CVSS2: AV:N/AC:H/Au:N/C:P/I:N/A:P
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
AI Score confidence: Low
EPSS Percentile: 97.5%
Title: Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability
Advisory ID: ZSL-2013-5127
Type: Local/Remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Risk: (3/5)
Release Date: 18.02.2013
Summary: Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures.
Description: Input passed to the ‘dl’ parameter in the ‘install.php’ script is not properly sanitised before being used to read the contents of a resource and to delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via a directory traversal attack.
--------------------------------------------------------------------------------
// install.php
// 'dl' is taken straight from the query string and concatenated into a path.
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  // The file the path resolves to is sent to the client ...
  echo file_get_contents($filename);
  // ... and then deleted.
  unlink($filename);
  exit();
}
--------------------------------------------------------------------------------
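A hardened form of the check above, as an added example that is not from the advisory and is not Piwigo's patch: the function name `resolve_download`, the alphanumeric token pattern and the temporary demo directory are assumptions. It accepts `dl` only as a plain token and then confirms that the canonical path sits directly inside the data directory before anything is read or deleted.

```php
<?php
// Added example, not Piwigo's code. resolve_download() and the token
// pattern are assumptions made for illustration.

/**
 * Return the canonical path of 'pwg_<dl>' inside $dataDir, or null when the
 * request value does not name a regular file directly inside that directory.
 */
function resolve_download(string $dataDir, $dl): ?string
{
    // 1. Shape: one short alphanumeric token. This rejects arrays
    //    (?dl[]=x), path separators, dots and NUL bytes in a single step.
    if (!is_string($dl) || !preg_match('/\A[A-Za-z0-9]{1,64}\z/', $dl)) {
        return null;
    }
    // 2. Containment: canonicalise both sides, so symlinks and any
    //    leftover relative components are resolved before comparing.
    $base = realpath($dataDir);
    $path = realpath($dataDir . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return dirname($path) === $base ? $path : null;
}

// Constructed demo data: a throwaway directory holding one expected file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwg_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'pwg_abc123', "constructed sample\n");

$inputs = [
    'abc123',                               // expected token
    '../../../../../../lio_passwords.txt',  // value from the advisory
    'abc123/../abc123',                     // separator inside the token
    'deadbeef',                             // well-formed but no such file
    ['abc123'],                             // array supplied via ?dl[]=
];
foreach ($inputs as $dl) {
    $path = resolve_download($dir, $dl);
    printf("%-42s => %s\n", json_encode($dl, JSON_UNESCAPED_SLASHES),
           $path === null ? 'rejected' : 'served');
}

// Remove the constructed demo data.
unlink($dir . DIRECTORY_SEPARATOR . 'pwg_abc123');
rmdir($dir);
```

Only the first input is served; the caller would read and `unlink()` the returned path rather than the raw request value.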
Vendor: Piwigo project - <http://www.piwigo.org>
Affected version: 2.4.6
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a
[15.02.2013] Vulnerability discovered.
[15.02.2013] Initial contact with the vendor.
[15.02.2013] Vendor responds asking more details.
[16.02.2013] Sent details to the vendor.
[16.02.2013] Vendor confirms the vulnerability.
[16.02.2013] Working with the vendor.
[18.02.2013] Vendor releases fix for this issue.
[18.02.2013] Coordinated public security advisory released.
[19.02.2013] Vendor releases version 2.4.7.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <http://piwigo.org/bugs/view.php?id=2843>
[2] <http://cxsecurity.com/issue/WLB-2013020126>
[3] <http://www.exploit-db.com/exploits/24520>
[4] <http://packetstormsecurity.com/files/120380>
[5] <http://piwigo.org/releases/2.4.7>
[6] <http://www.osvdb.org/show/osvdb/90357>
[7] <http://www.securityfocus.com/bid/58016>
[8] <https://vulners.com/cve/CVE-2013-1469>
[18.02.2013] - Initial release
[19.02.2013] - Added reference [3] and [4]
[20.02.2013] - Added vendor status and reference [5] and [6]
[21.02.2013] - Added reference [7]
[02.03.2013] - Added reference [8]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability
Vendor: Piwigo project
Product web page: http://www.piwigo.org
Affected version: 2.4.6
Summary: Piwigo is a photo gallery software for the web that comes
with powerful features to publish and manage your collection of
pictures.
Desc: Input passed to the 'dl' parameter in 'install.php' script
is not properly sanitised before being used to get the contents of
a resource or delete files. This can be exploited to read and delete
arbitrary data from local resources with the permissions of the web
server via directory traversal attack.
====================================================================
/install.php:
-------------
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);
  unlink($filename);
  exit();
}
====================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
15.02.2013
--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt