Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

2013-02-18 / 2013-03-30
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: Partial

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability Vendor: Piwigo project Product web page: http://www.piwigo.org Affected version: 2.4.6 Summary: Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures. Desc: Input passed to the 'dl' parameter in 'install.php' script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack. ==================================================================== /install.php: ------------- 113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'])) 114: { 115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']; 116: header('Cache-Control: no-cache, must-revalidate'); 117: header('Pragma: no-cache'); 118: header('Content-Disposition: attachment; filename="database.inc.php"'); 119: header('Content-Transfer-Encoding: binary'); 120: header('Content-Length: '.filesize($filename)); 121: echo file_get_contents($filename); 122: unlink($filename); 123: exit(); 124: } ==================================================================== Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 (Win32) PHP 5.4.4 MySQL 5.5.25a Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5127 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php Vendor Patch: http://piwigo.org/bugs/view.php?id=2843 15.02.2013 -- http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com


Back to Top