
Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Published 2013-02-18 00:00:00 by Gjoko Krstic (zeroscience.mk)

AI Score: 6 Medium (Confidence: Low)
CVSS2: 4 Medium, AV:N/AC:H/Au:N/C:P/I:N/A:P
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: PARTIAL
EPSS: 0.721 High (Percentile: 98.1%)

Title: Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability
Advisory ID: ZSL-2013-5127
Type: Local/Remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Risk: (3/5)
Release Date: 18.02.2013

Summary

Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures.

Description

Input passed to the 'dl' parameter of the 'install.php' script is not properly sanitised before being used to read the contents of a file and then delete it. This can be exploited to read and delete arbitrary files from the local system with the permissions of the web server via a directory traversal attack.

--------------------------------------------------------------------------------

/install.php, lines 113-124:

```php
// $_GET['dl'] is appended to the data path unchecked: file_exists(), the
// read and the unlink() all operate on whatever path the caller composes.
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);
  unlink($filename);   // the file that was just served is removed as well
  exit();
}
```

--------------------------------------------------------------------------------
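The same 'dl' handling in a hardened shape, with an access-log check for the traversal pattern alongside it. This is an added example, not Piwigo's code or its actual fix; the data directory layout, the token format and the log lines are constructed assumptions:

```python
"""Hardened 'dl' handling for install.php plus an access-log check.
Added example; not Piwigo's code. Layout and log lines are constructed."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Assumption: the download token is a short opaque identifier, so a strict
# allowlist rejects '..', '/', '\\' and NUL bytes before any path is built.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed access-log lines for the detection check (not real traffic).
LOG_LINES = [
    '198.51.100.7 - - [18/Feb/2013:10:00:01 +0000] "GET /piwigo/install.php?dl=../../../../../../lio_passwords.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Feb/2013:10:00:02 +0000] "GET /piwigo/install.php?dl=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 404 0',
    '192.0.2.9 - - [18/Feb/2013:10:00:03 +0000] "GET /piwigo/install.php?dl=abc123 HTTP/1.1" 200 1024',
    '192.0.2.9 - - [18/Feb/2013:10:00:04 +0000] "GET /piwigo/index.php?dl=../x HTTP/1.1" 200 2048',
]

def resolve_download(root, data_location, dl):
    """Absolute path of pwg_<dl> inside data_location, or None if rejected."""
    if not SAFE_TOKEN.match(dl):
        return None
    data_dir = os.path.realpath(os.path.join(root, data_location))
    candidate = os.path.realpath(os.path.join(data_dir, "pwg_" + dl))
    # Second line of defence: the resolved file must sit directly in data_dir.
    if os.path.dirname(candidate) != data_dir or not os.path.isfile(candidate):
        return None
    return candidate

def is_traversal_request(log_line):
    """True if the line requests install.php with a 'dl' value that leaves
    the expected directory; parse_qs decodes %2e%2e and %2f as well."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/install.php"):
        return False
    return any(c in v for v in parse_qs(url.query).get("dl", [])
               for c in ("..", "/", "\\", "\x00"))

def demo():
    """Exercise both functions; returns (legit ok, traversal result, hits)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "_data"))
        with open(os.path.join(root, "_data", "pwg_abc123"), "w") as fh:
            fh.write("db")
        legit = resolve_download(root, "_data/", "abc123") is not None
        bad = resolve_download(root, "_data/", "../../etc/passwd")
    return legit, bad, [l for l in LOG_LINES if is_traversal_request(l)]
```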

Vendor

Piwigo project - <http://www.piwigo.org>

Affected Version

2.4.6

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a

Vendor Status

[15.02.2013] Vulnerability discovered.
[15.02.2013] Initial contact with the vendor.
[15.02.2013] Vendor responds asking more details.
[16.02.2013] Sent details to the vendor.
[16.02.2013] Vendor confirms the vulnerability.
[16.02.2013] Working with the vendor.
[18.02.2013] Vendor releases fix for this issue.
[18.02.2013] Coordinated public security advisory released.
[19.02.2013] Vendor releases version 2.4.7.

PoC

piwigo_rd.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://piwigo.org/bugs/view.php?id=2843>
[2] <http://cxsecurity.com/issue/WLB-2013020126>
[3] <http://www.exploit-db.com/exploits/24520>
[4] <http://packetstormsecurity.com/files/120380>
[5] <http://piwigo.org/releases/2.4.7>
[6] <http://www.osvdb.org/show/osvdb/90357>
[7] <http://www.securityfocus.com/bid/58016>
[8] <https://vulners.com/cve/CVE-2013-1469>

Changelog

[18.02.2013] - Initial release
[19.02.2013] - Added reference [3] and [4]
[20.02.2013] - Added vendor status and reference [5] and [6]
[21.02.2013] - Added reference [7]
[02.03.2013] - Added reference [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

Original advisory text (details not repeated above)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic (@zeroscience)

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

Discovered: 15.02.2013

PoC request from the original advisory:

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
