
Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Risk
Medium
Advisory ID
ZSL-2013-5127
Release Date
18 February 2013
Vendor
Piwigo project - http://www.piwigo.org
Affected Version
2.4.6
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a
Summary

Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures.

Description

Input passed to the 'dl' parameter of the 'install.php' script is not properly sanitised before being used to build a file path that is read, sent to the client and then deleted. This can be exploited through directory traversal to read and delete arbitrary files with the permissions of the web server. Because the literal prefix 'pwg_' is concatenated to the attacker-controlled value rather than validated, a traversal payload has to begin with a path separator, which turns 'pwg_' into a (non-existent) directory name that is then stepped out of with '..'; the advisory was tested on Windows, where path resolution collapses such segments without requiring the intermediate directory to exist. Note that one request both discloses and destroys the target: the code calls unlink() immediately after file_get_contents(), so every successful read is also a deletion.

/install.php (lines 113-124):
-----------------------------
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);
  unlink($filename);
  exit();
}
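The following is an added, editorial example of how the quoted 'dl' handling could be hardened. It is not Piwigo code and not the vendor's 2.4.7 fix; the function name pwg_resolve_download, the temporary directory layout and the assumption that a legitimate 'dl' value is a 32-character lowercase hex token are this example's own. The idea is two independent controls: an allow-list on the value itself, so that separators, dots and NUL bytes never reach a path, and a containment check on the resolved path as a second line of defence.

```php
<?php
// Added example (not Piwigo code, not the vendor fix): a hardened
// replacement for the 'dl' handling quoted above. Assumptions: the
// legitimate value is a 32-char lowercase hex token, and the file lives
// directly under the data directory as 'pwg_<token>'.

declare(strict_types=1);

/**
 * Map an untrusted 'dl' value to the file it may refer to, or return null.
 *
 *  1. Allow-list the value: only [a-f0-9]{32} is accepted, so '/', '\\',
 *     '.', NUL and similar characters are rejected before any path is built.
 *  2. Containment: resolve the final path with realpath() and require its
 *     parent to be the resolved data directory. This is defence in depth
 *     against symlinked data directories or a weakened allow-list later on.
 */
function pwg_resolve_download(string $data_dir, string $dl): ?string
{
    if (!preg_match('/\A[a-f0-9]{32}\z/', $dl)) {
        return null;                      // not a token this installer issues
    }
    $base = realpath($data_dir);
    if ($base === false) {
        return null;                      // data directory missing
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
    if ($candidate === false) {
        return null;                      // file does not exist
    }
    if (dirname($candidate) !== $base) {
        return null;                      // escaped the data directory
    }
    return $candidate;
}

// --- Demo on a constructed temporary layout (sample data, not real files) ---
$root     = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwg_demo_' . getmypid();
$data_dir = $root . DIRECTORY_SEPARATOR . '_data' . DIRECTORY_SEPARATOR;
mkdir($data_dir, 0700, true);

$token = bin2hex(random_bytes(16));       // what a legitimate download link carries
file_put_contents($data_dir . 'pwg_' . $token, "<?php // generated config\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', "not for download\n");

$cases = [
    $token,                               // legitimate download: accepted
    '/../secret.txt',                     // traversal through the 'pwg_' prefix: rejected
    '../secret.txt',                      // plain traversal: rejected
    "$token\0",                           // NUL-byte suffix: rejected by the allow-list
];

foreach ($cases as $dl) {
    $safe = pwg_resolve_download($data_dir, $dl);
    printf("%-40s -> %s\n", json_encode($dl), $safe === null ? 'rejected' : basename($safe));
}

// Clean up the constructed layout.
array_map('unlink', glob($data_dir . '*'));
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($data_dir);
rmdir($root);
```

Run it with the PHP CLI; only the generated token resolves, every other case is rejected before a file is opened or unlinked. In a real handler the allow-list should match exactly the format the application actually issues, and the read-then-unlink sequence should only ever run on a path returned by the resolver.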
Proof of Concept
Disclosure Timeline
15.02.2013 - Vulnerability discovered.
15.02.2013 - Initial contact with the vendor.
15.02.2013 - Vendor responds asking for more details.
16.02.2013 - Sent details to the vendor.
16.02.2013 - Vendor confirms the vulnerability.
16.02.2013 - Working with the vendor.
18.02.2013 - Vendor releases fix for this issue.
18.02.2013 - Coordinated public security advisory released.
19.02.2013 - Vendor releases version 2.4.7.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
18.02.2013 - Initial release
19.02.2013 - Added references [3] and [4]
20.02.2013 - Added vendor status and references [5] and [6]
21.02.2013 - Added reference [7]
02.03.2013 - Added reference [8]