Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Title: Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability
Advisory ID: ZSL-2013-5127
Type: Local/Remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Risk: (3/5)
Release Date: 18.02.2013
Summary
Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures.
Description
Input passed to the 'dl' parameter in 'install.php' script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack.

--------------------------------------------------------------------------------

/install.php:
-------------

113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116: header('Cache-Control: no-cache, must-revalidate');
117: header('Pragma: no-cache');
118: header('Content-Disposition: attachment; filename="database.inc.php"');
119: header('Content-Transfer-Encoding: binary');
120: header('Content-Length: '.filesize($filename));
121: echo file_get_contents($filename);
122: unlink($filename);
123: exit();
124: }

--------------------------------------------------------------------------------

Vendor
Piwigo project - http://www.piwigo.org
Affected Version
2.4.6
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a
Vendor Status
[15.02.2013] Vulnerability discovered.
[15.02.2013] Initial contact with the vendor.
[15.02.2013] Vendor responds asking more details.
[16.02.2013] Sent details to the vendor.
[16.02.2013] Vendor confirms the vulnerability.
[16.02.2013] Working with the vendor.
[18.02.2013] Vendor releases fix for this issue.
[18.02.2013] Coordinated public security advisory released.
[19.02.2013] Vendor releases version 2.4.7.
PoC
piwigo_rd.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://piwigo.org/bugs/view.php?id=2843
[2] http://cxsecurity.com/issue/WLB-2013020126
[3] http://www.exploit-db.com/exploits/24520
[4] http://packetstormsecurity.com/files/120380
[5] http://piwigo.org/releases/2.4.7
[6] http://www.osvdb.org/show/osvdb/90357
[7] http://www.securityfocus.com/bid/58016
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1469
Changelog
[18.02.2013] - Initial release
[19.02.2013] - Added reference [3] and [4]
[20.02.2013] - Added vendor status and reference [5] and [6]
[21.02.2013] - Added reference [7]
[02.03.2013] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk