Piwigo 'dl' Parameter Directory Traversal Vulnerability

Bugtraq ID:	58229
Class:	Input Validation Error
CVE:	CVE-2013-1469
Remote:	Yes
Local:	No
Published:	Feb 21 2013 12:00AM
Updated:	Feb 21 2013 12:00AM
Credit:	High-Tech Bridge SA
Vulnerable:
Not Vulnerable:

RETIRED: Piwigo 'dl' Parameter Directory Traversal Vulnerability

Piwigo is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

A remote attacker can use directory-traversal strings to retrieve arbitrary files in the context of the affected application.

Versions prior to Piwigo 2.4.7 are vulnerable.

NOTE: This BID is being retired as a duplicate of BID 58016 (Piwigo 'dl' Parameter Directory Traversal Vulnerability).

RETIRED: Piwigo 'dl' Parameter Directory Traversal Vulnerability

An attacker can exploit the issue through a browser.

The following example URI is available:

http://www.example.com/piwigo/install.php?dl=/../../local/config/database.inc.php

RETIRED: Piwigo 'dl' Parameter Directory Traversal Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

RETIRED: Piwigo 'dl' Parameter Directory Traversal Vulnerability

References:

• Piwigo Homepage (Piwigo)