PhpGedView help_text_vars.php Remote File Inclusion

2005-12-20T10:03:28
ID OSVDB:22009
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-12-20T10:03:28

Description

Vulnerability Description

PhpGedView contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'help_text_vars.php' not properly sanitizing user-supplied input to the 'PGV_BASE_DIRECTORY' variable. When the register_globals PHP option is set to 'on', a remote attacker can display the contents of local files. In addition, when the magic_quotes_gpc and allow_url_fopen PHP options are set to 'on', a remote attacker can include a file from a remote host that contains arbitrary commands, which are then executed by the vulnerable script.

Solution Description

Upgrade to version 3.3.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
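
A triage sketch for the conditions described above, added here as an example and not code from the advisory or from PhpGedView: it reads a php.ini and an installed PhpGedView version and reports which of the two stated impacts apply. The function names, finding labels, sample php.ini and the 3.3.7 test version are constructed for illustration; the PHP defaults and the reading of "in addition" are assumptions marked in the comments.

```python
import re

FIXED_VERSION = (3, 3, 8)  # fixed release named in the advisory
TRUE_VALUES = {"1", "on", "true", "yes"}  # php.ini spellings of boolean true
# Assumption: built-in defaults of PHP 4.2+/5.x when a directive is absent.
DEFAULTS = {"register_globals": "0", "allow_url_fopen": "1", "magic_quotes_gpc": "1"}

# Constructed sample php.ini, not taken from a real host.
SAMPLE_INI = """\
[PHP]
register_globals = Off
allow_url_fopen = On      ; needed by a feed importer
magic_quotes_gpc = On
register_globals = On     ; later duplicate overrides the earlier line
"""

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (fine for booleans)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'").lower()
    return settings

def parse_version(text):
    """'3.3.7' -> (3, 3, 7); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(ini_text, pgv_version):
    """List which impacts from the advisory apply to this install."""
    if parse_version(pgv_version) >= FIXED_VERSION:
        return []
    cfg = {**DEFAULTS, **parse_php_ini(ini_text)}
    on = lambda name: cfg[name] in TRUE_VALUES
    findings = []
    if on("register_globals"):
        findings.append("local-file-disclosure")
        # Assumption: "in addition" means these two options add to register_globals.
        if on("magic_quotes_gpc") and on("allow_url_fopen"):
            findings.append("remote-file-inclusion")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_INI, "3.3.7"))  # 3.3.7 is a constructed pre-fix version
```

An empty result for a pre-3.3.8 install only means the listed PHP options are not in the stated state; the fix given above is still the upgrade.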

References:

Vendor URL: http://www.phpgedview.net/
Security Tracker: 1015395
Secunia Advisory ID: 18177
Related OSVDB ID: 22010
Other Advisory URL: http://rgod.altervista.org/phpgedview_337_xpl.html
Nessus Plugin ID: 20339
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-12/0243.html
ISS X-Force ID: 23871
CVE-2005-4468
CVE-2005-4467
Bugtraq ID: 15983