PhpGedView admin.php Information Disclosure

2004-01-06T00:00:00
ID OSVDB:3404
Type osvdb
Reporter OSVDB
Modified 2004-01-06T00:00:00

Description

Vulnerability Description

PhpGedView contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by a specially crafted URL that requests the "admin.php" script with the "action" variable containing "phpinfo"; the script then discloses phpinfo() output, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.65 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Note that 2.65 is currently only available as a beta release.

Manual Testing Notes

http://target/phpgedview_folder/admin.php?action=phpinfo
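
Added example, not part of the original entry: a log check a site operator could run to find requests matching the pattern described above (admin.php with "action" containing "phpinfo") in a web server access log. It assumes common/combined log format; the sample lines, paths and the names `is_phpinfo_request` and `find_phpinfo_requests` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs, made-up install path and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2004:10:00:01 +0000] "GET /phpgedview/index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [06/Jan/2004:10:02:13 +0000] "GET /phpgedview/admin.php?action=phpinfo HTTP/1.0" 200 48211',
    '198.51.100.7 - - [06/Jan/2004:10:02:19 +0000] "GET /phpgedview/admin.php?x=1&action=%70hpinfo HTTP/1.0" 200 48211',
    '203.0.113.5 - - [06/Jan/2004:10:05:40 +0000] "GET /phpgedview/admin.php?action=phpinfo HTTP/1.0" 403 210',
    '192.0.2.10 - - [06/Jan/2004:10:06:02 +0000] "GET /phpgedview/admin.php?action=listusers HTTP/1.0" 200 900',
]

def is_phpinfo_request(target):
    """True if the request target is admin.php with an action value containing 'phpinfo'."""
    parts = urlsplit(target)
    if not unquote(parts.path).lower().endswith("/admin.php"):
        return False
    # parse_qs percent-decodes names and values, so action=%70hpinfo is also caught.
    values = parse_qs(parts.query, keep_blank_values=True).get("action", [])
    # Case-insensitive match: deliberately over-inclusive for detection.
    return any("phpinfo" in v.lower() for v in values)

def find_phpinfo_requests(lines):
    """Return one record per matching log line, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_phpinfo_request(m.group("target")):
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "target": m.group("target"),
                # A 200 means the script answered; treat it as likely disclosure.
                "served": m.group("status") == "200",
            })
    return hits

if __name__ == "__main__":
    for hit in find_phpinfo_requests(SAMPLE_LOG):
        print(hit)
```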

References:

Vendor URL: http://phpgedview.sourceforge.net/
Secunia Advisory ID: 10565
Other Advisory URL: http://www.security.com.vn/details.php?ID=350%20
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2004-01/0040.html
Nessus Plugin ID: 11982
ISS X-Force ID: 14162
CVE-2004-0033
Bugtraq ID: 9371