PhpGedView indilist.php Path Disclosure

2004-01-12T00:00:00
ID OSVDB:3464
Type osvdb
Reporter JeiAr (jeiar@gulftech.org)
Modified 2004-01-12T00:00:00

Description

Vulnerability Description

PhpGedView contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker sends a specially crafted URL to the "indilist.php" script, which discloses the server installation path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 3.00.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


Manual Testing Notes

http://[victim]/indilist.php?alpha=\&surname_sublist=\

References:

Vendor URL: http://phpgedview.sourceforge.net/
Vendor Specific Solution URL: http://sourceforge.net/project/showfiles.php?group_id=55456
Secunia Advisory ID: 10602
Related OSVDB ID: 7044
Related OSVDB ID: 7046
Related OSVDB ID: 7045
Related OSVDB ID: 7047
Related OSVDB ID: 7048
Related OSVDB ID: 7049
Related OSVDB ID: 7050
Other Advisory URL: http://www.gulftech.org/01132004.php
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-01/0089.html
ISS X-Force ID: 14215
CVE-2004-0066