netVigilance Security Advisory 2

PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

PHP remote code injection vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.

External References:
Mitre CVE: CAN-2004-0128
BUGTRAQ: 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior

phpGedView is an open source system for online viewing of GEDCOM information (family tree and genealogy information). Multiple PHP code injection vulnerabilities exist in the phpGedView product. They enable a malicious user to execute commands on the server.

Release Date:
January 29 2004


SecureScout Testcase ID:
TC 17868 (Still in Development)

Vulnerable Systems:
phpGedView version 2.65.1 and prior

Vulnerability Type:
PHP injection: forces the target to execute a PHP file fetched from the attacker's server

Vendor Status:
The vendor has been notified and has released version 2.65.3, which fixes the problem.

(HIGH risk: no authentication needed)

-- HTTP Request --


Code impacted: [GED_File]_conf.php

123:if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"))
124:else {
125: $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
126: require($THEME_DIR."theme.php");
127: }

The require call is only vulnerable when PHP register_globals is On, because that setting lets a request parameter overwrite the $PGV_BASE_DIRECTORY variable before the require runs.

In this case the name of the GEDCOM file in use has to be obtained first. A request to http://[target]/session.php reveals it: the GEDCOM file name appears as an argument of the login.php call.

The attacker has to create on his web site a directory called themes/standard containing a file theme.php.

For example: theme.php = <?php print "<?php phpinfo();?>" ;?>

and the request will execute phpinfo() on the vulnerable target.
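The root cause is that the path handed to require is assembled from a variable a request can overwrite, and PHP's require accepts URLs. The following is an added example, not phpGedView's own code, of how the theme lookup can be hardened: the base directory is pinned at install time instead of being read from globals, any value with a URL scheme or stream wrapper is refused, and the resolved path must stay inside the application root. APP_ROOT, safeThemePath() and the sample values are assumptions made for this demo; it assumes a Unix host and builds a throwaway install tree under the system temp directory so it runs stand-alone.

```php
<?php
// Added example (not phpGedView's own code): locate theme.php without
// trusting request-controlled input. Names and sample values are assumed.
declare(strict_types=1);

// The application root is fixed at install time, never taken from the request.
// For the demo it is a throwaway directory under the system temp dir.
define('APP_ROOT', sys_get_temp_dir() . '/pgv_demo_' . getmypid());

// Constructed fixture: a minimal install tree with the standard theme.
@mkdir(APP_ROOT . '/themes/standard', 0700, true);
file_put_contents(APP_ROOT . '/themes/standard/theme.php', "<?php\n// demo theme\n");

/**
 * Return the absolute path of the theme file to include, or null if the
 * candidate is unsafe. $baseDir and $themeDir play the roles of
 * $PGV_BASE_DIRECTORY and $THEME_DIR from the advisory.
 */
function safeThemePath(string $baseDir, string $themeDir): ?string
{
    $candidate = $baseDir . $themeDir . 'theme.php';

    // 1. Refuse URL schemes and stream wrappers ("http://", "ftp://",
    //    "php://", "data:" ...), which is exactly what the advisory abuses.
    //    (On Windows a drive-letter prefix would need to be allowed here.)
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return null;
    }
    // 2. Refuse NUL bytes, which truncate paths in filesystem calls.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    // 3. Canonicalise and require the result to sit inside APP_ROOT.
    $real = realpath($candidate);
    $root = realpath(APP_ROOT);
    if ($real === false || $root === false) {
        return null;               // file does not exist or root is missing
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;               // escaped the install directory (e.g. via "../")
    }
    return $real;
}

// Constructed inputs: a legitimate value and three that a request could
// have injected into $PGV_BASE_DIRECTORY / $THEME_DIR under register_globals.
$cases = [
    'trusted local'  => [APP_ROOT . '/', 'themes/standard/'],
    'remote URL'     => ['http://attacker.example/', 'themes/standard/'],
    'php:// wrapper' => ['php://input', ''],
    'traversal'      => [APP_ROOT . '/', '../../../etc/'],
];

foreach ($cases as $label => [$base, $theme]) {
    $path = safeThemePath($base, $theme);
    printf("%-15s => %s\n", $label, $path === null ? 'REJECTED' : 'include ' . $path);
}

// Remove the demo fixture.
unlink(APP_ROOT . '/themes/standard/theme.php');
rmdir(APP_ROOT . '/themes/standard');
rmdir(APP_ROOT . '/themes');
rmdir(APP_ROOT);
```

Run with `php hardened_theme.php`; only the "trusted local" case yields a path to include, the other three are rejected before any require is reached. The code-level check complements, and does not replace, the server-side settings that close this class of bug: register_globals = Off, so request parameters never become variables, and allow_url_fopen = Off where the application does not need remote streams.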

Cedric Cochin - netVigilance Vulnerability Research team


Copyright © 2004, netVigilance, Inc. All rights reserved