PhpGedView multiple cross-site scripting

phpgedview-multiple-xss (14212) The risk level is classified as Medium Risk

Description:

PhpGedView is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could create a malicious URL link to multiple PHP scripts containing embedded code in the firstname variable, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked.


Consequences:

Gain Access

Remedy:

Upgrade to the latest version of PhpGedView (2.65 beta 5 or later) available from the PhpGedView Web page. See references.

References:

  • BugTraq Mailing List, Mon Jan 12 2004 - 16:54:04 CST: More phpGedView Vulnerabilities.
  • PhpGedView Web page: PhpGedView Project Download Web site.
  • BID-11868: PhpGedView Descendancy.PHP Cross-Site Scripting Vulnerability
  • BID-11880: PhpGedView Index.PHP Cross-Site Scripting Vulnerability
  • BID-11882: PhpGedView Individual.PHP Cross-Site Scripting Vulnerability
  • BID-11888: PhpGedView Source.PHP Cross-Site Scripting Vulnerability
  • BID-11890: PhpGedView Imageview.PHP Cross-Site Scripting Vulnerability
  • BID-11891: PhpGedView Gedrecord.PHP Cross-Site Scripting Vulnerability
  • BID-11894: PhpGedView Gdbi_interface.PHP Cross-Site Scripting Vulnerability
  • BID-11903: PhpGedView Login.PHP URL Parameter Cross-Site Scripting Vulnerability
  • BID-11904: PhpGedView Login.PHP Username Parameter Cross-Site Scripting Vulnerability
  • BID-11905: PhpGedView Login.PHP Newlanguage Cross-Site Scripting Vulnerability
  • BID-11906: PhpGedView Relationship.PHP Cross-Site Scripting Vulnerability
  • BID-11907: PhpGedView Calendar.PHP Cross-Site Scripting Vulnerability
  • CVE-2004-0067: Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.
  • OSVDB ID: 3473: PhpGedView gdbi_interface.php pid Variable XSS
  • OSVDB ID: 3474: PhpGedView descendancy.php pid Variable XSS
  • OSVDB ID: 3475: PhpGedView index.php rootid Variable XSS
  • OSVDB ID: 3476: PhpGedView individual.php pid Variable XSS
  • OSVDB ID: 3477: PhpGedView login.php Multiple Variables XSS
  • OSVDB ID: 3478: PhpGedView relationship.php Multiple Variables XSS
  • OSVDB ID: 3479: PhpGedView source.php sid Variable XSS
  • SA26628: PhpGedView login.php Cross-Site Scripting Vulnerabilities
  • SECTRACK ID: 1018613: PhpGedView Input Validation Hole in login.php Permits Cross-Site Scripting Attacks
  • VUPEN/ADV-2007-2995: PhpGedView Multiple Parameter Handling Cross Site Scripting Vulnerabilities

Platforms Affected:

  • PhpGedView prior to 2.65 beta 5

Reported:

Jan 12, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
