How to remediate – PhpGedView Detection

1. Introduction

PhpGedView Detection identifies instances of the PhpGedView genealogy program running on web servers. This is a potential information disclosure risk as older versions may be vulnerable to various attacks. Systems commonly affected are publicly accessible web servers hosting PHP applications, particularly those used for family history research or online genealogical databases. A successful exploit could lead to data breaches and compromise system confidentiality.

2. Technical Explanation

The vulnerability stems from the presence of PhpGedView on a server. Attackers can identify exposed instances and potentially exploit known weaknesses within the application’s code. Exploitation typically involves sending malicious requests to specific URLs or files within the PhpGedView installation, leading to information disclosure or remote code execution. The root cause is often due to insufficient input validation or insecure default configurations.

• Root cause: Lack of robust input sanitisation and potential for file inclusion vulnerabilities in older versions.
• Exploit mechanism: An attacker could attempt to access sensitive files by manipulating URL parameters, potentially revealing database credentials or application source code. For example, a crafted request targeting the ‘template’ parameter might allow access to arbitrary files on the server.
• Scope: Affected platforms are web servers running PHP and hosting PhpGedView versions prior to any patched releases.

3. Detection and Assessment

Confirming whether a system is vulnerable involves identifying the presence of PhpGedView and checking its version. A quick check can be performed via HTTP headers, while thorough assessment requires examining the application’s files.

• Quick checks: Use a web browser to access the base URL of the suspected server. Look for tell-tale signs like the PhpGedView logo or specific file names in the directory structure (e.g., ‘template’, ‘admin’).
• Scanning: Nessus plugin ID 164789 can identify exposed instances of PhpGedView, but results should be verified manually.
• Logs and evidence: Web server access logs may show requests to files or directories specific to the PhpGedView installation (e.g., /phpgedview/).

curl -I http://targetserver/phpgedview/ | grep Server

4. Solution / Remediation Steps

The primary solution is to update or remove PhpGedView. If the application is no longer needed, removal is recommended. If it’s required, ensure you are running the latest patched version.

4.1 Preparation

• Ensure a rollback plan is in place, including restoring backups if necessary. A change window may be required depending on the size of the installation and potential downtime.

4.2 Implementation

1. Step 1: Download the latest version of PhpGedView from http://www.phpgedview.net/.
2. Step 2: Back up the existing PhpGedView installation directory and database.
3. Step 3: Replace the old files with the new version, ensuring correct file permissions are maintained.
4. Step 4: Update the PhpGedView configuration file (config.inc.php) if necessary, especially database connection details.
5. Step 5: Restart the web service.

4.3 Config or Code Example

Before

//Example config file (potentially insecure)
$conf['template'] = 'default'; //Default template, may be vulnerable

After

//Example config file (secure - updated version)
$conf['template'] = 'secure_template'; //Updated to a secure template in the latest version.

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege limits damage from exploitation, while input validation blocks malicious data.

• Practice 1: Implement least privilege for web server accounts to reduce the impact if PhpGedView is compromised.
• Practice 2: Regularly update all PHP applications and libraries to patch known vulnerabilities.

4.5 Automation (Optional)

# Example Bash script for updating PhpGedView (requires SSH access and appropriate permissions)
#!/bin/bash
# Stop web service
sudo systemctl stop apache2
# Backup existing installation
cp -r /var/www/phpgedview /var/www/phpgedview_backup
# Download latest version
wget http://www.phpgedview.net/latest/phpgedview.zip
# Unzip the new version
unzip phpgedview.zip -d /var/www/
# Restart web service
sudo systemctl start apache2

5. Verification / Validation

Confirming the fix involves checking the PhpGedView version and verifying that known vulnerabilities are no longer present.

• Post-fix check: Access the PhpGedView installation in a web browser and check the ‘About’ page for the updated version number.
• Re-test: Re-run the Nessus scan (plugin ID 164789) to confirm that the vulnerability is no longer detected.
• Smoke test: Verify that users can still log in, view family trees, and perform basic genealogical research tasks.
• Monitoring: Monitor web server logs for any unusual activity related to PhpGedView, such as attempts to access sensitive files or execute arbitrary code.

curl -I http://targetserver/phpgedview/ | grep Server
#Expected output should show the updated version number in the response headers.

6. Preventive Measures and Monitoring

Update security baselines to include PhpGedView, add checks in CI pipelines, and establish a regular patch review cycle.

• Baselines: Update your web server security baseline or policy to require the latest version of PhpGedView.
• Pipelines: Add Static Application Security Testing (SAST) tools to your CI pipeline to scan for vulnerabilities in PHP code, including those specific to PhpGedView.
• Asset and patch process: Implement a regular patch review cycle (e.g., monthly) to ensure all web applications are up-to-date with the latest security fixes.

7. Risks, Side Effects, and Roll Back

Updating PhpGedView may introduce compatibility issues or require configuration changes. A roll back plan should include restoring backups.

• Risk or side effect 1: The update might break existing customizations or integrations with other applications. Mitigate by testing the update in a staging environment first.
• Roll back: 1) Stop the web service. 2) Restore the backed-up PhpGedView installation directory and database. 3) Restart the web service.

8. References and Resources

• Vendor advisory or bulletin: http://www.phpgedview.net/
• NVD or CVE entry: No specific CVE