CVE-2004-0067 in phpGedView
Summary
by MITRE
Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/24/2025
The vulnerability identified as CVE-2004-0067 represents a critical cross-site scripting flaw affecting phpGedView versions prior to 2.65, with subsequent impacts extending to version 4.1. This vulnerability exposes multiple entry points within the web application framework, creating widespread opportunities for malicious actors to execute unauthorized code within user browsers. The flaw stems from insufficient input validation and output sanitization mechanisms that fail to properly escape or filter user-supplied data before rendering it in web pages. These vulnerabilities are particularly dangerous because they affect core functionality pages including descendancy displays, individual genealogy records, login interfaces, and relationship mapping features, making them accessible attack vectors across the entire application surface.
The technical implementation of this vulnerability follows the classic XSS attack pattern where malicious input is processed and stored without proper sanitization, allowing attackers to inject HTML or JavaScript payloads that execute in the context of other users' browsers. The affected files represent fundamental components of the genealogy management system, with descendancy.php handling family tree displays, individual.php managing person records, and login.php providing authentication interfaces. Each of these files processes user input through parameters that are directly incorporated into HTML output without adequate encoding or filtering. The vulnerability demonstrates a lack of proper contextual output encoding, which is a fundamental requirement in secure web application development and aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities in software applications. This weakness enables attackers to manipulate the application's behavior and potentially escalate privileges or access sensitive data.
The operational impact of CVE-2004-0067 extends beyond simple script injection, as it creates potential pathways for session hijacking, credential theft, and data exfiltration from the genealogy database. When users browse to affected pages, their browsers execute malicious scripts that can capture session cookies, redirect them to attacker-controlled domains, or inject additional malicious payloads. The widespread nature of the vulnerability across multiple files means that a single successful attack can compromise various application functionalities and user accounts. Given that phpGedView is commonly used for storing sensitive genealogical data, the potential for data breach increases significantly when attackers can execute code on user browsers. This vulnerability particularly affects systems where genealogy data contains personal information about individuals, making it a target for social engineering attacks and identity theft attempts. The attack vectors span from simple HTML injection to more sophisticated persistent XSS attacks that can remain undetected for extended periods.
The remediation approach for this vulnerability requires immediate implementation of proper input validation and output encoding mechanisms throughout the affected application components. Security patches should include comprehensive sanitization of all user-supplied parameters before processing and rendering, with particular attention to HTML encoding of dynamic content. Organizations should implement Content Security Policy headers to limit script execution and prevent unauthorized code injection. The fix must address all twelve identified files and ensure that no user input is directly incorporated into HTML output without proper escaping. This vulnerability highlights the importance of secure coding practices and input validation, as outlined in OWASP Top Ten and NIST cybersecurity guidelines, where proper encoding and sanitization of user input forms a fundamental defense against XSS attacks. Regular security testing and code reviews should be implemented to prevent similar vulnerabilities in future releases, with emphasis on the principle of least privilege and defense in depth strategies. The vulnerability also underscores the need for regular software updates and patch management processes to address known security flaws in widely-used open source applications.