Removing PhpGedView
Written by D.M. DeBacker
Jun 26, 2008 at 10:14 AM

Back in February, I installed phpGedView on this site. While I was not overly thrilled with the product's look and feel, I felt it had enough features and potential for customizing its appearance that I would continue to make occasional updates to the content. However, while reviewing the stats for this website the other night, I noticed something a little odd: the monthly stats showed a sudden spike in traffic from an unexpected source. For the month of May, 24% of the traffic to this site came from the Russian Federation, whereas only 3% came from Canada, the UK, and Australia, with all other traffic coming from the USA. I considered this odd because most of the content on this site is in English and none of it is in Russian.

I looked into this more closely by reviewing the raw access logs and found that requests from the Russian Federation appeared to be attempts to break into the phpGedView portion of this site. I am not sure what they were expecting to find or do, but after a little more research I found the following:

Debian -- Security Information -- DSA-1580-1 phpgedview

It was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error.

Note: this problem was a fundamental design flaw in the interface (API) to connect phpGedView with external programs like content management systems. Resolving this problem was only possible by completely reworking the API, which is not considered appropriate for a security update. Since these are peripheral functions probably not used by the large majority of package users, it was decided to remove these interfaces. If you require that interface nonetheless, you are advised to use a version of phpGedView backported from Debian Lenny, which has a completely redesigned API.

For the stable distribution (etch), this problem has been fixed in version 4.0.2.dfsg-4.

So rather than try to fix the problem, I decided to remove phpGedView for now, until I have had more time to research this.

The information that was available in the phpGedView portion of this website has always been available (duplicated) in another part of the site, which can be found by going to Genealogy. That alternate location is actually more up to date than the phpGedView section was.
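The raw access log review described above, reduced to a small script as an added example that is not part of the original post: it parses Apache combined-format log lines, counts how much of the site's traffic each client sends to the phpGedView path, and flags clients above a share threshold together with their 4xx/5xx rate on that path. The log lines, IP addresses and the `/phpgedview/` prefix are constructed assumptions, not data from this site.

```python
import re
from collections import Counter

# Apache "combined" access log format (assumed; constructed sample below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, prefix="/phpgedview/", share_threshold=0.2):
    """Count hits under `prefix` per client IP; flag clients sending more than
    `share_threshold` of all site traffic, with their 4xx/5xx rate on that path."""
    total = 0
    per_ip_total, per_ip_prefix, per_ip_errors = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole review
        total += 1
        per_ip_total[rec["ip"]] += 1
        if rec["path"].startswith(prefix):
            per_ip_prefix[rec["ip"]] += 1
            if rec["status"][0] in "45":  # errors on the path suggest probing
                per_ip_errors[rec["ip"]] += 1
    flagged = {}
    for ip, hits in per_ip_prefix.items():
        share = per_ip_total[ip] / total
        if share > share_threshold:
            flagged[ip] = {"share": round(share, 2), "prefix_hits": hits,
                           "error_rate": round(per_ip_errors[ip] / hits, 2)}
    return {"total": total,
            "prefix_share": round(sum(per_ip_prefix.values()) / total, 2) if total else 0.0,
            "flagged": flagged}

# Constructed sample (not real log data): 198.51.100.7 hammers the phpGedView path
_L = '{ip} - - [12/May/2008:03:14:07 -0500] "GET {path} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
SAMPLE_LOG = [
    _L.format(ip="198.51.100.7", path="/phpgedview/index.php", st=200),
    _L.format(ip="198.51.100.7", path="/phpgedview/missing-1.php", st=404),
    _L.format(ip="198.51.100.7", path="/phpgedview/missing-2.php", st=404),
    _L.format(ip="192.0.2.10", path="/index.html", st=200),
    _L.format(ip="192.0.2.10", path="/genealogy/", st=200),
    _L.format(ip="192.0.2.11", path="/phpgedview/index.php", st=200),
    _L.format(ip="192.0.2.12", path="/index.html", st=200),
    _L.format(ip="192.0.2.13", path="/genealogy/", st=200),
]
```

Running `summarize(SAMPLE_LOG)` on the constructed lines flags only 198.51.100.7, whose three requests are all to the phpGedView path and mostly 404s, while the single legitimate visitor of that path stays below the threshold.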