Geeklog Web-based Community Portal Software May Let a Remote User Obtain Administrative Privileges on the Application
SecurityTracker Alert ID: 1003117
SecurityTracker URL: http://securitytracker.com/id/1003117
Date: Jan 5 2002
User access via network
A vulnerability has been reported in the Geeklog web-based community portal software. A remote user could obtain administrative access to the application in a certain situation.
It is reported that the first new user created after initial installation of Geeklog is, by default, assigned to the GroupAdmin group. As a result, a remote user could obtain administration privileges on the server if they are the first registered user.
It is reported that a fresh installation ships with one orphaned "group_assignments" record referencing user ID 13, while the Geeklog user table contains only 12 users. The first user to create an account therefore receives uid 13, inherits the orphaned record's membership in the GroupAdmin group and, through it, the UserAdmin group.
A remote user could obtain administrative control of the application in a certain situation.
The vendor has issued a method for fixing this flaw. The flaw only applies to fresh installations of Geeklog.
"If you have already installed a fresh version of Geeklog 1.3 then you need to edit the user with a uid of 13. To get that, do a "SELECT username FROM users WHERE uid = 13" in your favorite MySQL editor. Then in the admin/users.php page edit that user and uncheck both the GroupAdmin Group AND the UserAdmin Group and be sure to leave the Normal User and Logged-in User boxes checked."
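The mechanism described above (an orphaned group_assignments row for uid 13 in a 12-user table, which the next self-registered account inherits) together with the vendor's cleanup, as an added example that is not part of the advisory or of Geeklog's own code. It models the tables in SQLite through Python's sqlite3: the groups table and the column names ug_uid and ug_grp_id are assumptions made for the example, and the GroupAdmin-implies-UserAdmin relationship is not modelled. It shows the unpatched behaviour, a detection query for group assignments that reference no existing user, and a cleanup that deletes them before the first public registration; the dangling-grant check generalizes to any role or membership join table.

```python
import sqlite3

# Constructed, simplified schema modelled on the tables the advisory names
# ("users" with uid/username, and "group_assignments"). The groups table and
# the columns ug_uid/ug_grp_id are assumptions for this example.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE groups (grp_id INTEGER PRIMARY KEY, grp_name TEXT NOT NULL UNIQUE);
CREATE TABLE group_assignments (ug_uid INTEGER NOT NULL, ug_grp_id INTEGER NOT NULL);
"""

GROUPADMIN, USERADMIN, LOGGED_IN, NORMAL = 2, 3, 4, 5


def fresh_install(conn):
    """Seed the database the way the advisory describes a fresh install:
    12 built-in accounts and one dangling GroupAdmin assignment for uid 13."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users (uid, username) VALUES (?, ?)",
                     [(i, f"builtin{i}") for i in range(1, 13)])
    conn.executemany("INSERT INTO groups (grp_id, grp_name) VALUES (?, ?)",
                     [(1, "Root"), (GROUPADMIN, "GroupAdmin"), (USERADMIN, "UserAdmin"),
                      (LOGGED_IN, "Logged-in Users"), (NORMAL, "Normal User")])
    # uid 1 is the installer's admin account; the uid 13 row is the orphan
    conn.executemany("INSERT INTO group_assignments VALUES (?, ?)",
                     [(1, 1), (1, GROUPADMIN), (13, GROUPADMIN)])


def register_user(conn, username):
    """Simulate self-registration: the new uid is max(uid)+1, i.e. 13 after a
    fresh install, and only the two default groups are granted explicitly."""
    uid = conn.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid
    conn.executemany("INSERT INTO group_assignments VALUES (?, ?)",
                     [(uid, LOGGED_IN), (uid, NORMAL)])
    return uid


def groups_of(conn, uid):
    """Effective explicit group memberships of a user, sorted by name."""
    rows = conn.execute(
        """SELECT g.grp_name FROM group_assignments ga
           JOIN groups g ON g.grp_id = ga.ug_grp_id
           WHERE ga.ug_uid = ? ORDER BY g.grp_name""", (uid,))
    return [r[0] for r in rows]


def orphaned_assignments(conn):
    """Detection: assignments whose ug_uid matches no row in users."""
    rows = conn.execute(
        """SELECT ga.ug_uid, g.grp_name FROM group_assignments ga
           LEFT JOIN users u ON u.uid = ga.ug_uid
           JOIN groups g ON g.grp_id = ga.ug_grp_id
           WHERE u.uid IS NULL ORDER BY ga.ug_uid, g.grp_name""")
    return [(r[0], r[1]) for r in rows]


def remove_orphaned_assignments(conn):
    """Cleanup: drop every assignment that points at a non-existent user."""
    cur = conn.execute(
        "DELETE FROM group_assignments WHERE ug_uid NOT IN (SELECT uid FROM users)")
    return cur.rowcount


def demo_unpatched():
    """Fresh install, no cleanup: the first registrant lands on uid 13 and
    picks up the orphaned GroupAdmin grant."""
    conn = sqlite3.connect(":memory:")
    fresh_install(conn)
    uid = register_user(conn, "first_visitor")
    return uid, groups_of(conn, uid)


def demo_patched():
    """Fresh install, orphans detected and removed before the site goes public."""
    conn = sqlite3.connect(":memory:")
    fresh_install(conn)
    orphans = orphaned_assignments(conn)
    removed = remove_orphaned_assignments(conn)
    uid = register_user(conn, "first_visitor")
    return orphans, removed, uid, groups_of(conn, uid)


if __name__ == "__main__":
    print("unpatched:", demo_unpatched())
    print("patched:  ", demo_patched())
```

Run the detection query against a real installation before opening registration; on the page's scenario it returns exactly one row, (13, GroupAdmin). The vendor's advice to edit the already-created uid 13 account covers the case where registration has already happened; the cleanup above addresses the case where it has not.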
Vendor URL: geeklog.sourceforge.net/index.php?topic=GeekLog
Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: Vulnerability in new user creation in Geeklog 1.3
I have discovered a serious security flaw with new user creation in the
latest version of Geeklog--Version 1.3 on December 30th, 2001.
Product Information: Geeklog is a popular weblog. It allows you to
create your own virtual community area, complete with user
administration, story posting, messaging, and other nice features.
Vulnerability: When the first new user is created during a fresh
installation of Geeklog, that regular user is assigned to the GroupAdmin
Group, and subsequently, is a member of the UserAdmin Group. This is a
major issue, because if the website is rolled out to the public, in
theory, the first new user registered would have Admin rights, which
would allow the new user to have control over Geeklog, and subsequently,
the entire website.
I have submitted a bug report to the author, in order to give him ample
time in fixing this issue. It has been fixed, and posted today at the
geeklog website at http://www.geeklog.org
Fix: Per Geeklog's website: If you already have installed a fresh
version of Geeklog 1.3 then you need to edit the user with a uid of 13.
To get that, do a "SELECT username FROM users WHERE uid = 13" in your
favorite MySQL editor. Then in the admin/users.php page edit that user
and uncheck both the GroupAdmin Group AND the UserAdmin Group and be
sure to leave the Normal User and Logged-in User boxes checked.
Sr. Information Security Analyst
Security Product Services
Corporate Information Protection
-----BEGIN GEEK CODE BLOCK-----
GE d-(++) s+:++>s+:- a27>-- C++++ UBLS++++$ P+>+++++ L++++$ E---- W++ N
o? K? w O(-) M-(--) V->V PS---(+) PE--(PE) Y+(Y) PGP++ t 5 X R(+) tv+
b>+++ DI+++ D+ G-- e* h---- r++++ y?
------END GEEK CODE BLOCK------