SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Geeklog
Vendors:   Geeklog
(Vendor Issues Fix) Re: Geeklog Community Portal Software Allows Remote Users to Access Other User Accounts
SecurityTracker Alert ID:  1003204
SecurityTracker URL:  http://securitytracker.com/id/1003204
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 13 2002
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.3
Description:   An authentication vulnerability was reported in Geeklog. In the default configuration, a remote user with an account on the application can log in as another user.

It is reported that when permanent cookies are enabled (the default configuration), Geeklog creates and stores a user's UID in a cookie after successful authentication. The cookie is subsequently used by the server to authenticate a user. A remote user can modify the UID in their cookie to gain access to another user's account, including an administrator's account.

Impact:   A remote user with an account on the system can log in as any other user.
Solution:   The vendor has issued a fixed version (1.3.1), available at the Vendor URL.
Vendor URL:  geeklog.sourceforge.net/index.php?topic=GeekLog
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)
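The cookie design the description above reports, as an added example for this page (not Geeklog's own code, and written in Python rather than Geeklog's PHP so the logic stands on its own): the "UID in the cookie" lookup that trusts a client-supplied identifier, beside two ways the same permanent-cookie feature can be built safely, an opaque random session token resolved server-side, and a keyed HMAC over the UID. The user table, cookie names and server key are constructed for the example.

```python
"""Cookie-based 'remember me' authentication: the pattern the advisory
describes (the bare UID stored in a permanent cookie and trusted on every
request) beside two hardened designs.  Added example for this page, not
Geeklog's own code; the user table, cookie names and key are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user table: uid -> username.  uid 1 plays the administrator.
USERS = {1: "admin", 2: "alice", 3: "bob"}


# --- Vulnerable pattern: the cookie value *is* the credential -------------
def issue_cookie_vulnerable(uid: int) -> Dict[str, str]:
    """After a successful login, store the UID itself in the cookie."""
    return {"geeklog_uid": str(uid)}


def authenticate_vulnerable(cookies: Dict[str, str]) -> Optional[int]:
    """Accepts whatever UID the browser presents.  Nothing ties the value to
    the login that produced it, so an edited cookie selects another account."""
    raw = cookies.get("geeklog_uid", "")
    if not raw.isdigit():
        return None
    uid = int(raw)
    return uid if uid in USERS else None


# --- Fix 1: opaque random session token, identity kept server-side ---------
SESSIONS: Dict[str, int] = {}  # token -> uid; a database table in practice


def issue_cookie_session(uid: int) -> Dict[str, str]:
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = uid
    return {"geeklog_session": token}


def authenticate_session(cookies: Dict[str, str]) -> Optional[int]:
    # The client never sees or chooses the UID; an unknown token yields None.
    return SESSIONS.get(cookies.get("geeklog_session", ""))


# --- Fix 2: UID stays in the cookie but carries an HMAC under a server key --
SERVER_KEY = secrets.token_bytes(32)  # constructed; load from config in practice


def _tag(uid: int) -> str:
    return hmac.new(SERVER_KEY, str(uid).encode(), hashlib.sha256).hexdigest()


def issue_cookie_signed(uid: int) -> Dict[str, str]:
    return {"geeklog_uid": f"{uid}.{_tag(uid)}"}


def authenticate_signed(cookies: Dict[str, str]) -> Optional[int]:
    uid_str, sep, tag = cookies.get("geeklog_uid", "").partition(".")
    if not sep or not uid_str.isdigit():
        return None
    uid = int(uid_str)
    # Constant-time compare; without SERVER_KEY a changed UID cannot be re-tagged.
    if not hmac.compare_digest(tag, _tag(uid)):
        return None
    return uid if uid in USERS else None


def with_uid(cookies: Dict[str, str], uid: int) -> Dict[str, str]:
    """Model the browser presenting a cookie whose UID field was edited to
    `uid` (any existing tag is kept, since the client cannot recompute it)."""
    edited = dict(cookies)
    _, sep, tag = edited.get("geeklog_uid", "").partition(".")
    edited["geeklog_uid"] = f"{uid}{sep}{tag}"
    return edited


def demo() -> Dict[str, Optional[int]]:
    """bob (uid 3) logs in under each scheme, then the cookie comes back with
    its UID field changed to 1 (admin).  Returns which account each scheme
    believes is logged in after the edit."""
    return {
        "vulnerable": authenticate_vulnerable(with_uid(issue_cookie_vulnerable(3), 1)),
        "session": authenticate_session(with_uid(issue_cookie_session(3), 1)),
        "signed": authenticate_signed(with_uid(issue_cookie_signed(3), 1)),
    }


if __name__ == "__main__":
    for scheme, uid in demo().items():
        print(f"{scheme:10s} -> {USERS.get(uid, 'not authenticated')}")
```

Running `demo()` shows the three outcomes side by side: the vulnerable lookup returns uid 1 (the edited value is simply believed), the server-side session still resolves to bob because the UID field plays no part in authentication, and the signed cookie is rejected because the tag no longer matches. Between the two fixes, the server-side table is the stronger choice for a permanent cookie: a stolen or leaked token can be deleted from `SESSIONS` to revoke it, whereas a signed UID stays valid until the server key is rotated.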

Message History:   This archive entry is a follow-up to the message listed below.
Jan 10 2002 Geeklog Community Portal Software Allows Remote Users to Access Other User Accounts



 Source Message Contents

Subject:  Geeklog fix


[022] - GeekLog 1.3.1
  by Tony Bibbs (http://freshmeat.net/users/tbibbs/)
  Saturday, January 12th 2002 03:11

Internet :: WWW/HTTP Internet :: WWW/HTTP :: Dynamic Content

About: GeekLog is the weblog software that concentrates on performance,
privacy, and security. It features Web-based administration, surveys
(polls), user-customizable boxes, a friendly administration GUI with a
topic manager, an option to edit or delete stories, an option to delete
comments, a search engine, backend/headlines generation (RSS/RDF format),
calendaring, and much more.

Changes: This release introduces a couple of security fixes including one
major one, addresses some performance issues, cleans up bugs in the
calendar, adds a "who's online" hack, now tracks user registration date and
makes some block customizations.

License: GNU General Public License (GPL)

URL: http://freshmeat.net/projects/geeklog/


Copyright 2019, SecurityGlobal.net LLC