SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Geeklog Vendors:   Geeklog
(Vendor Issues Fix) Re: Geeklog Web-based Community Portal Software May Let a Remote User Obtain Administrative Privileges on the Application
SecurityTracker Alert ID:  1003205
SecurityTracker URL:  http://securitytracker.com/id/1003205
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 13 2002
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.3
Description:   A vulnerability has been reported in the Geeklog web-based community portal software. A remote user who is the first to register after installation could obtain administrative access to the application.

It is reported that the first new user created after the initial installation of Geeklog is, by default, assigned to the GroupAdmin group. As a result, a remote user could obtain administrative privileges on the application simply by being the first registered user.

It is reported that in a fresh installation, the seed data includes one orphaned "group_assignments" record with a user ID of 13, while the Geeklog user table contains only 12 users. The first user to create an account therefore receives user ID 13, inherits the stale assignment, and so gains access to the GroupAdmin group and, through it, the UserAdmin group.
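The failure mode described above, reduced to a runnable model (added example, not Geeklog's code; the table and column names `users`, `groups`, `group_assignments`, `uid`, `grp_id` are assumptions modelled on the advisory's wording, not the real Geeklog schema). It seeds 12 users plus one orphaned assignment for user 13, shows the detection query an administrator would run on a fresh install, and shows why the first signup lands on the orphaned ID unless stale assignments are purged first:

```python
import sqlite3

# Assumed schema (not Geeklog's real one): uid is auto-assigned, so after
# 12 seeded users the next INSERT receives uid 13.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL);
CREATE TABLE groups (grp_id INTEGER PRIMARY KEY, grp_name TEXT NOT NULL);
CREATE TABLE group_assignments (uid INTEGER NOT NULL, grp_id INTEGER NOT NULL);
"""

def fresh_install():
    """Constructed sample data: 12 seed users and one orphaned assignment for uid 13."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [(f"seed{i}",) for i in range(1, 13)])
    db.executemany("INSERT INTO groups VALUES (?, ?)",
                   [(1, "GroupAdmin"), (2, "UserAdmin"), (3, "Logged-in Users")])
    db.execute("INSERT INTO group_assignments VALUES (1, 1)")   # seeded admin account
    db.execute("INSERT INTO group_assignments VALUES (13, 1)")  # the orphaned record
    return db

def orphaned_assignments(db):
    """Detection: assignments whose uid has no matching row in users."""
    rows = db.execute("""SELECT ga.uid, ga.grp_id FROM group_assignments ga
                         LEFT JOIN users u ON u.uid = ga.uid
                         WHERE u.uid IS NULL""")
    return rows.fetchall()

def register_user(db, username, purge_stale=False):
    """Registration as the advisory describes it: the new uid comes from the
    auto-increment counter, so the first signup gets 13 and inherits the orphan.
    purge_stale=True is the mitigation: drop any pre-existing assignment for the
    new uid before granting only the default group."""
    uid = db.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid
    if purge_stale:
        db.execute("DELETE FROM group_assignments WHERE uid = ?", (uid,))
    db.execute("INSERT INTO group_assignments VALUES (?, 3)", (uid,))
    return uid

def groups_of(db, uid):
    """Effective group names for a user, in grp_id order."""
    rows = db.execute("""SELECT g.grp_name FROM group_assignments ga
                         JOIN groups g ON g.grp_id = ga.grp_id
                         WHERE ga.uid = ? ORDER BY g.grp_id""", (uid,))
    return [r[0] for r in rows]
```

Running `orphaned_assignments` against a fresh install is the check to do before opening registration; a non-empty result means the next signup will collide with a stale record.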

Impact:   A remote user could obtain administrative control of the application in a certain situation.
Solution:   The vendor has issued a fixed version (1.3.1), available at the Vendor URL.
Vendor URL:  geeklog.sourceforge.net/index.php?topic=GeekLog (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 5 2002 Geeklog Web-based Community Portal Software May Let a Remote User Obtain Administrative Privileges on the Application



Source Message Contents

Subject:  Geeklog fix


[022] - GeekLog 1.3.1
  by Tony Bibbs (http://freshmeat.net/users/tbibbs/)
  Saturday, January 12th 2002 03:11

Internet :: WWW/HTTP Internet :: WWW/HTTP :: Dynamic Content

About: GeekLog is the weblog software that concentrates on performance,
privacy, and security. It features Web-based administration, surveys
(polls), user-customizable boxes, a friendly administration GUI with a
topic manager, an option to edit or delete stories, an option to delete
comments, a search engine, backend/headlines generation (RSS/RDF format),
calendaring, and much more.

Changes: This release introduces a couple of security fixes including one
major one, addresses some performance issues, cleans up bugs in the
calendar, adds a "who's online" hack, now tracks user registration date and
makes some block customizations.

License: GNU General Public License (GPL)

URL: http://freshmeat.net/projects/geeklog/


Copyright 2019, SecurityGlobal.net LLC