Geeklog Web Portal Software Permits Cross-Site Scripting Attacks and May Allow Remote Users to Execute Arbitrary SQL Commands on the Database Server
SecurityTracker Alert ID: 1004499
SecurityTracker URL: http://securitytracker.com/id/1004499
Date: Jun 10 2002
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.3.5, 1.3.5rc1, and prior versions
Several vulnerabilities have been reported in the Geeklog web portal software. A remote user may be able to inject SQL commands to be executed by the underlying database server. Also, a remote user can conduct cross-site scripting attacks.
ALPER Research Labs reported that the user-supplied '$url' variable submitted for administrator review with a new Calendar Event is not filtered. A remote user can submit HTML containing malicious scripting code in this variable to cause the arbitrary scripting code to be executed by the administrator's web browser. This code will appear to originate from the Geeklog site and will run in the security context of that site. As a result, the scripting code will be able to access the administrator's cookies associated with the site.
A demonstration exploit value is provided:
Also, a remote user can create a malicious link using the 'index.php' or 'comment.php' scripts to cause a similar cross-site scripting condition. The following demonstration exploit URLs are provided:
Finally, it is reported that the '$pid' variable is directly passed to the underlying SQL server. This allows a remote user to create a URL that will inject SQL commands to be executed by the database server. A demonstration exploit URL is provided:
According to the report, the "Magic Quotes" function of PHP will escape the quoting characters, possibly reducing the impact of this flaw. However, if the "Magic Quotes" feature is not enabled, a remote user could cause arbitrary SQL commands to be executed. This could allow a remote user to obtain all available information about Geeklog users from the database.
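A hardened handling of the two input paths described above (the event '$url' field and the '$pid' parameter), as an added example that is not Geeklog's code or the vendor's patch. The function names, the `comments` table and its columns are hypothetical, and it assumes '$pid' is a numeric identifier and PHP 7.1+ with the PDO SQLite driver.

```php
<?php
// Added example: hypothetical handlers, not Geeklog source or the vendor's patch.

// Accept the event "Link" value only if it is an absolute http(s) URL.
function clean_event_url(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Encode at output time so a stored or reflected value renders as inert text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: pid is a numeric id. Validate it and bind it as an integer
// instead of concatenating it into the SQL string.
function fetch_comment(PDO $db, string $pid): ?array
{
    if (!ctype_digit($pid)) {
        return null; // anything but plain digits is refused before reaching SQL
    }
    $stmt = $db->prepare('SELECT cid, title FROM comments WHERE cid = :pid');
    $stmt->bindValue(':pid', (int) $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (cid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO comments (cid, title) VALUES (1, 'first')");

// Constructed inputs: a normal link, a script-scheme link, markup in a title,
// a valid pid and a pid carrying extra SQL text.
var_dump(clean_event_url('https://example.org/event'));
var_dump(clean_event_url('javascript:alert(1)'));
echo h('<b onmouseover="x">title</b>'), PHP_EOL;
var_dump(fetch_comment($db, '1'));
var_dump(fetch_comment($db, '1 OR 1=1'));
```

Binding the value as an integer gives the same result whether or not "Magic Quotes" is enabled, so the query does not rely on that setting.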
A remote user could cause arbitrary scripting code to be executed on a Geeklog user's or administrator's browser to steal their authentication cookies.
A remote user could inject arbitrary SQL commands to obtain information about Geeklog users from the database.
The vendor has released a fixed version (1.3.5sr1), available at:
You can read more about this issue at:
Vendor URL: geeklog.sourceforge.net/
Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: [ARL02-A13] Multiple Security Issues in GeekLog
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A13 ----/----------/+
+/-----------\----- firstname.lastname@example.org ---/-----------/+
Name : Multiple Security Issues in GeekLog
Software Package : GeekLog
Vendor Homepage : http://geeklog.sourceforge.net/
Vulnerable Versions: v1.3.5, v1.3.5rc1 and older
Platforms : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted : 31/05/2002
Vendor Replied : 01/06/2002
Prior Problems : N/A
Current Version : v1.3.5rc1 (vulnerable)
GeekLog is a web content management system suitable for
running full-featured community sites. It supports article
posting, threaded comments, event scheduling, and link
management and is built around a design philosophy that
emphasizes ease of use.
I have found these issues while testing the GeekLog system
which was to be used at http://www.olympos.org, "Olympos
Turkish Security Portal".
2 different types of Cross Site Scripting issues, plus
1 SQL Injection vulnerability were found in GeekLog.
1. When any user sends a new Calendar Event, the form is submitted
to the site admin for approval. The $url variable, which holds the
data given in the "Link" section of the form, is not filtered for
malicious code. So a malicious user may get the cookie of the site
administrator and therefore "own" the site.
Also this issue may be exploited to run malicious code on the GeekLog
Proof-of-concept Link input ($url):
2. Maliciously crafted links from third party sites may allow Cross
Site Scripting attacks via "index.php" and/or "comment.php".
Two examples for this:
3. The $pid variable is directly passed to SQL input. This makes it
possible for attackers to launch SQL injection attacks.
As the "Magic Quotes" function of PHP escapes the quoting characters,
this third issue might just cause "light" headaches, but if the "Magic
Quotes" is not active, the attacker may be able to get all the information
about users from the SQL tables.
The vendor replied and acted quickly.
A patch or a new version pointing this issue will
soon be available via CVS or a FTP download from:
The development team of GeekLog said that they will
be cleaning out the code for similar security issues,
which were mentioned above.
Discovered on 31, May, 2002 by
Ahmet Sabri ALPER <email@example.com>
ALPER Research Labs.
The ALPER Research Labs. [ARL] workers are freelancer
security professionals and WhiteHat hackers. The ARL
workers are available for hiring for legal jobs.
The ARL also supports Open Software Community, by detecting
possible security issues in GPL or any other Public Licensed
Product Web Page: http://geeklog.sourceforge.net/