SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Forum/Board/Portal) > Geeklog
Vendors:  Geeklog
Geeklog Weblog Software Input Filtering Bug in 'Stories' and 'Comments' Lets Remote Users Conduct Cross-site Scripting Attacks
SecurityTracker Alert ID:  1004801
SecurityTracker URL:  http://securitytracker.com/id/1004801
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 19 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.3.5sr1
Description:   An input validation vulnerability was reported in the Geeklog web forum software. A remote user can conduct cross-site scripting attacks against Geeklog users.

It is reported that Geeklog filters out scripting tags but does not filter HTML attributes that can include scripting elements. The 'stories' and 'comments' fields are affected.

A demonstration exploit example is provided:

<b onMouseOver="self.location.href='http://localhost/geeklog/'">life has made her that much bolder now</b>

When a target user reads the Geeklog entry and moves the mouse pointer over the specified text, the event handler fires and the JavaScript code is executed by the target user's browser. Because the code is served by the server running Geeklog, it runs in the security context of that site. As a result, the code can access the target user's cookies for that site, including any authentication cookies, access data recently submitted by the target user to that site via a web form, or take actions on that site as the target user.
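The filtering gap described above, as an added example that is not part of the advisory or of Geeklog's own code: a tag-only blacklist in the style the advisory attributes to Geeklog, beside an allowlist sanitizer built on Python's html.parser that keeps only listed tags and, per tag, listed attributes, so event-handler attributes are dropped whatever their spelling or case. The sample story, the allowlist and the function names are constructed for this illustration; the markup inside it is the advisory's own demonstration string.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample story: the advisory's demonstration markup, an explicit
# <script> element and an ordinary link, embedded in story text.
SAMPLE_STORY = (
    'Lyrics: <b onMouseOver="self.location.href=\'http://localhost/geeklog/\'">'
    'life has made her that much bolder now</b> <script>alert(1)</script> '
    '<a href="http://example.com/" target="_blank">link</a>'
)

# 1. Tag-only filtering, as the advisory describes: scripting *elements* are
#    removed, but every attribute of a permitted element survives untouched.
SCRIPT_TAG_RE = re.compile(r'</?script\b[^>]*>', re.IGNORECASE)

def strip_script_tags(markup):
    return SCRIPT_TAG_RE.sub('', markup)

# 2. Allowlist filtering (constructed policy): only these tags survive, and
#    only these attributes on them. No on* attribute is ever listed.
ALLOWED_TAGS = {'b': set(), 'i': set(), 'p': set(), 'br': set(), 'a': {'href'}}
VOID_TAGS = {'br'}
SAFE_HREF_RE = re.compile(r'^(https?:|mailto:)', re.IGNORECASE)
SKIPPED_CONTENT = {'script', 'style'}   # drop the element and its text

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIPPED_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                          # unknown tag: emit nothing
        kept = []
        for name, value in attrs:           # HTMLParser lowercases names
            if name not in ALLOWED_TAGS[tag]:
                continue                    # drops onmouseover, onclick, ...
            value = value or ''
            if name == 'href' and not SAFE_HREF_RE.match(value):
                continue                    # only http(s)/mailto links kept
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in SKIPPED_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if self.skip_depth == 0:            # re-escape text, never pass it raw
            self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)

# 3. Audit helper: list event-handler attributes present in stored content so
#    existing stories and comments can be checked after an upgrade.
class EventHandlerFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _ in attrs:
            if name.startswith('on'):
                self.found.append((tag, name))

def find_event_handlers(markup):
    finder = EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.found

if __name__ == '__main__':
    print('tag-only  :', strip_script_tags(SAMPLE_STORY))
    print('allowlist :', sanitize(SAMPLE_STORY))
    print('handlers  :', find_event_handlers(SAMPLE_STORY))
```

Running the script shows the point of the advisory: the tag-only filter returns the story with its `<script>` element gone but the `onMouseOver` attribute intact, while the allowlist output contains only `<b>`, `</b>` and an `<a>` with its `href`. The allowlist is deliberately a positive list; extending a blacklist with every attribute name a browser treats as a script hook is the approach that failed here.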

Also, a carriage return/line feed (CR/LF) injection hole was reported in the 'User Profile: Send Email' function. A remote user can reportedly exploit this flaw to obtain a user's otherwise secret e-mail address. To do so, the remote user can add extra mail headers by inserting into the Subject field a CRLF character combination followed by the extra mail header. If, for example, the inserted header is a 'bcc:' header to the remote user's address, then the intended recipient's address (i.e., the victim's address) will be disclosed when the system sends a blind carbon copy to the remote user at the 'bcc:' address.
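The header-injection mechanism described above, as an added example that is not part of the advisory or of Geeklog's own code: a message builder that concatenates a user-supplied Subject straight into the header block, beside one that rejects any header value containing CR or LF, plus an outbound check that flags header names the application never sets itself. The addresses, subject lines and function names are constructed for this illustration.

```python
import re

# Constructed addresses: the recipient whose address the site must keep
# secret, and the submitter of the "Send Email" form.
RECIPIENT = "member@example.org"
SUBMITTER = "sender@example.net"
EXPECTED_HEADERS = {"to", "from", "subject"}   # headers the app itself writes

# Constructed subject lines: one ordinary, one carrying the CRLF-plus-header
# pattern the advisory describes (an extra Bcc: line).
CLEAN_SUBJECT = "Question about your story"
INJECTED_SUBJECT = "Question about your story\r\nBcc: " + SUBMITTER

CR_OR_LF = re.compile(r"[\r\n]")

def build_message_unchecked(to_addr, from_addr, subject, body):
    """Header block assembled by string concatenation, as a naive mailer
    would. Any line break inside `subject` becomes a header line of its own."""
    return (f"To: {to_addr}\r\n"
            f"From: {from_addr}\r\n"
            f"Subject: {subject}\r\n"
            f"\r\n{body}")

def validate_header_value(value):
    """A user-supplied header value must be a single line. Rejecting it
    (rather than silently collapsing the line breaks) surfaces the attempt
    so the application can log it."""
    if CR_OR_LF.search(value):
        raise ValueError("header value must not contain CR or LF")
    return value

def build_message_checked(to_addr, from_addr, subject, body):
    """Same builder, but the only user-controlled header is validated first."""
    return build_message_unchecked(to_addr, from_addr,
                                   validate_header_value(subject), body)

def header_names(raw_message):
    """Header names of a raw message, in order (everything before the
    first blank line)."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].strip().lower()
            for line in head.split("\r\n") if ":" in line]

def unexpected_headers(raw_message, expected=EXPECTED_HEADERS):
    """Outbound check: header names the application did not set itself.
    A non-empty result on a profile-mail message is a detection signal."""
    return [name for name in header_names(raw_message) if name not in expected]

if __name__ == "__main__":
    raw = build_message_unchecked(RECIPIENT, SUBMITTER, INJECTED_SUBJECT, "Hello")
    print("unchecked headers :", header_names(raw))
    print("unexpected headers:", unexpected_headers(raw))
    try:
        build_message_checked(RECIPIENT, SUBMITTER, INJECTED_SUBJECT, "Hello")
    except ValueError as exc:
        print("checked builder   :", exc)
```

The unchecked builder produces a message whose header block ends with a `Bcc:` line the application never wrote, which is exactly what leaks the recipient's address; the checked builder refuses the subject before any message is assembled. The same single-line rule applies to every header a form field can reach, not only Subject.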

Impact:   A remote user can access a target user's cookies for the site running Geeklog, including any authentication cookies, access data recently submitted by the target user to that site via a web form, or take actions on that site as the target user.

A remote user can also send mail via the system with extra e-mail headers. This can be used to determine a Geeklog user's e-mail address.

Solution:   The vendor has released a fixed version (1.3.5sr2), available at:

http://geeklog.sourceforge.net/staticpages/index.php?page=20020114085755339
http://prdownloads.sourceforge.net/geeklog/geeklog-1.3.5sr2.tar.gz

Vendor URL:  geeklog.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  Geeklog XSS and CRLF Injection


Geeklog XSS and CRLF Injection


PROGRAM: Geeklog
VENDOR: Tony Bibbs et al. <geeklog-devel@lists.sourceforge.net>
HOMEPAGE: http://geeklog.sourceforge.net/
VULNERABLE VERSIONS: 1.3.5sr1, possibly earlier versions as well
NOT VULNERABLE VERSIONS: 1.3.5sr2
LOGIN REQUIRED: no
SEVERITY: high


DESCRIPTION:

"Geeklog is a 'blog', otherwise known as a Weblog. It allows
you to create your own virtual community area, complete with user
administration, story posting, messaging, comments, polls, calendar,
weblinks, and more! It can run on many different operating systems,
and uses PHP4 and MySQL."

(direct quote from the program's homepage)

Geeklog is published under the terms of the GNU General Public
License.


SECURITY HOLES:

1) Geeklog has got an XSS hole that affects both the stories and
the comments. The program removes the HTML elements that are used
for scripting, but it fails to remove the HTML attributes that are
used for the same purpose, which leads to this hole.

One example of an XSS attack would be:

<b onMouseOver="self.location.href='http://localhost/geeklog/'">life
has made her that much bolder now</b>

When a victim moves the mouse pointer over the quote from "Lady
Godiva's Operation", an intrinsic event occurs and the JavaScript
code is executed.

(There is also an XSS issue in the search engine. It was reported

2) Geeklog has got a CRLF Injection hole in User Profile: Send
Email. The users' mail addresses are meant to be secret, but by
using this hole, you can get someone's mail address anyway.

The problem is that you can add extra mail headers, by using a
CRLF combination followed by an extra mail header in the Subject
field. One way to add them is saving the HTML document with the
form, and changing the <input type=text name=subject> tag to a
textarea. After opening the edited document in a web browser, you
enter a Subject line in the textarea, press Enter, and then you
enter your extra mail header. When the mail is sent, that header
will be included. If the header in question is "Bcc: <your own
mail address>", the message will silently be copied to you, thus
revealing the recipient's mail address without them knowing.

I have described this type of problem in further detail
in my "CRLF Injection" paper, which is available at
http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00079.html


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 1st of July. Version 1.3.5sr2,
which does not have any of these security holes (neither mine nor


RECOMMENDATION:

I recommend that all administrators upgrade to version 1.3.5sr2.


// Ulf Harnhammar
ulfh@update.uu.se


Copyright 2019, SecurityGlobal.net LLC