SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Geeklog Vendors:   Geeklog
Geeklog Input Validation Flaws Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007828
SecurityTracker URL:  http://securitytracker.com/id/1007828
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 28 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 2.x, 1.x
Description:   Lorenzo Hernandez Garcia-Hierro reported several vulnerabilities in Geeklog. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.

It is reported that several scripts do not properly validate user-supplied input. A remote user can inject SQL commands to be executed on the underlying database. A remote user can exploit this to, for example, obtain e-mail addresses and hashed passwords.

Some demonstration exploit URLs are provided:

http://[TARGET]/index.php?topic=te'st/[SQL INJECTION CODE]

http://[TARGET]/forum/viewtopic.php?forum=1&showtopic=1'0/[SQL INJECTION CODE]

http://[TARGET]/staticpages/index.php?page=test'test/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/visit.php?lid=1'1'0/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/viewcat.php?cid='6/[SQL INJECTION CODE]

http://[TARGET]/comment.php?type=filemgmt&cid=filemgmt-1'70/[SQL INJECTION CODE]

http://[TARGET]/comment.php?mode=display&sid=filemgmt-XXX&title=[SQL INJECTION CODE]

http://[TARGET]/filemgmt/singlefile.php?lid=17'/0/[SQL INJECTION CODE]

It is also reported that a remote user can send a message containing HTML code with malicious scripting code to the shoutbox on the main page. A remote user can submit specially crafted HTML. Then, when a target user views the forum, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the vulnerable Geeklog software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can also create a specially crafted URL that, when loaded, will cause arbitrary scripting code to be executed by the target user's browser. Some demonstration exploit cross-site scripting URLs are provided:

http://[TARGET]/faqman/index.php?op=view&t=518">[XSS ATTACK CODE]

http://[TARGET]/filemgmt/brokenfile.php?lid=17'/%22%3[XSS ATTACK CODE]

Impact:   A remote user can inject SQL commands to be executed by the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Geeklog software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  geeklog.sourceforge.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Geeklog Multiple Versions Vulnerabilities



Geeklog Multiple Versions Vulnerabilities
------
PRODUCT: Geeklog
VENDOR: Geeklog
VULNERABLE VERSIONS:

        - 2.x ( TESTED ) (T.I.N.P)
        - 1.x ( TESTED ) (T.I.N.P)
        - And older versions possible affected too.

NO VULNERABLE VERSIONS

- ?

---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:



---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I found XSS and SQL Injection vulnerabilities in the Geeklog
Content Management System.
The XSS can be used for stole authentication data and cookies, and , in some
conditions you can deface the website homepage.
The SQL Injections can be used for hack the backend database and
modify/read/delete/stole data in the backend database.
I found some security holes ( miscelaneous ).
---------
|  XSS  |
---------
I found XSS holes:
You can send code to the Shoutbox system for be displayed... IN THE HOME
PAGE !!!
This is the most important bug that i discovered in geeklog because any user
( not authenticated )
can send messages to shoutbox and these messages will be displayed in the
home page of the cms in a block.
-
Proof of Concept:
-
insert your code into the text box under the shoutbox block and press Shout
it ! thats all.

Another XSS:

http://[TARGET]/faqman/index.php?op=view&t=518">[XSS ATTACK CODE]

http://[TARGET]/filemgmt/brokenfile.php?lid=17'/%22%3[XSS ATTACK CODE]

Its very possible that other files using lid variable are vulnerable to this
and SQL Injection attacks.

------------------
| SQL INJECTIONS |
------------------

I found some SQL injections :

http://[TARGET]/index.php?topic=te'st/[SQL INJECTION CODE]

http://[TARGET]/forum/viewtopic.php?forum=1&showtopic=1'0/[SQL INJECTION
CODE]

http://[TARGET]/staticpages/index.php?page=test'test/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/visit.php?lid=1'1'0/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/viewcat.php?cid='6/[SQL INJECTION CODE]

http://[TARGET]/comment.php?type=filemgmt&cid=filemgmt-1'70/[SQL INJECTION
CODE]

http://[TARGET]/comment.php?mode=display&sid=filemgmt-XXX&title=[SQL
INJECTION CODE]

http://[TARGET]/filemgmt/singlefile.php?lid=17'/0/[SQL INJECTION CODE]

With this you can perform malformed sql queries for access privileged
information such as passwords ( md5 hashes ),
email addresses...


---------------
| MISCELANEoUS|
---------------
_____________
IP Detection ->
_____________

Geeklog only detects ips in front of a proxy , if you are
behind a proxy , geeklog's logs , scripts will be logging the proxy ip.
This can be patched by using HTTP_X_FORWARDED_FOR detection like:

<?php

/* ------------------------
/  Geeklog possible Hard IP
/  Detection System.
/  Use seeyou() instead of
/  declaring other ip variables.
/  ------------------------
/  by Lorenzo Hernandez G-H
/  ------------------------
*/ ________________________

function seeyou()
{
     if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),
"unknown"))
             $ip = getenv("HTTP_CLIENT_IP");
         else if (getenv("HTTP_X_FORWARDED_FOR") &&
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
             $ip = getenv("HTTP_X_FORWARDED_FOR");
         else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),
"unknown"))
             $ip = getenv("REMOTE_ADDR");
         else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
             $ip = $_SERVER['REMOTE_ADDR'];
         else
             $ip = "unknown";
     return($ip);
}

/*-------seeyou()-------*/
/* <<EOF */
// ;-)
// dedicado a Pocholo
// Poxolo for president !
// FIEEEESSSSSSSSTAAAAAAAA

?>

and calling it from the main ip variable like:

$ip = seeyou();

________________________
Automatic IP Blocking ->
________________________

I'm suggesting this to the Geeklog development team .
Instead of logging facilities use a proactive system for deny ips of
attackers in real time.
I explain it:

An attacker checks those SQL Injection vulnerabilities.
Uses on or more possible bugs and the system adds this attempts to the
database:

-KIDDIE->
     - IP       -> uses seeyou() routine for detection
     - ATTEMPTS -> COUNT-
                        |_> IF THIS IS x ( F.EX. 3) go to the block
routine ------
    -------------------------------------------------------------------------
----|
    |> Blocking routine:
                        - a file ( F.EX. blockthatsh*t.php )
                           |________________________________|
                                       |
                                       |
                                       |> This adds an entry to another php
file that is
                                          included in the common lib that is
loaded with
                                          all the scripts with:
                                                                include
("blocked-sh*ts");

|________________________|
                                                                            |
                                        blocked-sh*ts.php source :         <|


<?
/* No Secure Root Group Security Research
/  By Lorenzo Hernandez Garcia-Hierro
/  This is part of the Security Application Server ( unreleased ) by
/  Lorenzo Hernandez Garcia-Hierro
/  ---- Licensed under GPL ----
*/

$denyip = array("202.108.250.",
                 "200.147.47.97",
   "148.221.148.38",
          "80.117.13.97",
   "212.142.214.63",
   "213.97.249.145"
   );

/* IP Detection
// ----------------------
// EXPERIMENTAL IN THIS SCRIPT
// THIS WILL BLOCK IPs USING
// THE "HARD DETECTION ROUTINE
// AND MATCHING THE denyip ARRAY
// -----------------------

function seeyou()
{
     if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),
"unknown"))
             $ip = getenv("HTTP_CLIENT_IP");
         else if (getenv("HTTP_X_FORWARDED_FOR") &&
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
             $ip = getenv("HTTP_X_FORWARDED_FOR");
         else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),
"unknown"))
             $ip = getenv("REMOTE_ADDR");
         else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
             $ip = $_SERVER['REMOTE_ADDR'];
         else
             $ip = "unknown";
     return($ip);
}

// -------------------------
// -------END seeyou()-------*/

// For use only with seeyou() routine

// $ip = echoIP();

// Under this you don't need to change nothing.
// ----------------------------------------------

$ip = $_SERVER['REMOTE_ADDR']; // if you want seeyou() routine comment this
and uncomment the another one

$blockmsg = array('<h1>Access Blocked</h1><br><br>Your Internet Address was
blocked in our servers due to incorrect use or improper actions in the
servers , if you attempt to access again thi servers , your ISP will be
adviced about you.BlockedIPs are: <br><br>'."$denyip".'<br><br>Take care for
be out of this list.Shits smell bad.');

// Nothing to change below this line ------------------

$x = count($denyip);

for ($y = 0; $y < $x; $y++) {
   if ($ip == $denyip[$y]) {
      exit($blockmsg[$y]);
   }
}

?>

And thats all , you need to perform a script for write in the correct form
the ips for block .

I called this sytem Blahsh*t Guard.

This is part of my ( unreleased ) whitepaper "uwahck" :

"Using Vulnerable Web Applications for HaCK into Servers " .

<<EOF

---------------
| CONCLUSIONS |
---------------

Geeklog doesn't have an input validation system and you can send
malicious data to the target geeklog installation.
This can be used by attackers for do extremely bad actions in the target
actions.
Geeklog core and modules are completly vulnerable to XSS attacks and SQL
Injection.
Definately Geeklog is not a Geek product ;-) .

for the development team and people going to use the Blahsh*t Guard:

The code is fully experimental and this one of the reasons of SAServer
unreleased.

Send Suggestions to me or join the project trough http://sas.novappc.com .

Greetings to:

0x00-Pocholo , hey , be president , cag_at_(dieresis)_at>en la *st*a ! .
0x02-rkc - no se ni pa que - ahi va ;-).
0x04-A la chofa , por su musica "angelica" , pobrecilla , con ese bichejo en
medio...
0x05-a mrs nadie por su excelente trabajo.

NOTE: This is the first time that i write greetings but i want to do it more
, it is excelent for
the spanish poxo-family.

-----------
| CONTACT |
-----------
------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
---       Security Consultant           ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://security.novappc.com
______________________



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC