-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Geeklog SQL Injection Vulnerability
 Release Date: 2005/07/05
Last Modified: 2005/07/05
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: Geeklog <= 1.3.11
     Severity: An input validation flaw within Geeklog allows
               SQL injection and can lead f.e. to user password
         hash disclosure 
         Risk: High
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-062005.php


Overview:

   Quote from http://www.geeklog.net
   "Geeklog is a weblog powered by PHP and MySQL. It allows you within
   minutes to set up a fully functioning dynamic website, and has many
   features to get you started. As of Geeklog 1.3, these features are:
   
       * User-system, allowing members of the public to register 
         for your site and submit stories.
       * Comment system, allowing users to comment on posts 
         made to your site.
       * Block system, allowing you to put information anywhere 
         on your site.
       * Plugin system that allows you to extend Geeklog, without 
         having to code any new PHP.
       * Theme system that allows users to select what layout they 
         want to view.
       * Excellent security model that allows you to give users 
         control over certain aspects of the site with no need 
   to worry.
       * Site Statistics that show you the most popular areas 
         of your site.
       * Link system that allows users to add links to the site.
       * Calendar System that lets you and your user add 
         up-and-coming events.
       * Allow users to email stories to their friends."

   An audit of the Geeklog sourcebase has revealed a possible SQL 
   injection, that can f.e. lead to disclosure of a users password
   hash if this user has posted atleast one comment to an article
   and that article having atleast another comment.
   
   If the site admin account is also used for commenting to articles
   this means the admin password hash can be revealed with this hole.
   A possible candidate for this is for example some very popular
   site that documents everything about the SCO vs. World process.


Details:

   The Geeklog 1.3.x codebase is one of the PHP applications, that
   are quite secure, although it was designed to only run with
   register_globals turned on. They initialise their variables,
   filter user input and escape strings before putting them into
   SQL queries.
   
   Nevertheless our audit has revealed a possible SQL injection in 
   the ORDER BY clause of a query that is used to retrieve user 
   comments for a given article. Usually people believe that such an 
   injection is harmless, because MySQL does not allow multi queries 
   and so you can only influence the order of the returned rows.
   
   In this special case however the query performs a JOIN of the 
   comment and the user table, and therefore it is possible to 
   order the retrieved user comments in dependance of date in the
   user table. Such a conditional ORDER BY statement looks like:
   
     ORDER BY (u.uid=1 && (conv(substring(u.pass, 1, 1),16,10)&1))
   
   This example would order all comments of the user with userid 1
   to the end of all retrieved comments, but only if the lowest bit
   of the first nibble of the password hash is set.
   
   With similiar strings it is possible to retrieve the complete
   MD5 hash of the attacked user account, by sending 128 HTTP 
   requests and checking in the returned HTML page if the first 
   (switching search order) comment was written by the user. It
   should be obvious, that this issue is only exploitable if there
   are atleast 2 comments.
   
   The resulting MD5 hash can then be attacked in the usual way,
   to retrieve the users password.
   

Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.


Disclosure Timeline:

   30. June 2005 - Contacted geeklog.net via email
   01. July 2005 - Sent requested POC to vendor 
   03. July 2005 - Vendor releases bugfixed version
                   (and request a disclosure not on 4th July)
   05. July 2005 - Public disclosure


Recommendation:

   We strongly recommend to upgrade to the vendor supplied
   new version 
      
      Geeklog 1.3.11sr1
      http://www.geeklog.net/filemgmt/visit.php?lid=574


Special Note to Secunia:

   You have censored 2 of our 3 Cacti advisories. In both we tried 
   hard to help you guys out with short summaries, because you often 
   have enormous problems with understanding advisories.
   
   Unfortunately we forgot to put such a summary into our 3rd Cacti
   advisory and so it is maybe our responsibility that you made up
   a 2nd bug in the administrative interface of Cacti that allows
   execution of arbitrary commands. In the special secunia summary
   we could have explained to you, that executing arbitrary commands
   as admin is one of the features of Cacti.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCybGJRDkUzAqGSqERAoG7AKDqY38M67H+BI2QWqPUMj8EIbmw4gCgu/2g
3fgr9dlH/jnEKWoZRxXU7m8=
=OaI9
-----END PGP SIGNATURE-----