Geeklog 1.7.1 Cross Site Scripting

Geeklog 1.7.1 Cross Site Scripting: Posted Jan 3, 2011; Authored by Aung Khant | Site yehg.net; Geeklog versions 1.7.1 and below suffers from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 1b979762b859d905fddef4be41425f3a8b45b94c6c62eb1b21c221875e6e0457; Download | Favorite | View

Geeklog 1.7.1 Cross Site Scripting

=========================================================
 Geeklog 1.7.1 <= Cross Site Scripting Vulnerability
=========================================================


1. OVERVIEW

The Geeklog was vulnerable to Cross Site Scripting in its
administration backend.


2. BACKGROUND

Geeklog is a PHP/MySQL based application for managing dynamic web content.
"Out of the box", it is a blog engine, or a CMS with support for
comments, trackbacks,
multiple syndication formats, spam protection, and all the other vital
features of such a system.


3. VULNERABILITY DESCRIPTION

User supplied input is not probably sanitized in the "subgroup" and "conf_group"
parameters when the configuration settings are saved in
/admin/configuration.php.
Attackers who manage to get/bypass anti-csrf token (_glsectoken) via
other means can effectively perform XSS against admin users.


4. VERSIONS AFFECTED

1.7.1 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

[Request]

POST /geeklog/admin/configuration.php HTTP/1.1

_glsectoken=&conf_group=Core'"--></script><script>alert(/XSS/)</script>&subgroup='"--></script><script>alert(/XSS/)</script>

[/Request]


6. SOLUTION

Upgrade to 1.7.1sr1


7. VENDOR

Geeklog Development Team
http://www.geeklog.net/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-31: notified vendor
2011-01-02: vendor released fixed version
2011-01-04: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[geeklog1.7.1]_cross_site_scripting
Vendor Advisory: http://www.geeklog.net/article.php/geeklog-1.7.1sr1
About Geeklog: http://www.geeklog.net/docs/english/#introduction
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html

#yehg [2011-01-04]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Geeklog 1.7.1 Cross Site Scripting

Geeklog 1.7.1 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Geeklog 1.7.1 Cross Site Scripting

Share This

Geeklog 1.7.1 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems