Geeklog Multiple Versions Vulnerabilities
------

PRODUCT: Geeklog
VENDOR: Geeklog
VULNERABLE VERSIONS:
- 2.x ( TESTED ) (T.I.N.P)
- 1.x ( TESTED ) (T.I.N.P)
- And older versions possibly affected too.
NO VULNERABLE VERSIONS
- ?
---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:

---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I found XSS and SQL injection vulnerabilities in the Geeklog Content Management System. The XSS can be used to steal authentication data and cookies and, under some conditions, to deface the website homepage. The SQL injections can be used to attack the backend database and to read, modify, delete or steal the data it holds. I also found some miscellaneous security holes.

---------
|  XSS  |
---------

I found XSS holes:

You can send code to the Shoutbox system to be displayed... IN THE HOME PAGE !!! This is the most important bug that I discovered in Geeklog, because any user (not authenticated) can send messages to the shoutbox and these messages are displayed in the home page of the CMS in a block.

- Proof of Concept:
- Insert your code into the text box under the shoutbox block and press "Shout it!". That's all.

Another XSS:

http://[TARGET]/faqman/index.php?op=view&t=518">[XSS ATTACK CODE]
http://[TARGET]/filemgmt/brokenfile.php?lid=17'/%22%3[XSS ATTACK CODE]

It is very possible that other files using the lid variable are vulnerable to this and to SQL injection attacks.
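The shoutbox XSS above and the SQL injection URLs listed in the next section share one root cause: request input reaches the page and the database unescaped. The following is an added example, not Geeklog code, of a hardened handler for a filemgmt-style lid parameter and a shoutbox renderer; the files table, its columns and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
// Added example (not Geeklog code): hardened handling of a filemgmt-style
// "lid" parameter and of shoutbox output. The raw parameter is never
// concatenated into SQL (integer validation + parameterised query), and
// shout text is HTML-escaped at output time so it cannot inject markup
// into the home page block.
declare(strict_types=1);

function lookupFile(PDO $db, string $rawLid): ?array
{
    // Only a plain positive integer is accepted; a value such as "17'/0/"
    // is rejected here, before any query is built.
    if (!preg_match('/^[1-9][0-9]*$/', $rawLid)) {
        return null;
    }
    $stmt = $db->prepare('SELECT lid, title FROM files WHERE lid = :lid');
    $stmt->execute([':lid' => (int) $rawLid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderShout(string $shout): string
{
    // ENT_QUOTES also escapes single quotes, needed if the value ever lands
    // inside an attribute; the charset keeps multi-byte input from being mis-decoded.
    return '<li>' . htmlspecialchars($shout, ENT_QUOTES, 'UTF-8') . '</li>';
}

// Constructed in-memory SQLite table (hypothetical schema) so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (lid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO files VALUES (17, 'manual.pdf')");

var_dump(lookupFile($db, '17'));        // a well-formed id
var_dump(lookupFile($db, "17'/0/"));    // the advisory's malformed lid, rejected by validation
echo renderShout('<b>hello</b>'), PHP_EOL;   // markup is escaped, not rendered
```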
------------------
| SQL INJECTIONS |
------------------

I found some SQL injections:

http://[TARGET]/index.php?topic=te'st/[SQL INJECTION CODE]
http://[TARGET]/forum/viewtopic.php?forum=1&showtopic=1'0/[SQL INJECTION CODE]
http://[TARGET]/staticpages/index.php?page=test'test/[SQL INJECTION CODE]
http://[TARGET]/filemgmt/visit.php?lid=1'1'0/[SQL INJECTION CODE]
http://[TARGET]/filemgmt/viewcat.php?cid='6/[SQL INJECTION CODE]
http://[TARGET]/comment.php?type=filemgmt&cid=filemgmt-1'70/[SQL INJECTION CODE]
http://[TARGET]/comment.php?mode=display&sid=filemgmt-XXX&title=[SQL INJECTION CODE]
http://[TARGET]/filemgmt/singlefile.php?lid=17'/0/[SQL INJECTION CODE]

With these you can perform malformed SQL queries to access privileged information such as passwords (MD5 hashes), email addresses...

-----------------
| MISCELLANEOUS |
-----------------

_____________
IP Detection ->
_____________

Geeklog only detects the IP in front of a proxy: if a visitor is behind a proxy, Geeklog's logs and scripts will record the proxy's IP. This can be patched by using HTTP_X_FORWARDED_FOR detection like:

and calling it from the main IP variable like:

$ip = seeyou();

________________________
Automatic IP Blocking ->
________________________

I'm suggesting this to the Geeklog development team. Instead of logging facilities, use a proactive system that denies attackers' IPs in real time. I explain it:

An attacker probes those SQL injection vulnerabilities. He uses one or more possible bugs and the system adds these attempts to the database:

-KIDDIE->
  - IP -> uses the seeyou() routine for detection
  - ATTEMPTS -> COUNT -> IF THIS IS x (F.EX. 3) go to the block routine

|> Blocking routine:
  - a file (F.EX. blockthatsh*t.php)
  |> This adds an entry to another PHP file that is included in the common lib loaded by all the scripts with:

    include ("blocked-sh*ts.php");

blocked-sh*ts.php source:

<?php
// $denyip is written by the blocking routine ( blockthatsh*t.php );
// $ip is the visitor address obtained from the detection routine.
$denyip = array();
$blockmsg = 'Access Blocked

Your Internet Address was blocked on our servers due to incorrect use or improper actions on the servers. If you attempt to access these servers again, your ISP will be advised about you. Blocked IPs are:

' . implode(', ', $denyip) . '

Take care to be out of this list. Shits smell bad.';
// Nothing to change below this line ------------------
$x = count($denyip);
for ($y = 0; $y < $x; $y++) {
    if ($ip === $denyip[$y]) {
        exit($blockmsg);
    }
}
?>

And that's all; you need a script that writes the IPs to block into the file in the correct form. I called this system Blahsh*t Guard. This is part of my (unreleased) whitepaper "uwahck": "Using Vulnerable Web Applications for HaCK into Servers".

-------------
| GREETINGS |
-------------

<en la *st*a !
0x02 - rkc - I don't even know what for - here it goes ;-).
0x03 - CqC. To hell with Telecinco, Berlusconi and the other sci-fi individuals.
0x04 - To la chofa, for her "angelic" music, poor thing, with that little critter in the middle...
0x05 - To mrs nadie for her excellent work.

NOTE: This is the first time that I write greetings, but I want to do it more; it is excellent for the Spanish poxo-family.

-----------
| CONTACT |
-----------

------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro --- Security Consultant ---
------------------NSRGroup-------------------
PGP: Key fingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup ( No Secure Root Group Security Research Team ) / ( NovaPPC Security Research Group )
http://security.novappc.com
______________________
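The IP Detection and Automatic IP Blocking sections above rely on HTTP_X_FORWARDED_FOR, but that header is set by whoever connects, so a blocking routine that trusts it blindly can be evaded or pointed at someone else's address. What follows is an added example, not Geeklog code and not the advisory's seeyou() routine, of a client-address resolver that honours the header only behind a known proxy, plus a deny-list check in the spirit of $denyip; the proxy and client addresses are constructed sample values.

```php
<?php
// Added example: not Geeklog code and not the advisory's seeyou() routine.
// Resolves the visitor address for logging/blocking and checks it against a
// deny list like the advisory's $denyip. Caveat the advisory leaves out:
// X-Forwarded-For is written by whoever connects, so it is honoured only when
// the TCP peer (REMOTE_ADDR) is one of our own proxies; a direct client cannot
// use the header to dodge a block or to get a third party's address listed.
declare(strict_types=1);

function clientIp(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;                  // no usable peer address
    }
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if (!in_array($remote, $trustedProxies, true) || $xff === '') {
        return $remote;               // direct connection: the header is untrusted
    }
    // Our proxy appends the address it saw, so walk the list from the right and
    // take the first hop that is not itself one of our proxies.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return null;              // malformed header: fail closed
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote;                   // header listed only our own proxies
}

// An unresolvable address counts as blocked so a broken header cannot bypass the list.
function isBlocked(?string $ip, array $denyip): bool
{
    return $ip === null || in_array($ip, $denyip, true);
}

// Constructed sample data: reverse proxy 10.0.0.2 and one denied client, 203.0.113.7.
$trustedProxies = ['10.0.0.2'];
$denyip = ['203.0.113.7'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
$spoofed  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];
foreach (['via proxy' => $viaProxy, 'spoofed header' => $spoofed] as $label => $req) {
    $ip = clientIp($req, $trustedProxies);
    printf("%s: %s -> %s\n", $label, $ip ?? 'unresolved',
        isBlocked($ip, $denyip) ? 'blocked' : 'allowed');
}
```

Unlike the advisory's blocked-sh*ts.php, the response sent to a blocked visitor should be a generic message rather than the full deny list, which would tell an attacker exactly which addresses are already burned.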