TITLE:
Geeklog Password Request SQL Injection Vulnerability

SECUNIA ADVISORY ID:
SA10029

VERIFY ADVISORY:
http://www.secunia.com/advisories/10029/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
Geeklog 1.x

DESCRIPTION:
A vulnerability has been reported in Geeklog that allows malicious
users to manipulate SQL queries.

Specifically, a malicious user can change the password of arbitrary
users by manipulating the "reqid" parameter when updating passwords.

The vulnerability has been reported in version 1.3.8.
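
The kind of check this issue calls for, as an added example that is not part of the advisory and not Geeklog's code: the request ID is format-checked and bound as a query parameter instead of being placed into the UPDATE statement text. The table layout, column names, token format and function names are assumptions, and Python with sqlite3 stands in for Geeklog's PHP/MySQL stack.

```python
import re
import sqlite3

# Assumed token format (32 lowercase hex characters); the advisory does not
# describe how Geeklog generates its request IDs.
REQID_RE = re.compile(r"[0-9a-f]{32}")


def make_db():
    """Constructed in-memory user table; schema and rows are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT,"
        " passwd TEXT, pwrequestid TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "admin-old-hash", None),      # no reset pending
            (2, "alice", "alice-old-hash", "a" * 32),  # reset pending
        ],
    )
    return db


def set_password(db, uid, reqid, new_hash):
    """Apply a password change only for a matching, pending reset request.

    new_hash is the already-hashed password. Returns True when exactly one
    row was updated, False otherwise.
    """
    # Reject anything that is not a well-formed token before touching SQL.
    if not isinstance(uid, int) or not isinstance(reqid, str):
        return False
    if not REQID_RE.fullmatch(reqid):
        return False
    # Bind every request value as a parameter, so the statement text is fixed
    # and reqid can only ever be compared as data. Clearing pwrequestid makes
    # the token single-use.
    cur = db.execute(
        "UPDATE users SET passwd = ?, pwrequestid = NULL"
        " WHERE uid = ? AND pwrequestid = ?",
        (new_hash, uid, reqid),
    )
    db.commit()
    return cur.rowcount == 1
```

An account with no pending request has a NULL pwrequestid, which never compares equal to a bound value, so only the account that actually requested the reset can be updated.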

SOLUTION:
Update to version 1.3.8-1sr2:
http://www.geeklog.net/filemgmt/visit.php?lid=254

REPORTED BY / CREDITS:
Jouko Pynnonen

OTHER REFERENCES:
http://www.geeklog.net/article.php?story=20031014155322658#comments

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web	: http://www.secunia.com/
E-mail	: support@secunia.com
Tel	: +45 7020 5144
Fax	: +45 7020 5145

----------------------------------------------------------------------
