Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-

     Advisory: Geeklog SQL Injection Vulnerability
 Release Date: 2005/07/05
Last Modified: 2005/07/05
       Author: Stefan Esser [sesser@hardened-php.net]
  Application: Geeklog <= 1.3.11
     Severity: An input validation flaw within Geeklog allows SQL
               injection and can lead, for example, to user password
               hash disclosure
         Risk: High
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-062005.php

Overview:

   Quote from http://www.geeklog.net

   "Geeklog is a weblog powered by PHP and MySQL. It allows you within
   minutes to set up a fully functioning dynamic website, and has many
   features to get you started. As of Geeklog 1.3, these features are:

    * User-system, allowing members of the public to register for your
      site and submit stories.
    * Comment system, allowing users to comment on posts made to your
      site.
    * Block system, allowing you to put information anywhere on your
      site.
    * Plugin system that allows you to extend Geeklog, without having
      to code any new PHP.
    * Theme system that allows users to select what layout they want
      to view.
    * Excellent security model that allows you to give users control
      over certain aspects of the site with no need to worry.
    * Site Statistics that show you the most popular areas of your
      site.
    * Link system that allows users to add links to the site.
    * Calendar System that lets you and your user add up-and-coming
      events.
    * Allow users to email stories to their friends."

   An audit of the Geeklog source base has revealed a possible SQL
   injection that can, for example, lead to disclosure of a user's
   password hash, provided this user has posted at least one comment
   to an article and that article has at least one other comment. If
   the site admin account is also used for commenting on articles,
   the admin password hash can be revealed through this hole.

   A possible candidate for this is, for example, a very popular site
   that documents everything about the SCO vs. World process.

Details:

   The Geeklog 1.3.x codebase is one of the more secure PHP
   applications, although it was designed to run only with
   register_globals turned on. It initialises its variables, filters
   user input and escapes strings before putting them into SQL queries.

   Nevertheless our audit has revealed a possible SQL injection in the
   ORDER BY clause of a query that is used to retrieve user comments
   for a given article. Usually people believe that such an injection
   is harmless, because MySQL does not allow multiple queries in one
   statement, so an attacker can only influence the order of the
   returned rows. In this special case however the query performs a
   JOIN of the comment and the user table, and therefore it is possible
   to order the retrieved user comments depending on data in the user
   table. Such a conditional ORDER BY clause looks like:

      ORDER BY (u.uid=1 && (conv(substring(u.pass, 1, 1),16,10)&1))

   This example would order all comments of the user with userid 1 to
   the end of all retrieved comments, but only if the lowest bit of the
   first nibble of the password hash is set. With similar strings it is
   possible to retrieve the complete MD5 hash of the attacked user
   account by sending 128 HTTP requests and checking in the returned
   HTML page whether the first comment (the order of which switches
   with the condition) was written by the user. It should be obvious
   that this issue is only exploitable if there are at least 2
   comments. The resulting MD5 hash can then be attacked in the usual
   way to retrieve the user's password.

Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit for this
   vulnerability to the public.

Disclosure Timeline:

   30. June 2005 - Contacted geeklog.net via email
   01. July 2005 - Sent requested POC to vendor
   03. July 2005 - Vendor releases bugfixed version (and requests that
                   disclosure not take place on 4th July)
   05. July 2005 - Public disclosure

Recommendation:

   We strongly recommend upgrading to the vendor-supplied new version
   Geeklog 1.3.11sr1:

      http://www.geeklog.net/filemgmt/visit.php?lid=574

Special Note to Secunia:

   You have censored 2 of our 3 Cacti advisories. In both we tried hard
   to help you guys out with short summaries, because you often have
   enormous problems with understanding advisories. Unfortunately we
   forgot to put such a summary into our 3rd Cacti advisory, and so it
   is maybe our responsibility that you made up a 2nd bug in the
   administrative interface of Cacti that allows execution of arbitrary
   commands. In the special Secunia summary we could have explained to
   you that executing arbitrary commands as admin is one of the
   features of Cacti.

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.
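The ORDER BY issue from the Details section, shown as an added example in Python (not Geeklog's own code, which is PHP): the vulnerable builder escapes the value and still passes the advisory's injection string through untouched, because ORDER BY is an unquoted context; the hardened builder accepts only allow-list keys and never splices input into SQL; and a small check over access-log lines flags `order` parameters that are not plain tokens. The `order` parameter name, the `/comment.php` path, the table and column names and the log lines are constructed assumptions for this example.

```python
import re

# Allow-list of sort orders callers may request, mapped to the literal SQL
# fragments spliced into the query (keys and column names are constructed).
ALLOWED_ORDERS = {
    "date_asc": "c.date ASC",
    "date_desc": "c.date DESC",
}

# Injection string quoted in the advisory. It needs no quote characters,
# because ORDER BY is an unquoted context, so string escaping cannot stop it.
ADVISORY_PAYLOAD = "(u.uid=1 && (conv(substring(u.pass, 1, 1),16,10)&1))"

BASE_QUERY = ("SELECT c.comment, u.username FROM comments c "
              "JOIN users u ON u.uid = c.uid WHERE c.sid = ? ORDER BY ")

def escape(value):
    """addslashes-style escaping, the kind of filtering the advisory says Geeklog applied."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def build_query_vulnerable(order):
    """Escapes the value and then concatenates it into ORDER BY: the vulnerable pattern."""
    return BASE_QUERY + escape(order)

def build_query_hardened(order):
    """Only a known key is accepted; the SQL fragment comes from the allow-list, never from input."""
    if order not in ALLOWED_ORDERS:
        raise ValueError("unknown sort order: %r" % order)
    return BASE_QUERY + ALLOWED_ORDERS[order]

ORDER_PARAM_RE = re.compile(r"[?&]order=([^&\s\"]*)")

def suspicious_order_params(log_lines):
    """Returns access-log lines whose 'order' parameter is not a plain A-Za-z0-9_ token."""
    hits = []
    for line in log_lines:
        m = ORDER_PARAM_RE.search(line)
        if m and not re.fullmatch(r"[A-Za-z0-9_]+", m.group(1)):
            hits.append(line)
    return hits

# Constructed sample access-log lines: one ordinary request, one carrying the
# advisory's ORDER BY string (URL-encoded) in the order parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jul/2005:10:00:01 +0200] "GET /comment.php?sid=42&order=date_asc HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Jul/2005:10:00:07 +0200] "GET /comment.php?sid=42&order='
    '(u.uid%3D1%20%26%26%20(conv(substring(u.pass,1,1),16,10)%261)) HTTP/1.1" 200 5120',
]
```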