I have discovered a serious security flaw with new user creation in the latest version of Geeklog -- Version 1.3 on December 30th, 2001.

Product Information:

Geeklog is a popular weblog. It allows you to create your own virtual community area, complete with user administration, story posting, messaging, and other nice features.

Vulnerability:

When the first new user is created during a fresh installation of Geeklog, that regular user is assigned to the GroupAdmin Group and, subsequently, is a member of the UserAdmin Group. This is a major issue, because if the website is rolled out to the public, in theory the first new user registered would have Admin rights, which would allow that new user to have control over Geeklog and, subsequently, the entire website.

I have submitted a bug report to the author, in order to give him ample time to fix this issue. It has been fixed, and the fix was posted today at the Geeklog website at http://www.geeklog.org

Fix:

Per Geeklog's website: If you have already installed a fresh version of Geeklog 1.3, then you need to edit the user with a uid of 13. To get that, do a "SELECT username FROM users WHERE uid = 13" in your favorite MySQL editor. Then, in the admin/users.php page, edit that user and uncheck both the GroupAdmin Group AND the UserAdmin Group, and be sure to leave the Normal User and Logged-in User boxes checked.

-- 
Regards,
Woody Hughes
Sr. Information Security Analyst
Security Product Services
Corporate Information Protection
Wells Fargo
-------------------------------
woody@thewoodman.org
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GE d-(++) s+:++>s+:- a27>-- C++++ UBLS++++$ P+>+++++ L++++$ E---- W++ N o? K? w O(-) M-(--) V->V PS---(+) PE--(PE) Y+(Y) PGP++ t 5 X R(+) tv+ b>+++ DI+++ D+ G-- e* h---- r++++ y?
------END GEEK CODE BLOCK------
http://www.geekcode.com
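The fix above only tells you to inspect uid 13. An operator who has had the site open to the public for a while would rather audit every account holding the GroupAdmin or UserAdmin group and strip those two memberships while keeping Normal User and Logged-in User, which is what the following script does. It is an added example, not code from the advisory or from Geeklog: the three-table layout (users, groups, group_assignments) and its column names are an assumption modelled on Geeklog's group tables, an in-memory SQLite database with constructed rows stands in for the MySQL server, and the trusted-uid list is supplied by the operator. Verify the table and column names against your own installation before pointing the queries at it.

```python
import sqlite3

# Group names the advisory says the first self-registered user wrongly receives.
ADMIN_GROUPS = ("GroupAdmin", "UserAdmin")

# ASSUMED schema, modelled on Geeklog's users/groups/group_assignments tables.
# Column names are an assumption for this example; check them against your install.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE groups (grp_id INTEGER PRIMARY KEY, grp_name TEXT NOT NULL);
CREATE TABLE group_assignments (ug_uid INTEGER NOT NULL, ug_grp_id INTEGER NOT NULL);
"""


def open_sample_db():
    """Constructed sample data: uid 2 is the installer's admin account, uid 13 is
    the first self-registered user who inherited both admin groups, uid 14 is a
    later registrant with only the base groups."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(2, "Admin"), (13, "firstuser"), (14, "seconduser")])
    conn.executemany("INSERT INTO groups VALUES (?, ?)",
                     [(1, "GroupAdmin"), (2, "UserAdmin"),
                      (3, "Normal User"), (4, "Logged-in User")])
    conn.executemany("INSERT INTO group_assignments VALUES (?, ?)",
                     [(2, 1), (2, 2), (2, 3), (2, 4),
                      (13, 1), (13, 2), (13, 3), (13, 4),
                      (14, 3), (14, 4)])
    conn.commit()
    return conn


def admin_holders(conn):
    """Every (uid, username, grp_name) row where the user holds an admin group."""
    placeholders = ",".join("?" * len(ADMIN_GROUPS))
    return conn.execute(f"""
        SELECT u.uid, u.username, g.grp_name
          FROM users u
          JOIN group_assignments ga ON ga.ug_uid = u.uid
          JOIN groups g ON g.grp_id = ga.ug_grp_id
         WHERE g.grp_name IN ({placeholders})
         ORDER BY u.uid, g.grp_name
    """, ADMIN_GROUPS).fetchall()


def unexpected_admins(conn, trusted_uids):
    """Admin-group holders whose uid is not on the operator's trusted list."""
    return [row for row in admin_holders(conn) if row[0] not in trusted_uids]


def revoke_admin_groups(conn, uid):
    """Remove only the admin-group memberships of one user, leaving every other
    group (Normal User, Logged-in User) intact: the SQL equivalent of unchecking
    the two boxes in admin/users.php. Returns the number of rows removed."""
    placeholders = ",".join("?" * len(ADMIN_GROUPS))
    cur = conn.execute(f"""
        DELETE FROM group_assignments
         WHERE ug_uid = ?
           AND ug_grp_id IN (SELECT grp_id FROM groups
                              WHERE grp_name IN ({placeholders}))
    """, (uid, *ADMIN_GROUPS))
    conn.commit()
    return cur.rowcount


def groups_of(conn, uid):
    """Sorted group names a user still holds, to confirm the base groups survived."""
    rows = conn.execute("""
        SELECT g.grp_name
          FROM groups g
          JOIN group_assignments ga ON ga.ug_grp_id = g.grp_id
         WHERE ga.ug_uid = ?
         ORDER BY g.grp_name
    """, (uid,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_sample_db()
    suspects = unexpected_admins(db, trusted_uids={2})
    for uid, name, grp in suspects:
        print(f"uid {uid} ({name}) unexpectedly holds {grp}")
    for uid in sorted({row[0] for row in suspects}):
        removed = revoke_admin_groups(db, uid)
        print(f"revoked {removed} admin assignment(s) from uid {uid}; "
              f"remaining groups: {groups_of(db, uid)}")
```

Run the audit read-only first (admin_holders) and only revoke after confirming the trusted-uid list is complete; the same query shape works against MySQL once the table and column names are confirmed.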