|
Geeklog Admin Access and Execution of Arbitrary Code
|
|
Secunia Advisory:
|
SA8895
|
|
|
Release Date:
|
2003-05-30
|
|
Popularity:
|
5,925 views
|
|
|
Critical:
|
Highly critical
|
|
Impact:
|
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Geeklog 1.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
Two vulnerabilities have been identified in Geeklog. One allowing anyone to become a user and escalate their privileges to admin, the other allowing upload of arbitrary code.
1) The first problem is that user sessions isn't verified properly. It is possible to fool Geeklog into creating a valid user session by supplying an invalid userid. The check performed only verifies that the supplied password and the stored password is the same and not if they are NULL.
This problem can be exploited further, by supplying a userid with a floating point value e.g. "2.1" the stored password will be NULL because the user "2.1" doesn't exist, however, when the session is stored in the database the userid will be "2" because the field type is an integer.
2) The other problem is that the upload function allows malicious users to upload any file type including ".php" files.
These vulnerabilities have been identified in version 1.3.7sr1 and earlier.
Solution:
Version 1.3.7sr2 is not vulnerable to these issues.
Provided and/or discovered by:
pokleyzz
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
