exploit-db-mirror/exploits/php/webapps/43833.txt
Offensive Security bfebc3fa5a DB: 2018-01-20
2018-01-20 05:01:49 +00:00


Geeklog Multiple Vulnerabilities
Vendor: Geeklog
Product: Geeklog
Version: <= 1.4.0
Website: http://www.geeklog.net/
BID: 16755
CVE: CVE-2006-0823
OSVDB: 23348 23349
SECUNIA: 18920
PACKETSTORM: 44070
Description:
Geeklog is one of the most popular content management systems available today. Unfortunately, Geeklog is vulnerable to a number of different attacks, such as SQL Injection and arbitrary file inclusion. These attacks can be combined to execute code on the vulnerable web server in a very reliable manner. According to the developers these issues affect pretty much every version of Geeklog ever released, so users are strongly encouraged to upgrade to the latest versions of Geeklog, which are 1.4.0sr1 and 1.3.11sr4.
SQL Injection:
Geeklog is vulnerable to a number of SQL Injection attacks due to improperly handling user supplied GPC data.
    // The permanent-login cookie value is used directly as the user id
    $userid = $_COOKIE[$_CONF['cookie_name']];
    if (empty ($userid) || ($userid == 'deleted')) {
        unset ($userid);
    } else {
        if ($VERBOSE) {
            COM_errorLog('NOW trying to set permanent cookie',1);
            COM_errorLog('Got '.$userid.' from perm cookie in users.php',1);
        }
        if ($userid) {
            $user_logged_in = 1;
            // Create new session
            // $userid is passed, unsanitized, into a query inside this function
            $userdata = SESS_getUserDataFromId($userid);
            $_USER = $userdata;
            if ($VERBOSE) {
                COM_errorLog('Got '.$_USER['username'].' for the username in user.php',1);
            }
        }
    }
The above code is taken from users.php @ lines 896-913. This bit of code is vulnerable to SQL Injection because it passes the $userid variable, whose value comes directly from a cookie, to the SESS_getUserDataFromId function located in lib-sessions.php @ lines 445-463. The $userid variable is never sanitized inside that function and is eventually used in a query. While our attention is on lib-sessions.php, let's take a look at the function SESS_sessionCheck(), which is called on nearly every page to check authentication.
    // The session cookie value is used directly as the session id
    $sessid = $_COOKIE[$_CONF['cookie_session']];
    if ($_SESS_VERBOSE) {
        COM_errorLog("got $sessid as the session id from lib-sessions.php",1);
    }
    // $sessid reaches a query inside this function without sanitization
    $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'],
                                        $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
    if ($_SESS_VERBOSE) {
        COM_errorLog("Got $userid as User ID from the session ID",1);
    }
The above code is taken from lib-sessions.php @ lines 98-107. As you can see, the unsanitized variable $sessid is passed to the SESS_getUserIdFromSession() function, where it will be used in a query. These SQL injection issues are very dangerous, because not only is SQL Injection possible, but SQL errors are written to error.log, which makes code execution via file inclusion very easy and reliable to exploit.
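The defensive counterpart to the two snippets above, as an added example that is not Geeklog's own code: the cookie-derived values are validated against a strict type (a positive integer for the user id, a fixed-format token for the session id) before they are used, and the lookup runs as a prepared statement rather than string concatenation. The mysqli connection $db, the table and column names (gl_users, uid, username) and the assumption that a session id is a 32-character hexadecimal token are all placeholders chosen for this example.

```php
<?php
// Added example (not Geeklog's code). Assumes a mysqli connection $db and a
// placeholder table gl_users(uid, username); the session-id format is assumed.

/**
 * Return the user id from the permanent-login cookie only if it is a plain
 * positive decimal integer; otherwise null. The raw cookie string never
 * reaches a query.
 */
function getPermCookieUserId(array $cookies, string $cookieName): ?int
{
    $raw = $cookies[$cookieName] ?? null;
    // ctype_digit() is false for '', for non-strings and for anything that is
    // not purely 0-9, so quotes, spaces and SQL metacharacters are rejected.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $uid = (int) $raw;
    return $uid > 0 ? $uid : null;
}

/**
 * Return the session id from its cookie only if it matches the expected
 * token shape (assumed here: 32 lowercase hex characters); otherwise null.
 */
function getSessionIdCookie(array $cookies, string $cookieName): ?string
{
    $raw = $cookies[$cookieName] ?? null;
    if (!is_string($raw) || preg_match('/^[0-9a-f]{32}$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Look the user up with a bound parameter. Even if validation above were
 * bypassed, the value is sent to the server as data, not as SQL text.
 */
function fetchUserById(mysqli $db, int $uid): ?array
{
    $stmt = $db->prepare('SELECT uid, username FROM gl_users WHERE uid = ?');
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage sketch, replacing the cookie handling quoted from users.php:
// $uid   = getPermCookieUserId($_COOKIE, $_CONF['cookie_name']);
// $_USER = ($uid !== null) ? fetchUserById($db, $uid) : null;
//
// And for lib-sessions.php: validate first, and only then look the session up.
// $sessid = getSessionIdCookie($_COOKIE, $_CONF['cookie_session']);
```

Rejecting malformed cookie values early (rather than escaping them) also gives operators a clean signal to log: a permanent-login cookie that is not a bare integer, or a session cookie that is not a well-formed token, never occurs in legitimate use and is worth recording as a tamper attempt.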
Arbitrary File Access:
There are a number of arbitrary file access vulnerabilities in Geeklog which can allow an attacker to read arbitrary files, include arbitrary files, and ultimately execute code on the underlying web server. In lib-common.php @ lines 245 through 275 we see a bit of code that allows an attacker to specify an arbitrary local directory. If that directory exists (e.g. /home/attacker/), an attacker would then be able to have certain files within that directory, for example "functions.php", included by Geeklog, and possibly execute arbitrary code. Also within lib-common.php is an even easier-to-exploit issue in the way Geeklog loads languages.
    // The language cookie value is concatenated straight into a file path;
    // is_file() only confirms the file exists, it does not restrict where it is
    if( isset( $_COOKIE[$_CONF['cookie_language']]) && empty( $_USER['language'] ))
    {
        if( is_file( $_CONF['path_language'] . $_COOKIE[$_CONF['cookie_language']] . '.php' ))
        {
            $_USER['language'] = $_COOKIE[$_CONF['cookie_language']];
            $_CONF['language'] = $_COOKIE[$_CONF['cookie_language']];
        }
    }
    else if( !empty( $_USER['language'] ))
    {
        if( is_file( $_CONF['path_language'] . $_USER['language'] . '.php' ))
        {
            $_CONF['language'] = $_USER['language'];
        }
    }
The above code is taken from lib-common.php @ lines 298-312 and shows that any file on the local server can be loaded, since the cookie value is only checked with is_file() before being used in the include path. If an attacker uses the previously mentioned SQL Injection issues to create an error that includes PHP code, they can have that code included and executed simply by specifying the relative path to error.log in the cookie's language parameter.
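A hardened replacement for the language-selection logic above, as an added example that is not Geeklog's own code. Instead of concatenating the cookie value into a path and testing is_file(), the value must match a strict character class, the resolved path must lie directly inside the language directory, and the name must appear in an allowlist built from the files actually shipped there. The function name resolveLanguage and its parameters are chosen for this example; the "one <name>.php per language" layout follows the quoted code.

```php
<?php
// Added example (not Geeklog's code). $langDir corresponds to
// $_CONF['path_language']; $cookieValue is the raw language cookie, if any.

/**
 * Return the language name if it names one of the language files shipped in
 * $langDir, otherwise null. The cookie value is never used to build a path
 * until it has passed a strict character-class check, and the resulting file
 * must be confirmed to live directly inside $langDir.
 */
function resolveLanguage(string $langDir, $cookieValue): ?string
{
    // 1. Type and character-class check: only letters, digits, '_' and '-'.
    //    '..', '/', '\', null bytes and absolute paths are rejected outright,
    //    so a relative path to a log file cannot get past this point.
    if (!is_string($cookieValue)
        || preg_match('/^[a-zA-Z0-9_-]{1,40}$/', $cookieValue) !== 1) {
        return null;
    }

    // 2. Canonicalise both the base directory and the candidate file.
    //    realpath() returns false if either does not exist.
    $base      = realpath($langDir);
    $candidate = realpath($langDir . DIRECTORY_SEPARATOR . $cookieValue . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Containment check: the resolved file's parent must be exactly the
    //    language directory. This also defeats symlinks pointing elsewhere.
    if (dirname($candidate) !== $base) {
        return null;
    }

    // 4. Allowlist check against the language files that actually exist, so
    //    the accepted set is "what the installation ships", nothing else.
    $allowed = [];
    foreach (glob($base . DIRECTORY_SEPARATOR . '*.php') ?: [] as $file) {
        $allowed[] = basename($file, '.php');
    }
    return in_array($cookieValue, $allowed, true) ? $cookieValue : null;
}

// Usage, replacing the quoted block from lib-common.php:
// $lang = resolveLanguage($_CONF['path_language'],
//                         $_COOKIE[$_CONF['cookie_language']] ?? null);
// if ($lang !== null) {
//     $_USER['language'] = $lang;
//     $_CONF['language'] = $lang;
// }
// On null, fall back to the configured default language and log the rejected value.
```

Step 1 alone closes the path shown in the advisory, since a path separator can never pass the character class; steps 2 to 4 are there so that the check still holds if the character class is later relaxed or the directory layout changes. The same pattern applies to the directory-selection code the advisory mentions at lines 245 through 275: resolve, confine to the expected parent, then compare against a fixed set.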
Solution:
Special thanks to Dirk Haun for a very prompt reply and resolution of these very serious issues. New versions of Geeklog have been released, and users should upgrade as soon as possible.
Credits:
James Bercegay of the GulfTech Security Research Team