by r0t,der4444,cembo,VietMafia

Monday, November 28, 2005

Geeklog 1.4.x Full Path Disclosure vuln.

Vuln. discovered by: r0t
Date: 28 Nov. 2005
Vendor: http://www.geeklog.net/
Affected version: 1.4.0 Beta 1 and prior

Product Description:
Geeklog is a Web Portal System for any webmaster. Set it up as a storytelling software, News system, online community or whatever you want your site to be. Each user can submit comments to discuss the articles, similar to Slashdot, only faster and more secure. Features: web based admin, surveys, top page and access stats, user customizable box, friendly admin GUI, option to edit or delete stories, moderation system, customizable HTML blocks, user password encryption and retrieval, search engine, backend/headlines generation, and more. Written 100% in PHP, requires Apache, PHP and MySQL. The over-riding development philosophy for the software is performance, privacy and security.

Vuln. description:
Input passed to the "datestart" and "dateend" parameters in "search.php" isn't properly sanitised before being used in a SQL query. This may be exploited by attackers to determine the installation path and maybe more :)

example:
/search.php?query=&keyType=phrase&datestart=%3Cscript%3Er0t&dateend=%3Cscript%3Er0t&topic=0&type=all&author=0&results=10&mode=search

Solution:
Edit the source code to ensure that input is properly sanitised.
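The unsafe pattern described above next to a hardened version, as an added example that is not Geeklog's own code; the table and column names and the PDO connection are assumptions.

```php
<?php
// Added illustration, not Geeklog's own code: the unsafe pattern the
// advisory describes next to a hardened version. Table/column names and
// the PDO connection are assumptions.

// Unsafe: datestart/dateend are pasted into the SQL text. A malformed
// value breaks the query, and if PHP warnings are shown to the browser
// the message typically carries the absolute script path (the full
// path disclosure the advisory reports).
function searchUnsafe(PDO $db, array $get): array
{
    $sql = "SELECT sid, title FROM stories WHERE date >= '{$get['datestart']}'"
         . " AND date <= '{$get['dateend']}'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a real YYYY-MM-DD calendar date.
function parseSearchDate(?string $raw, string $name): string
{
    if (!is_string($raw)
        || !preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $raw, $m)
        || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        throw new InvalidArgumentException("$name must be a valid YYYY-MM-DD date");
    }
    return $raw;
}

function searchHardened(PDO $db, array $get): array
{
    $start = parseSearchDate($get['datestart'] ?? null, 'datestart');
    $end   = parseSearchDate($get['dateend'] ?? null, 'dateend');
    // Bound values are sent separately from the query text.
    $stmt = $db->prepare(
        'SELECT sid, title FROM stories WHERE date BETWEEN :start AND :end');
    $stmt->execute([':start' => $start, ':end' => $end]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request resembling the advisory's example: a non-date in
// datestart. The client gets a generic error; detail goes to the server
// log only, so no path reaches the browser.
$get = ['datestart' => '<script>r0t', 'dateend' => '2005-11-28'];
try {
    parseSearchDate($get['datestart'], 'datestart');
} catch (InvalidArgumentException $e) {
    error_log($e->getMessage());
    http_response_code(400);
    echo "Invalid search parameters.\n";
}
```

Keeping display_errors off in production closes the disclosure channel even where a query does break.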

2 Comments:

Blogger THEMike told...

This issue is now fixed in CVS, and will be included in any future geeklog releases.

In future, could we please ask that you inform us of any security risks prior to publishing to give us a chance to assess the risk and at least start work on patching any security hole?

Details on our preferred process are here.

FYI, it was not possible to exploit further than full path disclosure with this security issue.

8:21 PM

 
Blogger r0t told...

I can't 100% decide if it can be exploited beyond full path disclosure, I had spent 3 minutes for your blog...
It's nice to hear that you have fixed that bug.

1:00 AM

 


 
Copyright (c) 2006 Pridels Sec Crew