Re: Geeklog Multiple Versions Vulnerabilities
I would like to note that this disclosure was released with NO attempt made
to contact the Authors before hand.
-----
Chris Kulish
Systems Engineer
ING Advisors Network
chris.kulish@xxxxxxxxxx
Ph. 515.698.7583
Fx. 515.698.3583
"There's more to living than only surviving"
"Maybe I'm not there, but I'm still trying"
-- The Offspring
-----
"Lorenzo
Hernandez To: Bugtraq
<bugtraq@xxxxxxxxxxxxxxxxx>
Garcia-Hierro" cc:
full-disclosure@xxxxxxxxxxxxxxxx, SecurityTracker
<novappc@novappc. <bugs@xxxxxxxxxxxxxxxxxxx>,
(bcc: Chris Kulish/BDN/ING-FSI-NA)
com> Subject: Re: Geeklog Multiple
Versions Vulnerabilities
09/28/2003 06:10
AM
Geeklog Multiple Versions Vulnerabilities
------
PRODUCT: Geeklog
VENDOR: Geeklog
VULNERABLE VERSIONS:
- 2.x ( TESTED ) (T.I.N.P)
- 1.x ( TESTED ) (T.I.N.P)
- And older versions possible affected too.
NO VULNERABLE VERSIONS
- ?
---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:
---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------
I found XSS and SQL Injection vulnerabilities in the Geeklog
Content Management System.
The XSS can be used for stole authentication data and cookies, and , in
some
conditions you can deface the website homepage.
The SQL Injections can be used for hack the backend database and
modify/read/delete/stole data in the backend database.
I found some security holes ( miscelaneous ).
---------
| XSS |
---------
I found XSS holes:
You can send code to the Shoutbox system for be displayed... IN THE HOME
PAGE !!!
This is the most important bug that i discovered in geeklog because any
user
( not authenticated )
can send messages to shoutbox and these messages will be displayed in the
home page of the cms in a block.
-
Proof of Concept:
-
insert your code into the text box under the shoutbox block and press Shout
it ! thats all.
Another XSS:
http://[TARGET]/faqman/index.php?op=view&t=518">[XSS ATTACK CODE]
http://[TARGET]/filemgmt/brokenfile.php?lid=17'/%22%3[XSS ATTACK CODE]
Its very possible that other files using lid variable are vulnerable to
this
and SQL Injection attacks.
------------------
| SQL INJECTIONS |
------------------
I found some SQL injections :
http://[TARGET]/index.php?topic=te'st/[SQL INJECTION CODE]
http://[TARGET]/forum/viewtopic.php?forum=1&showtopic=1'0/[SQL INJECTION
CODE]
http://[TARGET]/staticpages/index.php?page=test'test/[SQL INJECTION CODE]
http://[TARGET]/filemgmt/visit.php?lid=1'1'0/[SQL INJECTION CODE]
http://[TARGET]/filemgmt/viewcat.php?cid='6/[SQL INJECTION CODE]
http://[TARGET]/comment.php?type=filemgmt&cid=filemgmt-1'70/[SQL INJECTION
CODE]
http://[TARGET]/comment.php?mode=display&sid=filemgmt-XXX&title=[SQL
INJECTION CODE]
http://[TARGET]/filemgmt/singlefile.php?lid=17'/0/[SQL INJECTION CODE]
With this you can perform malformed sql queries for access privileged
information such as passwords ( md5 hashes ),
email addresses...
---------------
| MISCELANEoUS|
---------------
_____________
IP Detection ->
_____________
Geeklog only detects ips in front of a proxy , if you are
behind a proxy , geeklog's logs , scripts will be logging the proxy ip.
This can be patched by using HTTP_X_FORWARDED_FOR detection like:
<?php
/* ------------------------
/ Geeklog possible Hard IP
/ Detection System.
/ Use seeyou() instead of
/ declaring other ip variables.
/ ------------------------
/ by Lorenzo Hernandez G-H
/ ------------------------
*/ ________________________
function seeyou()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),
"unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") &&
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),
"unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}
/*-------seeyou()-------*/
/* <<EOF */
// ;-)
// dedicado a Pocholo
// Poxolo for president !
// FIEEEESSSSSSSSTAAAAAAAA
?>
and calling it from the main ip variable like:
$ip = seeyou();
________________________
Automatic IP Blocking ->
________________________
I'm suggesting this to the Geeklog development team .
Instead of logging facilities use a proactive system for deny ips of
attackers in real time.
I explain it:
An attacker checks those SQL Injection vulnerabilities.
Uses on or more possible bugs and the system adds this attempts to the
database:
-KIDDIE->
- IP -> uses seeyou() routine for detection
- ATTEMPTS -> COUNT-
|_> IF THIS IS x ( F.EX. 3) go to the block
routine ------
-------------------------------------------------------------------------
----|
|> Blocking routine:
- a file ( F.EX. blockthatsh*t.php )
|________________________________|
|
|
|> This adds an entry to another php
file that is
included in the common lib that is
loaded with
all the scripts with:
include
("blocked-sh*ts");
|________________________|
|
blocked-sh*ts.php source :
<|
<?
/* No Secure Root Group Security Research
/ By Lorenzo Hernandez Garcia-Hierro
/ This is part of the Security Application Server ( unreleased ) by
/ Lorenzo Hernandez Garcia-Hierro
/ ---- Licensed under GPL ----
*/
$denyip = array("202.108.250.",
"200.147.47.97",
"148.221.148.38",
"80.117.13.97",
"212.142.214.63",
"213.97.249.145"
);
/* IP Detection
// ----------------------
// EXPERIMENTAL IN THIS SCRIPT
// THIS WILL BLOCK IPs USING
// THE "HARD DETECTION ROUTINE
// AND MATCHING THE denyip ARRAY
// -----------------------
function seeyou()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),
"unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") &&
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),
"unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}
// -------------------------
// -------END seeyou()-------*/
// For use only with seeyou() routine
// $ip = echoIP();
// Under this you don't need to change nothing.
// ----------------------------------------------
$ip = $_SERVER['REMOTE_ADDR']; // if you want seeyou() routine comment this
and uncomment the another one
$blockmsg = array('<h1>Access Blocked</h1><br><br>Your Internet Address was
blocked in our servers due to incorrect use or improper actions in the
servers , if you attempt to access again thi servers , your ISP will be
adviced about you.BlockedIPs are: <br><br>'."$denyip".'<br><br>Take care
for
be out of this list.Shits smell bad.');
// Nothing to change below this line ------------------
$x = count($denyip);
for ($y = 0; $y < $x; $y++) {
if ($ip == $denyip[$y]) {
exit($blockmsg[$y]);
}
}
?>
And thats all , you need to perform a script for write in the correct form
the ips for block .
I called this sytem Blahsh*t Guard.
This is part of my ( unreleased ) whitepaper "uwahck" :
"Using Vulnerable Web Applications for HaCK into Servers " .
<<EOF
---------------
| CONCLUSIONS |
---------------
Geeklog doesn't have an input validation system and you can send
malicious data to the target geeklog installation.
This can be used by attackers for do extremely bad actions in the target
actions.
Geeklog core and modules are completly vulnerable to XSS attacks and SQL
Injection.
Definately Geeklog is not a Geek product ;-) .
for the development team and people going to use the Blahsh*t Guard:
The code is fully experimental and this one of the reasons of SAServer
unreleased.
Send Suggestions to me or join the project trough http://sas.novappc.com .
Greetings to:
0x00-Pocholo , hey , be president , cag_at_(dieresis)_at>en la *st*a ! .
0x02-rkc - no se ni pa que - ahi va ;-).
0x03-CqC Que le den a telecinco , Berlusconi y demás individuos de sci-fi.
0x04-A la chofa , por su musica "angelica" , pobrecilla , con ese bichejo
en
medio...
0x05-a mrs nadie por su excelente trabajo.
NOTE: This is the first time that i write greetings but i want to do it
more
, it is excelent for
the spanish poxo-family.
-----------
| CONTACT |
-----------
------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
--- Security Consultant ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://security.novappc.com
______________________