geeklog2.txt

`Geeklog Multiple Versions Vulnerabilities  
------  
PRODUCT: Geeklog  
VENDOR: Geeklog  
VULNERABLE VERSIONS:  
  
- 2.x ( TESTED ) (T.I.N.P)  
- 1.x ( TESTED ) (T.I.N.P)  
- And older versions possible affected too.  
  
NO VULNERABLE VERSIONS  
  
- ?  
  
---------------------  
N.TED = Not Tested in a Real Site / Production Site  
T.I.N.P = Tested in Non Production Environment  
____________  
Description:  
  
  
  
---------------------------------------------  
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|  
---------------------------------------------  
  
I found XSS and SQL Injection vulnerabilities in the Geeklog  
Content Management System.  
The XSS can be used for stole authentication data and cookies, and , in some  
conditions you can deface the website homepage.  
The SQL Injections can be used for hack the backend database and  
modify/read/delete/stole data in the backend database.  
I found some security holes ( miscelaneous ).  
---------  
| XSS |  
---------  
I found XSS holes:  
You can send code to the Shoutbox system for be displayed... IN THE HOME  
PAGE !!!  
This is the most important bug that i discovered in geeklog because any user  
( not authenticated )  
can send messages to shoutbox and these messages will be displayed in the  
home page of the cms in a block.  
-  
Proof of Concept:  
-  
insert your code into the text box under the shoutbox block and press Shout  
it ! thats all.  
  
Another XSS:  
  
http://[TARGET]/faqman/index.php?op=view&t=518">[XSS ATTACK CODE]  
  
http://[TARGET]/filemgmt/brokenfile.php?lid=17'/%22%3[XSS ATTACK CODE]  
  
Its very possible that other files using lid variable are vulnerable to this  
and SQL Injection attacks.  
  
------------------  
| SQL INJECTIONS |  
------------------  
  
I found some SQL injections :  
  
http://[TARGET]/index.php?topic=te'st/[SQL INJECTION CODE]  
  
http://[TARGET]/forum/viewtopic.php?forum=1&showtopic=1'0/[SQL INJECTION  
CODE]  
  
http://[TARGET]/staticpages/index.php?page=test'test/[SQL INJECTION CODE]  
  
http://[TARGET]/filemgmt/visit.php?lid=1'1'0/[SQL INJECTION CODE]  
  
http://[TARGET]/filemgmt/viewcat.php?cid='6/[SQL INJECTION CODE]  
  
http://[TARGET]/comment.php?type=filemgmt&cid=filemgmt-1'70/[SQL INJECTION  
CODE]  
  
http://[TARGET]/comment.php?mode=display&sid=filemgmt-XXX&title=[SQL  
INJECTION CODE]  
  
http://[TARGET]/filemgmt/singlefile.php?lid=17'/0/[SQL INJECTION CODE]  
  
With this you can perform malformed sql queries for access privileged  
information such as passwords ( md5 hashes ),  
email addresses...  
  
  
---------------  
| MISCELANEoUS|  
---------------  
_____________  
IP Detection ->  
_____________  
  
Geeklog only detects ips in front of a proxy , if you are  
behind a proxy , geeklog's logs , scripts will be logging the proxy ip.  
This can be patched by using HTTP_X_FORWARDED_FOR detection like:  
  
<?php  
  
/* ------------------------  
/ Geeklog possible Hard IP  
/ Detection System.  
/ Use seeyou() instead of  
/ declaring other ip variables.  
/ ------------------------  
/ by Lorenzo Hernandez G-H  
/ ------------------------  
*/ ________________________  
  
function seeyou()  
{  
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),  
"unknown"))  
$ip = getenv("HTTP_CLIENT_IP");  
else if (getenv("HTTP_X_FORWARDED_FOR") &&  
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))  
$ip = getenv("HTTP_X_FORWARDED_FOR");  
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),  
"unknown"))  
$ip = getenv("REMOTE_ADDR");  
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']  
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))  
$ip = $_SERVER['REMOTE_ADDR'];  
else  
$ip = "unknown";  
return($ip);  
}  
  
/*-------seeyou()-------*/  
/* <<EOF */  
// ;-)  
// dedicado a Pocholo  
// Poxolo for president !  
// FIEEEESSSSSSSSTAAAAAAAA  
  
?>  
  
and calling it from the main ip variable like:  
  
$ip = seeyou();  
  
________________________  
Automatic IP Blocking ->  
________________________  
  
I'm suggesting this to the Geeklog development team .  
Instead of logging facilities use a proactive system for deny ips of  
attackers in real time.  
I explain it:  
  
An attacker checks those SQL Injection vulnerabilities.  
Uses on or more possible bugs and the system adds this attempts to the  
database:  
  
-KIDDIE->  
- IP -> uses seeyou() routine for detection  
- ATTEMPTS -> COUNT-  
|_> IF THIS IS x ( F.EX. 3) go to the block  
routine ------  
-------------------------------------------------------------------------  
----|  
|> Blocking routine:  
- a file ( F.EX. blockthatsh*t.php )  
|________________________________|  
|  
|  
|> This adds an entry to another php  
file that is  
included in the common lib that is  
loaded with  
all the scripts with:  
include  
("blocked-sh*ts");  
  
|________________________|  
|  
blocked-sh*ts.php source : <|  
  
  
<?  
/* No Secure Root Group Security Research  
/ By Lorenzo Hernandez Garcia-Hierro  
/ This is part of the Security Application Server ( unreleased ) by  
/ Lorenzo Hernandez Garcia-Hierro  
/ ---- Licensed under GPL ----  
*/  
  
$denyip = array("202.108.250.",  
"200.147.47.97",  
"148.221.148.38",  
"80.117.13.97",  
"212.142.214.63",  
"213.97.249.145"  
);  
  
/* IP Detection  
// ----------------------  
// EXPERIMENTAL IN THIS SCRIPT  
// THIS WILL BLOCK IPs USING  
// THE "HARD DETECTION ROUTINE  
// AND MATCHING THE denyip ARRAY  
// -----------------------  
  
function seeyou()  
{  
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),  
"unknown"))  
$ip = getenv("HTTP_CLIENT_IP");  
else if (getenv("HTTP_X_FORWARDED_FOR") &&  
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))  
$ip = getenv("HTTP_X_FORWARDED_FOR");  
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),  
"unknown"))  
$ip = getenv("REMOTE_ADDR");  
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']  
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))  
$ip = $_SERVER['REMOTE_ADDR'];  
else  
$ip = "unknown";  
return($ip);  
}  
  
// -------------------------  
// -------END seeyou()-------*/  
  
// For use only with seeyou() routine  
  
// $ip = echoIP();  
  
// Under this you don't need to change nothing.  
// ----------------------------------------------  
  
$ip = $_SERVER['REMOTE_ADDR']; // if you want seeyou() routine comment this  
and uncomment the another one  
  
$blockmsg = array('<h1>Access Blocked</h1><br><br>Your Internet Address was  
blocked in our servers due to incorrect use or improper actions in the  
servers , if you attempt to access again thi servers , your ISP will be  
adviced about you.BlockedIPs are: <br><br>'."$denyip".'<br><br>Take care for  
be out of this list.Shits smell bad.');  
  
// Nothing to change below this line ------------------  
  
$x = count($denyip);  
  
for ($y = 0; $y < $x; $y++) {  
if ($ip == $denyip[$y]) {  
exit($blockmsg[$y]);  
}  
}  
  
?>  
  
And thats all , you need to perform a script for write in the correct form  
the ips for block .  
  
I called this sytem Blahsh*t Guard.  
  
This is part of my ( unreleased ) whitepaper "uwahck" :  
  
"Using Vulnerable Web Applications for HaCK into Servers " .  
  
<<EOF  
  
---------------  
| CONCLUSIONS |  
---------------  
  
Geeklog doesn't have an input validation system and you can send  
malicious data to the target geeklog installation.  
This can be used by attackers for do extremely bad actions in the target  
actions.  
Geeklog core and modules are completly vulnerable to XSS attacks and SQL  
Injection.  
Definately Geeklog is not a Geek product ;-) .  
  
for the development team and people going to use the Blahsh*t Guard:  
  
The code is fully experimental and this one of the reasons of SAServer  
unreleased.  
  
Send Suggestions to me or join the project trough http://sas.novappc.com .  
  
Greetings to:  
  
0x00-Pocholo , hey , be president , cag_at_(dieresis)_at>en la *st*a ! .  
0x02-rkc - no se ni pa que - ahi va ;-).  
0x03-CqC Que le den a telecinco , Berlusconi y demás individuos de sci-fi.  
0x04-A la chofa , por su musica "angelica" , pobrecilla , con ese bichejo en  
medio...  
0x05-a mrs nadie por su excelente trabajo.  
  
NOTE: This is the first time that i write greetings but i want to do it more  
, it is excelent for  
the spanish poxo-family.  
  
-----------  
| CONTACT |  
-----------  
------------------------------------------------------  
Lorenzo Hernandez Garcia-Hierro  
--- Security Consultant ---  
------------------NSRGroup-------------------  
PGP: Keyfingerprint  
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2  
ID: 0x9C38E1D7  
**********************************  
NSRGroup  
( No Secure Root Group Security Research Team ) /  
( NovaPPC Security Research Group )  
http://security.novappc.com  
______________________  
  
`