Geeklog 1.7.1 Cross Site Scripting

2011-01-03T00:00:00
ID PACKETSTORM:97221
Type packetstorm
Reporter Aung Khant
Modified 2011-01-03T00:00:00

Description

                                        
                                            `=========================================================  
Geeklog 1.7.1 <= Cross Site Scripting Vulnerability  
=========================================================  
  
  
1. OVERVIEW  
  
The Geeklog was vulnerable to Cross Site Scripting in its  
administration backend.  
  
  
2. BACKGROUND  
  
Geeklog is a PHP/MySQL based application for managing dynamic web content.  
"Out of the box", it is a blog engine, or a CMS with support for  
comments, trackbacks,  
multiple syndication formats, spam protection, and all the other vital  
features of such a system.  
  
  
3. VULNERABILITY DESCRIPTION  
  
User supplied input is not probably sanitized in the "subgroup" and "conf_group"  
parameters when the configuration settings are saved in  
/admin/configuration.php.  
Attackers who manage to get/bypass anti-csrf token (_glsectoken) via  
other means can effectively perform XSS against admin users.  
  
  
4. VERSIONS AFFECTED  
  
1.7.1 and lower  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
[Request]  
  
POST /geeklog/admin/configuration.php HTTP/1.1  
  
_glsectoken=&conf_group=Core'"--></script><script>alert(/XSS/)</script>&subgroup='"--></script><script>alert(/XSS/)</script>  
  
[/Request]  
  
  
6. SOLUTION  
  
Upgrade to 1.7.1sr1  
  
  
7. VENDOR  
  
Geeklog Development Team  
http://www.geeklog.net/  
  
  
8. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2010-12-31: notified vendor  
2011-01-02: vendor released fixed version  
2011-01-04: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/[geeklog1.7.1]_cross_site_scripting  
Vendor Advisory: http://www.geeklog.net/article.php/geeklog-1.7.1sr1  
About Geeklog: http://www.geeklog.net/docs/english/#introduction  
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/  
http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html  
  
#yehg [2011-01-04]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
`