Geeklog 1.7.1 <= Cross Site Scripting Vulnerability

2011-01-03T00:00:00

Description

========================================== Geeklog 1.7.1 <= Cross Site Scripting Vulnerability ========================================== 1. OVERVIEW The Geeklog was vulnerable to Cross Site Scripting in its administration backend. 2. BACKGROUND Geeklog is a PHP/MySQL based application for managing dynamic web content. "Out of the box", it is a blog engine, or a CMS with support for comments, trackbacks, multiple syndication formats, spam protection, and all the other vital features of such a system. 3. VULNERABILITY DESCRIPTION User supplied input is not probably sanitized in the "subgroup" and "conf_group" parameters when the configuration settings are saved in /admin/configuration.php. Attackers who manage to get/bypass anti-csrf token (_glsectoken) via other means can effectively perform XSS against admin users. 4. VERSIONS AFFECTED 1.7.1 and lower 5. PROOF-OF-CONCEPT/EXPLOIT [Request] POST /geeklog/admin/configuration.php HTTP/1.1 _glsectoken=&conf_group=Core'"--></script><script>alert(/XSS/)</script>&subgroup='"--></script><script>alert(/XSS/)</script> [/Request] 6. SOLUTION Upgrade to 1.7.1sr1 7. VENDOR Geeklog Development Team http://www.geeklog.net/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2010-12-31: notified vendor 2011-01-02: vendor released fixed version 2011-01-04: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[geeklog1.7.1]_cross_site_scripting Vendor Advisory: http://www.geeklog.net/article.php/geeklog-1.7.1sr1 About Geeklog: http://www.geeklog.net/docs/english/#introduction http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/ http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html #yehg [2011-01-04] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd

{"id": "SECURITYVULNS:DOC:25435", "bulletinFamily": "software", "title": "Geeklog 1.7.1 <= Cross Site Scripting Vulnerability", "description": "==========================================\r\n Geeklog 1.7.1 <= Cross Site Scripting Vulnerability\r\n==========================================\r\n\r\n\r\n1. OVERVIEW\r\n\r\nThe Geeklog was vulnerable to Cross Site Scripting in its administration\r\nbackend.\r\n\r\n\r\n2. BACKGROUND\r\n\r\nGeeklog is a PHP/MySQL based application for managing dynamic web content.\r\n"Out of the box", it is a blog engine, or a CMS with support for comments,\r\ntrackbacks,\r\nmultiple syndication formats, spam protection, and all the other vital\r\nfeatures of such a system.\r\n\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nUser supplied input is not probably sanitized in the "subgroup" and\r\n"conf_group"\r\nparameters when the configuration settings are saved in\r\n/admin/configuration.php.\r\nAttackers who manage to get/bypass anti-csrf token (_glsectoken) via other\r\nmeans can effectively perform XSS against admin users.\r\n\r\n\r\n4. VERSIONS AFFECTED\r\n\r\n1.7.1 and lower\r\n\r\n\r\n5. PROOF-OF-CONCEPT/EXPLOIT\r\n\r\n[Request]\r\n\r\nPOST /geeklog/admin/configuration.php HTTP/1.1\r\n\r\n_glsectoken=&conf_group=Core'"--></script><script>alert(/XSS/)</script>&subgroup='"--></script><script>alert(/XSS/)</script>\r\n\r\n[/Request]\r\n\r\n\r\n6. SOLUTION\r\n\r\nUpgrade to 1.7.1sr1\r\n\r\n\r\n7. VENDOR\r\n\r\nGeeklog Development Team\r\nhttp://www.geeklog.net/\r\n\r\n\r\n8. CREDIT\r\n\r\nThis vulnerability was discovered by Aung Khant, http://yehg.net, YGN\r\nEthical Hacker Group, Myanmar.\r\n\r\n\r\n9. DISCLOSURE TIME-LINE\r\n\r\n2010-12-31: notified vendor\r\n2011-01-02: vendor released fixed version\r\n2011-01-04: vulnerability disclosed\r\n\r\n\r\n10. REFERENCES\r\n\r\nOriginal Advisory URL:\r\nhttp://yehg.net/lab/pr0js/advisories/[geeklog1.7.1]_cross_site_scripting\r\nVendor Advisory: http://www.geeklog.net/article.php/geeklog-1.7.1sr1\r\nAbout Geeklog: http://www.geeklog.net/docs/english/#introduction\r\nhttp://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/\r\nhttp://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html\r\n\r\n#yehg [2011-01-04]\r\n\r\n---------------------------------\r\nBest regards,\r\nYGN Ethical Hacker Group\r\nYangon, Myanmar\r\nhttp://yehg.net\r\nOur Lab | http://yehg.net/lab\r\nOur Directory | http://yehg.net/hwd", "published": "2011-01-03T00:00:00", "modified": "2011-01-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25435", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:38", "edition": 1, "viewCount": 11, "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11328"]}]}, "exploitation": null, "vulnersScore": 0.7}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

Geeklog 1.7.1 &lt;= Cross Site Scripting Vulnerability

Description

Geeklog 1.7.1 <= Cross Site Scripting Vulnerability