==========================================
Geeklog 1.7.1 <= Cross Site Scripting Vulnerability
==========================================
1. OVERVIEW
Geeklog is vulnerable to Cross Site Scripting in its administration
backend.
2. BACKGROUND
Geeklog is a PHP/MySQL based application for managing dynamic web content.
"Out of the box", it is a blog engine, or a CMS with support for comments,
trackbacks, multiple syndication formats, spam protection, and all the other
vital features of such a system.
3. VULNERABILITY DESCRIPTION
User supplied input is not properly sanitized in the "subgroup" and
"conf_group" parameters when the configuration settings are saved in
/admin/configuration.php.
Attackers who manage to obtain or bypass the anti-CSRF token (_glsectoken)
via other means can effectively perform XSS against admin users.
4. VERSIONS AFFECTED
1.7.1 and lower
5. PROOF-OF-CONCEPT/EXPLOIT
[Request]
POST /geeklog/admin/configuration.php HTTP/1.1
_glsectoken=&conf_group=Core'"--></script><script>alert(/XSS/)</script>&subgroup='"--></script><script>alert(/XSS/)</script>
[/Request]
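The following is an added illustration, not Geeklog's own code: it shows the general pattern behind the flaw (a request parameter echoed unencoded into HTML) next to a hardened version that encodes for the attribute context. The function names and the hidden-input markup are hypothetical; the sample value is constructed from the payload shape in the PoC above.

```php
<?php
// Added example (not Geeklog code): unsafe rendering beside its hardened form.
// Function names and markup are hypothetical.

// Vulnerable pattern: the parameter is concatenated straight into markup, so a
// value containing quotes or a closing </script> tag escapes the attribute or
// script context it was placed in.
function render_group_unsafe(string $confGroup): string
{
    return '<input type="hidden" name="conf_group" value="' . $confGroup . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES covers
// both ' and ", so the value cannot terminate the attribute; < and > are
// encoded too, so "</script>" cannot close a surrounding script block.
function render_group_safe(string $confGroup): string
{
    $enc = htmlspecialchars($confGroup, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="conf_group" value="' . $enc . '">';
}

// Constructed sample input, shaped like the advisory's PoC value.
$sample = "Core'\"--></script><script>alert(/XSS/)</script>";

echo "unsafe: " . render_group_unsafe($sample) . "\n";
echo "safe:   " . render_group_safe($sample) . "\n";

// Regression check: the hardened output must not carry a raw <script> tag and
// must contain the fully encoded value.
$safe    = render_group_safe($sample);
$encoded = htmlspecialchars($sample, ENT_QUOTES | ENT_HTML5, 'UTF-8');
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, $encoded) !== false);
```

Run with `php example.php`. The anti-CSRF token check should remain the first gate on this request, but as the referenced articles show, a token alone is not a substitute for output encoding; the encoding is what removes the XSS regardless of how the request reached the handler.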
6. SOLUTION
Upgrade to 1.7.1sr1
7. VENDOR
Geeklog Development Team
http://www.geeklog.net/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-31: notified vendor
2011-01-02: vendor released fixed version
2011-01-04: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[geeklog1.7.1]_cross_site_scripting
Vendor Advisory: http://www.geeklog.net/article.php/geeklog-1.7.1sr1
About Geeklog: http://www.geeklog.net/docs/english/#introduction
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html
#yehg [2011-01-04]
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd