Geeklog The Ultimate Weblog System

Fix your Shoutbox!

Security

As you may have seen, someone messed up the layout of the site yesterday by posting some HTML in the shoutbox. The shoutbox code doesn't filter HTML from submitted shouts at all, which is, of course, a glaring omission.

So if you have the shoutbox installed on your site, you should fix it by adding a call to strip_tags in the following two lines:

$shout_name = COM_checkWords (strip_tags ($HTTP_POST_VARS["shout_name"]));
$shout_message = COM_checkWords (strip_tags ($HTTP_POST_VARS["shout_message"]));

The shoutbox code linked from the original announcement of the shoutbox has been fixed accordingly.

bye, Dirk
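As an added illustration (editor's example, not the shoutbox plugin's or Geeklog's code): the two lines before and after the fix, plus the step the story leaves implicit, escaping on output. strip_tags() removes markup, but a value that contains no tag at all, such as `" onmouseover="alert(1)`, passes through it unchanged and is still dangerous if the block template later places the name inside an HTML attribute; htmlspecialchars() with ENT_QUOTES at render time covers that case as well. The shout_name and shout_message parameter names and the COM_checkWords call are the page's; the render functions, the attribute-context template and the sample shout are assumptions made for the demonstration.

```php
<?php
// Added example: what the strip_tags fix does and does not cover. Editor's
// code, not the shoutbox plugin's; COM_checkWords() is Geeklog's word filter
// and is stubbed as an identity function so the script runs stand-alone.
function COM_checkWords($s) { return $s; }

// Before the fix: the posted values are stored exactly as sent.
function shout_vulnerable(array $post): array {
    $name    = COM_checkWords($post['shout_name']);
    $message = COM_checkWords($post['shout_message']);
    return [$name, $message];
}

// The fix from the story: markup is stripped before the values are stored.
function shout_fixed(array $post): array {
    $name    = COM_checkWords(strip_tags($post['shout_name']));
    $message = COM_checkWords(strip_tags($post['shout_message']));
    return [$name, $message];
}

// Hypothetical block template: the name lands in an attribute, the message in
// element content. render_unescaped() trusts stored data; render_escaped()
// encodes at output time, which holds no matter how the value got stored.
function render_unescaped(string $name, string $message): string {
    return '<div class="shout" title="' . $name . '">' . $message . '</div>';
}
function render_escaped(string $name, string $message): string {
    $e = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    return '<div class="shout" title="' . $e($name) . '">' . $e($message) . '</div>';
}

// Constructed sample shout: a script element in the message (the kind of
// markup that broke the site layout) and a tag-less attribute breakout in
// the name, which contains no '<' for strip_tags to act on.
$post = [
    'shout_name'    => 'bob" onmouseover="alert(1)',
    'shout_message' => '<script>alert(document.cookie)</script>hi',
];

// 1. No filtering: the script element is echoed into the page as-is.
[$name, $message] = shout_vulnerable($post);
echo render_unescaped($name, $message), "\n";

// 2. strip_tags only: the script element is gone, but the name still closes
//    the title attribute and adds an onmouseover handler.
[$name, $message] = shout_fixed($post);
echo render_unescaped($name, $message), "\n";

// 3. strip_tags on input plus htmlspecialchars on output: the quote in the
//    name becomes &quot; and stays inside the attribute value.
echo render_escaped($name, $message), "\n";
```

Run it with the php CLI; the three echoed lines are the raw, strip_tags-only and escaped renderings of the same shout. The practical check for anyone patching a shoutbox: keep the strip_tags call from the story, and also make the block template escape with htmlspecialchars, so that a value which survives the input filter still cannot change the markup.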

Fix your Shoutbox! | 7 comments
Fix your Shoutbox!
Authored by: Anonymous on Sunday, September 28 2003 @ 08:47 AM EDT
From: Lorenzo Hernandez Garcia-Hierro <security@novappc.com>
To: Bugtraq <bugtraq@securityfocus.com>
Cc: full-disclosure@lists.netsys.com, SecurityTracker <bugs@securitytracker.com>
Subject: [Full-Disclosure] Geeklog Multiple Versions Vulnerabilities
Date: Sat, 27 Sep 2003 23:51:15 +0200
Geeklog Multiple Versions Vulnerabilities
------
PRODUCT: Geeklog
VENDOR: Geeklog
VULNERABLE VERSIONS:

- 2.x ( TESTED ) (T.I.N.P)
- 1.x ( TESTED ) (T.I.N.P)
- Older versions possibly affected too.

NON-VULNERABLE VERSIONS

- ?

---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:



---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I found XSS and SQL Injection vulnerabilities in the Geeklog
Content Management System.
The XSS can be used to steal authentication data and cookies, and, in some
conditions, you can deface the website homepage.
The SQL Injections can be used to hack the backend database and
modify/read/delete/steal data in the backend database.
I also found some miscellaneous security holes.
---------
| XSS |
---------
I found XSS holes:
You can send code to the Shoutbox system to be displayed... ON THE HOME
PAGE !!!
This is the most important bug that I discovered in Geeklog, because any user
(not authenticated)
can send messages to the shoutbox and these messages will be displayed on the
home page of the CMS in a block.
-
Proof of Concept:
-
Insert your code into the text box under the shoutbox block and press "Shout
it!", that's all.

Another XSS:

http://[TARGET]/faqman/index.php?op=view&t=518">[XSS ATTACK CODE]

http://[TARGET]/filemgmt/brokenfile.php?lid=17'/%22%3[XSS ATTACK CODE]

It's very possible that other files using the lid variable are vulnerable to this
and to SQL Injection attacks.

------------------
| SQL INJECTIONS |
------------------

I found some SQL injections:

http://[TARGET]/index.php?topic=te'st/[SQL INJECTION CODE]

http://[TARGET]/forum/viewtopic.php?forum=1&showtopic=1'0/[SQL INJECTION CODE]

http://[TARGET]/staticpages/index.php?page=test'test/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/visit.php?lid=1'1'0/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/viewcat.php?cid='6/[SQL INJECTION CODE]

http://[TARGET]/comment.php?type=filemgmt&cid=filemgmt-1'70/[SQL INJECTION CODE]

http://[TARGET]/comment.php?mode=display&sid=filemgmt-XXX&title=[SQL INJECTION CODE]

http://[TARGET]/filemgmt/singlefile.php?lid=17'/0/[SQL INJECTION CODE]

With this you can perform malformed SQL queries to access privileged
information such as passwords (md5 hashes),
email addresses...


---------------
| MISCELLANEOUS |
---------------
_____________
IP Detection ->
_____________

Geeklog only detects IPs in front of a proxy; if you are
behind a proxy, Geeklog's logs and scripts will be logging the proxy IP.
This can be patched by using HTTP_X_FORWARDED_FOR detection like:

<?php

/* ------------------------
/ Geeklog possible Hard IP
/ Detection System.
/ Use seeyou() instead of
/ declaring other ip variables.
/ ------------------------
/ by Lorenzo Hernandez G-H
/ ------------------------
*/

function seeyou()
{
    // Try the proxy-related request headers first (HTTP_CLIENT_IP and
    // HTTP_X_FORWARDED_FOR come from the request), then the connection's
    // peer address; a value is skipped when empty or literally "unknown".
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
             && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return $ip;
}

/*-------seeyou()-------*/
/* <<EOF */
// ;-)
// dedicated to Pocholo
// Poxolo for president !
// FIEEEESSSSSSSSTAAAAAAAA

?>

and calling it from the main IP variable like:

$ip = seeyou();

________________________
Automatic IP Blocking ->
________________________

I'm suggesting this to the Geeklog development team.
Instead of logging facilities, use a proactive system to deny attackers' IPs
in real time.
I explain it:

An attacker checks those SQL Injection vulnerabilities.
He uses one or more possible bugs and the system adds these attempts to the
database:

-KIDDIE->
 - IP -> uses seeyou() routine for detection
 - ATTEMPTS -> COUNT
   |_> IF THIS IS x (F.EX. 3) go to the block routine

 |> Blocking routine:
   - a file (F.EX. blockthatsh*t.php)
   |> This adds an entry to another php file that is included in the common lib
      that is loaded with all the scripts with: include ("blocked-sh*ts");

blocked-sh*ts.php source:


<?php
/* No Secure Root Group Security Research
/ By Lorenzo Hernandez Garcia-Hierro
/ This is part of the Security Application Server ( unreleased ) by
/ Lorenzo Hernandez Garcia-Hierro
/ ---- Licensed under GPL ----
*/

// Addresses to deny. An entry ending in "." is a prefix and matches every
// address that starts with it; any other entry has to match exactly.
$denyip = array("202.108.250.",
                "200.147.47.97",
                "148.221.148.38",
                "80.117.13.97",
                "212.142.214.63",
                "213.97.249.145"
);

/* IP Detection
// ----------------------
// EXPERIMENTAL IN THIS SCRIPT
// THIS WILL BLOCK IPs USING
// THE "HARD DETECTION ROUTINE"
// AND MATCHING THE denyip ARRAY
// -----------------------
*/

// Same routine as above; guarded so that including this file next to a
// script that already defines seeyou() does not redeclare it.
if (!function_exists('seeyou')) {
    function seeyou()
    {
        if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
            $ip = getenv("HTTP_CLIENT_IP");
        else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
            $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
            $ip = getenv("REMOTE_ADDR");
        else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
                 && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
            $ip = $_SERVER['REMOTE_ADDR'];
        else
            $ip = "unknown";
        return $ip;
    }
}

// -------END seeyou()-------

// Under this you don't need to change anything.
// ----------------------------------------------

$ip = $_SERVER['REMOTE_ADDR']; // to use the seeyou() routine instead, comment
                               // this line out and uncomment the next one
// $ip = seeyou();

$blockmsg = '<h1>Access Blocked</h1><br><br>Your Internet Address was '
    . 'blocked in our servers due to incorrect use or improper actions in the '
    . 'servers; if you attempt to access these servers again, your ISP will be '
    . 'advised about you. Blocked IPs are: <br><br>' . implode('<br>', $denyip)
    . '<br><br>Take care to stay out of this list. Shits smell bad.';

// Nothing to change below this line ------------------

$x = count($denyip);

for ($y = 0; $y < $x; $y++) {
    $entry = $denyip[$y];
    if (substr($entry, -1) == '.')
        $hit = (strncmp($ip, $entry, strlen($entry)) == 0);   // prefix entry
    else
        $hit = ($ip == $entry);                               // exact entry
    if ($hit) {
        exit($blockmsg);
    }
}

?>

And that's all; you need to write a script that writes the IPs to block in the
correct form.

I called this system Blahsh*t Guard.

This is part of my (unreleased) whitepaper "uwahck":

"Using Vulnerable Web Applications to HaCK into Servers".
<<EOF

---------------
| CONCLUSIONS |
---------------

Geeklog doesn't have an input validation system, and you can send
malicious data to the target Geeklog installation.
This can be used by attackers to do extremely bad things to the target
installation.
Geeklog core and modules are completely vulnerable to XSS attacks and SQL
Injection.
Definitely Geeklog is not a Geek product ;-) .

For the development team and people going to use the Blahsh*t Guard:

The code is fully experimental, and this is one of the reasons SAServer is
unreleased.

Send suggestions to me or join the project through http://sas.novappc.com .

Greetings to:

0x00-Pocholo, hey, be president, cag_at_(dieresis)_at>en la *st*a!
0x02-rkc - I don't even know what for - here it goes ;-).
0x03-CqC: to hell with Telecinco, Berlusconi and the rest of those sci-fi characters.
0x04-To la chofa, for her "angelic" music, poor thing, with that little critter in
the middle...
0x05-To mrs nadie for her excellent work.

NOTE: This is the first time that I write greetings, but I want to do it more;
it is excellent for
the Spanish poxo-family.

-----------
| CONTACT |
-----------
------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
--- Security Consultant ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://security.novappc.com
______________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
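The injection class behind the advisory's URLs (index.php?topic=te'st/[SQL INJECTION CODE] and the others with a quote in a query parameter), as an added example that is not part of the advisory or of Geeklog: a hypothetical topic lookup that splices the parameter into the SQL text, beside the same lookup as a prepared statement, run against an in-memory SQLite database through PDO so it works offline. The topics table, its two rows and the query are constructed for the demonstration; the te'st probe and the `topic` parameter name are the advisory's.

```php
<?php
// Added example: the bug class behind URLs such as
// index.php?topic=te'st/[SQL INJECTION CODE], run against an in-memory SQLite
// database so it works stand-alone. Editor's code; the table, the rows and the
// query are made up for the demonstration and are not Geeklog's.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (tid TEXT PRIMARY KEY, topic TEXT, is_public INTEGER)');
$db->exec("INSERT INTO topics VALUES ('news', 'Site news', 1), ('staff', 'Staff only', 0)");

// Vulnerable: the request parameter is spliced into the SQL text. A single
// quote in the input ends the string literal early, which is what the te'st
// probe detects: the page answers with a database error instead of a result.
function topics_vulnerable(PDO $db, string $topic): array {
    $sql = "SELECT tid, topic FROM topics WHERE tid = '$topic' AND is_public = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is sent as a bound parameter and is never parsed as SQL.
function topics_fixed(PDO $db, string $topic): array {
    $stmt = $db->prepare('SELECT tid, topic FROM topics WHERE tid = ? AND is_public = 1');
    $stmt->execute([$topic]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the advisory's quote probe, and a payload that rewrites
// the WHERE clause so the non-public row comes back.
$probe   = "te'st";
$payload = "x' OR is_public = 0 --";

try {
    topics_vulnerable($db, $probe);
    echo "probe: no error\n";
} catch (PDOException $e) {
    echo "probe on the vulnerable query raised: ", $e->getMessage(), "\n";
}
echo "vulnerable, payload: ", json_encode(topics_vulnerable($db, $payload)), "\n";
echo "fixed, payload:      ", json_encode(topics_fixed($db, $payload)), "\n";
echo "fixed, 'news':       ", json_encode(topics_fixed($db, 'news')), "\n";
```

The probe is the check a practitioner runs first: on the vulnerable query it raises a syntax error, on the fixed one it is just a topic id that does not exist and returns an empty set. The payload then shows the impact the advisory describes, a row the query was meant to hide being returned, and that the bound-parameter version returns nothing for the same input.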
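An added example (editor's code, not part of the advisory and not Geeklog's) covering the IP detection and automatic blocking sections of the post above. The seeyou() routine reads HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR, both of which are ordinary request headers filled in by whoever sends the request; a client that adds `X-Forwarded-For: 198.51.100.7` is logged, and checked against the deny list, as 198.51.100.7, so a blocklist keyed on that value is bypassed by adding one header. The version below only honours X-Forwarded-For when the TCP peer (REMOTE_ADDR, set by the web server) is one of a configured set of proxies, takes the rightmost address in the header that is not one of those proxies, validates each hop with filter_var(), and matches the deny list by CIDR instead of string comparison, which also handles the advisory's "202.108.250." prefix entry. The trusted-proxy addresses, the deny list and the two sample requests are constructed for the demonstration.

```php
<?php
// Added example (editor's code, not Geeklog's and not the advisory's seeyou()):
// proxy-aware client address resolution plus a CIDR deny list.

// Reverse proxies we operate. Assumption for the demo: anything else that
// connects is an end client and its X-Forwarded-For header is ignored.
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.0.2.10/32'];

// Deny list in CIDR form. 202.108.250.0/24 is the advisory's "202.108.250."
// prefix entry; single hosts are /32.
const DENY_LIST = ['202.108.250.0/24', '200.147.47.97/32'];

// True when $ip lies inside $cidr ("a.b.c.d/n"; a bare address means /32).
function ip_in_cidr(string $ip, string $cidr): bool {
    $parts = explode('/', $cidr, 2);
    $net = $parts[0];
    if (filter_var($ip, FILTER_VALIDATE_IP) === false ||
        filter_var($net, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;                       // IPv4 vs IPv6: never equal
    }
    $bits = isset($parts[1]) ? (int) $parts[1] : strlen($netBin) * 8;
    $bits = max(0, min($bits, strlen($netBin) * 8));
    $full = intdiv($bits, 8);               // whole bytes to compare
    if ($full > 0 && substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;                       // leftover bits in the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$full]) ^ ord($netBin[$full])) & $mask) === 0;
}

function in_list(string $ip, array $cidrs): bool {
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Resolve the client address from $_SERVER-style variables. REMOTE_ADDR is
// the TCP peer and is set by the web server; HTTP_X_FORWARDED_FOR is a request
// header and is only believed when the peer is one of our proxies.
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_list($peer, TRUSTED_PROXIES) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;                       // direct connection: header is untrusted
    }
    // Walk the chain right to left: the rightmost entries were appended by our
    // proxies; the first address that is not one of them is the real client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
            return $peer;                   // malformed header: fall back to the peer
        }
        if (!in_list($chain[$i], TRUSTED_PROXIES)) {
            return $chain[$i];
        }
    }
    return $peer;                           // every hop was one of our proxies
}

function is_blocked(array $server): bool {
    return in_list(client_ip($server), DENY_LIST);
}

// Constructed requests. In the first, a denied host connects directly and
// forges the header; seeyou() would have reported 198.51.100.7 and let it
// through. In the second, our proxy at 10.0.0.5 appended the real peer
// 202.108.250.77 after whatever the client put in the header itself.
$requests = [
    'direct, forged header' => ['REMOTE_ADDR' => '200.147.47.97',
                                'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'via trusted proxy'     => ['REMOTE_ADDR' => '10.0.0.5',
                                'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 202.108.250.77'],
];
foreach ($requests as $label => $req) {
    printf("%-22s client=%-16s blocked=%s\n", $label, client_ip($req),
           is_blocked($req) ? 'yes' : 'no');
}
```

Both constructed requests come out blocked: the first because the forged header is ignored and the peer itself is on the list, the second because the proxy-appended hop falls inside 202.108.250.0/24. The design choice worth keeping from this is that the only value an attacker cannot choose is REMOTE_ADDR, so any header-derived address has to be anchored to a peer you already trust before it is logged or used for blocking.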
Fix your Shoutbox!
Authored by: ScurvyDawg on Sunday, September 28 2003 @ 08:05 PM EDT
Have you sent this to the developers before displaying it here for all to see? I would rather this go to the project developers first.

I understand full disclosure but putting it here FIRST is really just kinda dumb.

Good to see people are still hammering on the package to ensure its security. I think most if not all of these items mentioned are plug-ins and not part of the core package.

my two cents
Fix your Shoutbox!
Authored by: Anonymous on Sunday, September 28 2003 @ 10:33 PM EDT
Yup, yup, yup. They want to be considered security experts because they find a problem yet cannot figure out if something is an add-on plugin or part of the core of a program. This is what is called incompetence. Handing something right to script kiddies by posting to Bugtraq instead of first going to the developers so they have a chance to fix the problem shows this guy is not a true security professional. He's as lowlife as the script kiddies who take his info and do the actual attacking.


Fix your Shoutbox!
Authored by: squatty on Monday, September 29 2003 @ 12:02 AM EDT
Well, I wouldn't go that far. I would however seriously question his delivery. Any security professional should be well versed in the CIA triad (confidentiality, integrity, and availability). Publicly posting vulnerabilities without notifying the proper authorities is by no means equivalent to full disclosure. It's not like it's hard to find out who to contact. Dirk's name is all over and the mailing list link is highly visible.

Sincerely,
Squatty, CISSP

---
In a world without walls and fences, who needs Windows and Gates?
Fix your Shoutbox!
Authored by: Dirk on Monday, September 29 2003 @ 03:27 AM EDT
Unfortunately, this gentleman did not contact us prior to publishing his findings, which is certainly not the way to handle these things ...

The Shoutbox issue should be addressed by the fixes detailed in the story above. The rest is still very much under investigation. It seems, however, that you can at least use this to expose sensitive information under certain circumstances.

bye, Dirk
Fix your Shoutbox!
Authored by: destr0yr on Sunday, September 28 2003 @ 08:18 PM EDT
Chatterblock, made by Blaine, is a decent replacement?! I use it on my site and love it.

---
-- destr0yr - "People like you are the reason people like me need medication."
Hilarious
Authored by: Anonymous on Wednesday, October 01 2003 @ 10:52 PM EDT
hahahah.
Look at this.
The same guy that posted the supposedly found "bug", before letting the developers of Geeklog know first, USES GEEKLOG on his website.

http://security.novappc.com/

hahaha..

Well, it doesn't even say it's also running "not such a Geek product" ;-)