
Welcome to Geeklog Thursday, April 24 2014 @ 06:39 AM EDT

The following comments are owned by whomever posted them. This site is not responsible for what they say.

  • Current Security Issues (Sept 2003)
  • Authored by: Anonymous on Thursday, October 09 2003 @ 07:14 AM EDT
Basically you're screwed until someone patches the forum component; someone can get full admin privileges on your blog.

If you're also using MySQL 4.1 you also have to wait until they patch the SQL injection issues reported earlier.
  • Current Security Issues (Sept 2003)
  • Authored by: Anonymous on Thursday, October 09 2003 @ 10:53 AM EDT
This is uhhh kinda wrong. The forum has issues. These issues could currently be used to let a JavaScript take the cookie. The password is still encrypted so they would have to bust that. And they could only take the encrypted password of the admin if you tried to view that post with the JavaScript post.

A current fix for this is to disable the img tag, especially in your forum, and maybe just all your HTML tags to be especially safe. I'm not sure if this is easy to do in the forum as I don't use it, but that should work.

Most of these issues that are being posted currently are blown way out of proportion and you don't really need to worry about them. The Geeklog development team is very very into security, and if a real security issue is found be sure that it would be patched within a day or two.

I suspect all the issues will be fixed in the next release, or in a service release if these are found to be valid issues. The forum will most likely be patched shortly.

I didn't proofread this message... sorry.
  • Current Security Issues (Sept 2003)
  • Authored by: Anonymous on Thursday, October 09 2003 @ 11:07 AM EDT
You are out of your mind. You don't have to crack the hash, you can just place it in your cookie,

because Geeklog keeps you logged in for a fixed period of time: one hour, one week, one year, etc.

How do you think this works? It works because it stores your hashed password and user ID in a cookie.

As for the Geeklog authors, well, they're clueless.
  • Current Security Issues (Sept 2003)
  • Authored by: Anonymous on Thursday, October 09 2003 @ 03:28 PM EDT
You have a point. Whatever the case, the issue with the FORUM plugin needs to be addressed, which I'm sure it's being worked on. I do not believe this is an issue with any of the core features of Geeklog.

Like I said before, disable all your HTML and you won't have to worry about it.
  • Current Security Issues (Sept 2003)
  • Authored by: Anonymous on Thursday, October 09 2003 @ 07:13 PM EDT
You seem not to have noticed that the post also included a Python script that uses SQL injection rather than XSS to crack the password, e.g. there is no defending against it.
  • Current Security Issues (Sept 2003)
  • Authored by: Anonymous on Friday, October 10 2003 @ 09:40 AM EDT
So far, like the other stuff, the Python script has not been able to be a success. I have personally tried running it and it gives an error when trying to run. I can't really tell what it's trying to do except maybe exploit something else in the forum plugin... there's something to do with the forum plugin there.

So what have we still learned? The core Geeklog has yet to have any security flaws actually seen. A plugin that a 3rd party made has some issues that need to be cleared up.
  • Current Security Issues (Sept 2003)
  • Authored by: Anonymous on Friday, October 10 2003 @ 02:46 PM EDT
> So far like the other stuff the python script has not been able to be a success. I have personally tried running it and it gives an error when trying to run.

It requires Python 2.2 or higher.

> I can't really tell what its trying to do except maybe exploit something else in the forum plugin...
> theres something to do with the forum plugin there.

"/forum/memberlist.php?order=mid(passwd," + str(i + 1) + ",1),uid&prevorder=uid&direction=ASC&page=" + str(page))

You can order the memberlist by password, or more specifically by one character of the password, and thus determine its contents.

> So what have we still learned? The core geeklog has yet to have any security flaws actually seen.

We'll just see about that.

> Plugin that a 3rd party made has some issues that need to be cleared up.

Yes, and this site is running it; it could easily be defaced.
  • Current Security Issues (Sept 2003)
  • Authored by: tomw on Friday, October 10 2003 @ 03:06 PM EDT
I think you had better look at your code again. The forum memberlist.php does not allow you to sort the user list. Quit spreading this FUD until you know what you are talking about. Here is the code that retrieves the member list.

$memberlistsql = DB_query("SELECT * FROM {$_TABLES['users']} WHERE uid <> 1 ORDER BY regdate");

The ORDER BY is not changeable!

I also ran your Python script and could not get it to run -- by the way, my Python version is 2.3.

TomW
Not Anonymous
  • Current Security Issues (Sept 2003)
  • Authored by: DTrumbower on Friday, October 10 2003 @ 03:15 PM EDT
Sorry Tom, you can order it.
http://www.geeklog.net/forum/memberlist.php?order=username&prevorder=uid&direction=DESC&page=1

The headings are links.

I can get the script to run a while, but then it pukes.
  • Current Security Issues (Sept 2003)
  • Authored by: wlparks on Friday, October 10 2003 @ 03:24 PM EDT
tomw, sorry, but there are huge security issues with the forum plugin (I was the one defending Geeklog earlier in this thread). I suggest anybody using it take it down until it is fixed.

I was the one replying to the other things, but anyway I looked at the Python script. I got it to run. It puked 5 minutes in, but his theory is right.

I guess it won't hurt for me to explain it here since anybody can look at his script.

You CAN order by anything on the memberlist page... I can't say that I have looked at the code for the forum plugin at all. Hell, I haven't even installed it on my own personal site. But if they're using the latest version of the forum on geeklog.net you can sort by whatever you want. Order it any way you want and more.

EXAMPLE.
http://www.geeklog.net/forum/memberlist.php?order=uid&direction=ASC

His Python script didn't work for me, but I could write something in another language that did the exact same thing. His theory is correct.

Here's how it works.

memberlist.php?order=mid(passwd," + str(i + 1) + ",1),uid&prevorder=uid&direction=ASC&page=" + str(page)).read()

What he is doing is pulling back a character at a time and ordering the page based on the one character that is returned from the password field. From this he can compare it to where your own placement is on the return and tell if it's higher or lower or equal. If you did look at the Python script, it is constantly changing your own password so it can compare it better.

I believe this is how it was working; if not, that way should work :-p
  • Current Security Issues (Sept 2003)
  • Authored by: wlparks on Friday, October 10 2003 @ 03:29 PM EDT
Whoops, sorry, didn't see the dude's post that already explained how it worked.
  • Current Security Issues (Sept 2003)
  • Authored by: tomw on Friday, October 10 2003 @ 03:30 PM EDT
I admit I wasn't looking at the new version since it hasn't been released officially yet. The version for download here, and most widely used, does not have a sortable memberlist.

TomW
  • Current Security Issues (Sept 2003)
  • Authored by: Blaine on Friday, October 10 2003 @ 08:05 PM EDT
It appears this Python attack was run against the new (unreleased) membership.php that I was testing on this site and have distributed to a few users for testing.

I had enhanced it (albeit I now see the issue) to sort the display to improve its usefulness. I've tried to inject SQL to add the ORDER BY clause in the current 2.2 release and was not able.
I'm able to force the ORDER BY SQL clause to be added to the SQL statement, but it is rejected as improper SQL syntax.

This was tested on MySQL 3.23. I've not heard that anyone has done this on the released forum 2.2 release code.

I will be adding logic to filter out any SQL from being added on the URL path.

To filter out any JavaScript and IMG tags with JS, just enable the GL Filter and ensure the IMG tag (and other potential XSS-supporting tags) are not allowable HTML.

Blaine
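Added example, not code from Geeklog or the forum plugin: an allowlist check for the memberlist sort parameters (a stricter form of the URL filtering Blaine says he will add) and a scan of constructed access-log lines that flags the per-character ORDER BY probes the thread explains. The column names, the log format and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Columns the memberlist may legitimately be sorted by; anything else is rejected,
# so a value like "mid(passwd,1,1),uid" never reaches the ORDER BY clause.
# Assumed allowlist for illustration: the plugin's real column names may differ.
ALLOWED_ORDER = {"uid", "username", "regdate"}
ALLOWED_DIRECTION = {"ASC", "DESC"}

def safe_order_clause(params):
    """Map untrusted order/direction query values to a fixed ORDER BY clause.
    Raises ValueError for anything outside the allowlist."""
    order = params.get("order", ["regdate"])[0]
    direction = params.get("direction", ["ASC"])[0].upper()
    if order not in ALLOWED_ORDER or direction not in ALLOWED_DIRECTION:
        raise ValueError("rejected sort parameters: %r %r" % (order, direction))
    return "ORDER BY %s %s" % (order, direction)

# One Common Log Format access-log line: client IP, request path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def flag_memberlist_probes(log_lines):
    """Return (client_ip, path) for every memberlist.php request whose sort
    parameters safe_order_clause would reject."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        parts = urlsplit(path)
        if not parts.path.endswith("/forum/memberlist.php"):
            continue
        try:
            safe_order_clause(parse_qs(parts.query))
        except ValueError:
            hits.append((ip, path))
    return hits

# Constructed sample log lines: one legitimate sort, two per-character
# probes of the kind the thread describes, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2003:15:06:00 -0400] "GET /forum/memberlist.php?order=username&prevorder=uid&direction=DESC&page=1 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2003:15:07:01 -0400] "GET /forum/memberlist.php?order=mid(passwd,1,1),uid&prevorder=uid&direction=ASC&page=1 HTTP/1.1" 200 5130',
    '198.51.100.7 - - [10/Oct/2003:15:07:02 -0400] "GET /forum/memberlist.php?order=mid(passwd,2,1),uid&prevorder=uid&direction=ASC&page=1 HTTP/1.1" 200 5130',
    '203.0.113.9 - - [10/Oct/2003:15:08:00 -0400] "GET /forum/index.php HTTP/1.1" 200 2211',
]

if __name__ == "__main__":
    for ip, path in flag_memberlist_probes(SAMPLE_LOG):
        print("suspicious sort parameter from", ip, ":", path)
```

Because the allowlist maps the parameter to a fixed column name rather than trying to strip SQL out of it, a repeated run of requests with rejected sort values is also a simple detection signal for this probe.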