
Geeklog Forums

Geeklog / Gallery vulnerability


Jason

Anonymous
worried
As detailed in this article,
http://www.securityfocus.com/guest/24043

Geeklog and/or Gallery can be used to compromise a host. I personally used my own server to test the problem. I was able to write arbitrary data to /tmp, cat the /etc/passwd file, and do anything the "nobody" or "www" user could do on a host.

Maybe this has been addressed in a recent release of Geeklog or Gallery integration, but I'm running geeklog-1.3.8-1sr2 and Gallery integration gallery_1.3.4-pl1_1.3.8.tar.gz. I think those are recent.

It's possible this is just a problem in the Gallery integration (that's where I tested it) but I would imagine any improperly set variable like this (variables used in an include) could cause the same problem.

Thought I should bring it up, in case it hasn't been pointed out or discussed.