Advisory 06/2005: Geeklog SQL Injection Vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-



Advisory: Geeklog SQL Injection Vulnerability
Release Date: 2005/07/05
Last Modified: 2005/07/05
Author: Stefan Esser [sesser@hardened-php.net]

Application: Geeklog <= 1.3.11
Severity: An input validation flaw within Geeklog allows
SQL injection and can lead f.e. to user password
hash disclosure
Risk: High
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-062005.php


Overview:

Quote from http://www.geeklog.net
"Geeklog is a weblog powered by PHP and MySQL. It allows you within
minutes to set up a fully functioning dynamic website, and has many
features to get you started. As of Geeklog 1.3, these features are:

* User-system, allowing members of the public to register
for your site and submit stories.
* Comment system, allowing users to comment on posts
made to your site.
* Block system, allowing you to put information anywhere
on your site.
* Plugin system that allows you to extend Geeklog, without
having to code any new PHP.
* Theme system that allows users to select what layout they
want to view.
* Excellent security model that allows you to give users
control over certain aspects of the site with no need
to worry.
* Site Statistics that show you the most popular areas
of your site.
* Link system that allows users to add links to the site.
* Calendar System that lets you and your user add
up-and-coming events.
* Allow users to email stories to their friends."

An audit of the Geeklog sourcebase has revealed a possible SQL
injection, that can f.e. lead to disclosure of a users password
hash if this user has posted atleast one comment to an article
and that article having atleast another comment.

If the site admin account is also used for commenting to articles
this means the admin password hash can be revealed with this hole.
A possible candidate for this is for example some very popular
site that documents everything about the SCO vs. World process.


Details:

The Geeklog 1.3.x codebase is one of the PHP applications, that
are quite secure, although it was designed to only run with
register_globals turned on. They initialise their variables,
filter user input and escape strings before putting them into
SQL queries.

Nevertheless our audit has revealed a possible SQL injection in
the ORDER BY clause of a query that is used to retrieve user
comments for a given article. Usually people believe that such an
injection is harmless, because MySQL does not allow multi queries
and so you can only influence the order of the returned rows.

In this special case however the query performs a JOIN of the
comment and the user table, and therefore it is possible to
order the retrieved user comments in dependance of date in the
user table. Such a conditional ORDER BY statement looks like:

ORDER BY (u.uid=1 && (conv(substring(u.pass, 1, 1),16,10)&1))

This example would order all comments of the user with userid 1
to the end of all retrieved comments, but only if the lowest bit
of the first nibble of the password hash is set.

With similiar strings it is possible to retrieve the complete
MD5 hash of the attacked user account, by sending 128 HTTP
requests and checking in the returned HTML page if the first
(switching search order) comment was written by the user. It
should be obvious, that this issue is only exploitable if there
are atleast 2 comments.

The resulting MD5 hash can then be attacked in the usual way,
to retrieve the users password.


Proof of Concept:

The Hardened-PHP Project is not going to release an exploit
for this vulnerability to the public.


Disclosure Timeline:

30. June 2005 - Contacted geeklog.net via email
01. July 2005 - Sent requested POC to vendor
03. July 2005 - Vendor releases bugfixed version
(and request a disclosure not on 4th July)
05. July 2005 - Public disclosure


Recommendation:

We strongly recommend to upgrade to the vendor supplied
new version

Geeklog 1.3.11sr1
http://www.geeklog.net/filemgmt/visit.php?lid=574


Special Note to Secunia:

You have censored 2 of our 3 Cacti advisories. In both we tried
hard to help you guys out with short summaries, because you often
have enormous problems with understanding advisories.

Unfortunately we forgot to put such a summary into our 3rd Cacti
advisory and so it is maybe our responsibility that you made up
a 2nd bug in the administrative interface of Cacti that allows
execution of arbitrary commands. In the special secunia summary
we could have explained to you, that executing arbitrary commands
as admin is one of the features of Cacti.


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCybGJRDkUzAqGSqERAoG7AKDqY38M67H+BI2QWqPUMj8EIbmw4gCgu/2g
3fgr9dlH/jnEKWoZRxXU7m8=
=OaI9
-----END PGP SIGNATURE-----


© Hardened PHP Project