lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <006901c38b72$f93aaa90$050010ac@rootserver>
Date: Sun, 5 Oct 2003 21:00:30 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Cc: "SecurityTracker" <bugs@...uritytracker.com>
Subject: I have fixes for the Geeklog vulnerabilities


Hi,
Due to the completely incorrect treatment and work of the Geeklog
development team , that they don't developed fixes for THEIR product which
is used around the world by lots of users , i have fixes aka patches for the
last Geeklog vulnerabilities.

1.Fix against Cross Site Scripting Attacks:

Edit your index.php file of the html root of your geeklog installation:
Go the first line ,
after <?php insert this code:
- xss fix -
// XSS Fix for Geeklog XSS Vulnerabilities
// This will stop sql injection by filtering these characters:
// ; - ' - ` - ´ - +
// By Lorenzo Hernandez Garcia-Hierro
foreach ($HTTP_GET_VARS as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*span*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*h1*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*table*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*pre*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*em*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*input*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*td*\"?[^>]*>", $secvalue)) ||
 (eregi("<[^>]*option*\"?[^>]*>", $secvalue)) ||
 (eregi(";", $secvalue)) ||
 (eregi("'", $secvalue)) ||
 (eregi("´", $secvalue)) ||
 (eregi("`", $secvalue)) ||
(eregi("+", $secvalue)) ||
 (eregi("\"", $secvalue))) {
 die (";-) whereis lammer lammer: you");
    }
}
-xss fix end -

2.- Patch against SQL Injection vulnerabilities:

The xss fix is hybrid fix because you block ` ´ ' with it.
Go the the dir of the geelog scripts ( not html dir , the classes and config
dir ) and edit the
script system/lib-database.php
go to line 152,the code to edit is this:
-
function DB_query($sql, $ignore_errors=0)
{
    global $_DB;

    return $_DB->dbQuery($sql,$ignore_errors);
}
-
Let's modify it , replace with:

- sql injections fix  -

// Geeklog SQL Injection prevention fix
// by Lorenzo Hernandez Garcia-Hierro
function DB_query($sql, $ignore_errors=1)
{
    global $_DB;

    return $_DB->dbQuery($sql,$ignore_errors);
}

- end of fix -

Thats all but if you want to have a strong sql injection and error control
go to line  441 , you see:

function DB_error()
{
    global $_DB;

    return $_DB->dbError();
}

you can edit the function to write the ip of the client that make the error
and block it , more agressive technics are easy to code ;-)
-
thats all folks !
-
NOTES: it is completely inapropiated and non professional to ignore security
issues in a product like the actions of the Geeklog devel team.
Take the example of the phpWebSite devel team , they patched phpWebSite in
one day , adviced the community and make patches availables in one day ,
they are real geeks but they don't say it , regards to the phpWebSite dev
team for their excellent and perfect daily work.
-
TO:
- All the users of geeklog that were vulnerable before this NON-OFFICIAL
patches.

--
Regards,
------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
---       Security Consultant           ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
D185 3555 8ECD 3921 6B21  ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E
Size: 4096
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://www.nsrg-security.com
______________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ