Open Source and information security mailing list archives
Date: Thu, 4 Jun 2009 21:29:02 +0200
From: "Dirk Haun" <>
To: <>
Cc: <>, <>
Subject: Re: [InterN0T] Geeklog 1.5 - Pre-Installation Vulnerabilities

wrote:

>Geeklog - Pre-Installation Vulnerabilities
>Version Affected: 1.5.2sr4 (18th April 2009) (newest)
>Cross Site Scripting: 

This exact request does not seem to work, but a similar case has already
been reported by someone who called himself Nemesis. I have to admit
that it does still work with the installer for Geeklog 1.6.0 (currently
in beta). We will address that ASAP.

>Path Disclosure:
>Remote File Inclusion:

These two have been fixed in the 1.6.0 installer.

>-:: Solution ::-
>I didn't bother to find one, sorry.

A simple solution is to follow the installation instructions, which
strongly recommend removing the install script after a successful
install. There are also further checks and reminders about this built
into Geeklog.

>Disclosure Information:
>- Vulnerabilities found and confirmed between 1st and 3rd June 2009.
>- Published at InterN0T the 3rd June 2009.
>- Bugtraq contacted the 3rd June 2009.

A "Vendor contacted" somewhere in between there would have been nice. We
do take security very seriously and we do give proper credits.

Dirk Haun
(for the Geeklog Team)
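An added example of the mitigation described in the reply above (remove the installer after a successful install, and have the installer refuse to run again); this is illustrative shell, not Geeklog's own code, and the installer paths and the config-file marker are assumed placeholders, not Geeklog's real layout.

```shell
#!/bin/sh
# Added example, not from the Geeklog project. Two defensive checks around a
# web application's install script:
#   1. a post-install audit that reports an installer left in the web root;
#   2. a guard an installer can run so it refuses to execute once the site
#      is already installed.
# The candidate paths and the config-file marker are placeholders.

# Return 0 when no installer remains under the web root, 1 otherwise.
check_installer_removed() {
    webroot="$1"
    leftover=0
    # Placeholder names for installer locations to audit.
    for candidate in admin/install admin/install.php install.php; do
        if [ -e "$webroot/$candidate" ]; then
            echo "installer still present: $webroot/$candidate" >&2
            leftover=1
        fi
    done
    return $leftover
}

# Guard for the installer itself: refuse to run when a completed-install
# marker (here, the generated configuration file) already exists.
installer_guard() {
    config="$1"
    if [ -f "$config" ]; then
        echo "site already installed; remove this installer" >&2
        return 1
    fi
    return 0
}

# Usage: run the audit after every install or upgrade, for example from a
# deployment script, and fail the deployment when it reports a leftover.
# check_installer_removed /var/www/site || exit 1
```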
