[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <006901c38b72$f93aaa90$050010ac@rootserver>
From: lorenzohgh at nsrg-security.com (Lorenzo Hernandez Garcia-Hierro)
Subject: I have fixes for the Geeklog vulnerabilities
Hi,
Due to the completely incorrect treatment and work of the Geeklog
development team , that they don't developed fixes for THEIR product which
is used around the world by lots of users , i have fixes aka patches for the
last Geeklog vulnerabilities.
1.Fix against Cross Site Scripting Attacks:
Edit your index.php file of the html root of your geeklog installation:
Go the first line ,
after <?php insert this code:
- xss fix -
// XSS Fix for Geeklog XSS Vulnerabilities
// This will stop sql injection by filtering these characters:
// ; - ' - ` - ? - +
// By Lorenzo Hernandez Garcia-Hierro
foreach ($HTTP_GET_VARS as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*span*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*h1*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*table*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*pre*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*em*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*input*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*td*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*option*\"?[^>]*>", $secvalue)) ||
(eregi(";", $secvalue)) ||
(eregi("'", $secvalue)) ||
(eregi("?", $secvalue)) ||
(eregi("`", $secvalue)) ||
(eregi("+", $secvalue)) ||
(eregi("\"", $secvalue))) {
die (";-) whereis lammer lammer: you");
}
}
-xss fix end -
2.- Patch against SQL Injection vulnerabilities:
The xss fix is hybrid fix because you block ` ? ' with it.
Go the the dir of the geelog scripts ( not html dir , the classes and config
dir ) and edit the
script system/lib-database.php
go to line 152,the code to edit is this:
-
function DB_query($sql, $ignore_errors=0)
{
global $_DB;
return $_DB->dbQuery($sql,$ignore_errors);
}
-
Let's modify it , replace with:
- sql injections fix -
// Geeklog SQL Injection prevention fix
// by Lorenzo Hernandez Garcia-Hierro
function DB_query($sql, $ignore_errors=1)
{
global $_DB;
return $_DB->dbQuery($sql,$ignore_errors);
}
- end of fix -
Thats all but if you want to have a strong sql injection and error control
go to line 441 , you see:
function DB_error()
{
global $_DB;
return $_DB->dbError();
}
you can edit the function to write the ip of the client that make the error
and block it , more agressive technics are easy to code ;-)
-
thats all folks !
-
NOTES: it is completely inapropiated and non professional to ignore security
issues in a product like the actions of the Geeklog devel team.
Take the example of the phpWebSite devel team , they patched phpWebSite in
one day , adviced the community and make patches availables in one day ,
they are real geeks but they don't say it , regards to the phpWebSite dev
team for their excellent and perfect daily work.
-
TO:
- All the users of geeklog that were vulnerable before this NON-OFFICIAL
patches.
--
Regards,
------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
--- Security Consultant ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
D185 3555 8ECD 3921 6B21 ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E
Size: 4096
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://www.nsrg-security.com
______________________
Powered by blists - more mailing lists