Info
Last Modified: 10 months ago

Description
Geeklog contains a flaw that may allow a malicious user to gain administrative access. The issue is triggered when a connection is made with a cookie of a non-existent user. It is possible that the flaw may allow a full administrative session resulting in a loss of confidentiality, integrity, and availability.

Classification
Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Technical
Geeklog's session validation checks that the submitted password matches the one stored in the database, but it never verifies that the supplied user id actually exists. Submitting a user id that does not exist therefore yields valid session credentials: the password lookup returns a NULL result set, the submitted password is also NULL, and the two compare equal. Geeklog treats this as a successful user lookup and inserts a record into the session table as if a valid login had occurred.
Beyond creating a session, this can yield a session with administrative access. A user id given as a floating-point number always produces a NULL result set, and when the session is created the insertion into the session table implicitly converts the floating-point value to an integer (2.1 becomes 2, for example), so the attacker can select an arbitrary user id for the resulting session. A proof of concept is provided in the linked advisory from a security mailing list post.

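The following Python model is added here for illustration; it is not part of the OSVDB entry and is not Geeklog's own code. It assumes a users table with uid and passwd columns (a constructed schema, not Geeklog's real one), uses an in-memory SQLite database in place of MySQL, and simulates the database's float-to-integer conversion with int(float(...)). It contrasts a check that only compares the looked-up value with the submitted one (the condition described above: no row plus no cookie password gives NULL == NULL) with a hardened check that validates the id format, requires the row to exist, and refuses empty credentials.

```python
import hmac
import re
import sqlite3


def build_db():
    """Constructed sample data standing in for a Geeklog users table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, passwd TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(2, "Admin", "hashed-admin-secret"), (3, "alice", "hashed-alice-secret")],
    )
    return db


def lookup_passwd(db, uid):
    """Return the stored password for uid, or None when no such row exists.
    A non-integer id such as '2.1' matches no row, exactly like the NULL
    result set described in the advisory."""
    row = db.execute("SELECT passwd FROM users WHERE uid = ?", (uid,)).fetchone()
    return row[0] if row else None


def vulnerable_session_check(db, uid, submitted_passwd):
    """Models the flawed logic: compares the looked-up value with the submitted
    one without checking that the user exists. When the row is absent the
    lookup yields None, an absent cookie password is also None, and None == None
    passes. Returns the uid a session would be created for, or None if rejected.
    The float-to-int step mimics the database truncating 2.1 to 2 on insert."""
    if lookup_passwd(db, uid) == submitted_passwd:
        return int(float(uid))
    return None


UID_RE = re.compile(r"[1-9][0-9]*")


def hardened_session_check(db, uid, submitted_passwd):
    """Hardened variant (an assumed fix, not Geeklog's actual patch):
    1. the id must be a plain positive integer string, so '2.1' never reaches the DB;
    2. an empty or missing password is rejected before any lookup;
    3. the row must exist;
    4. the comparison is constant-time.
    Returns the authenticated uid, or None on any failure."""
    if not isinstance(uid, str) or not UID_RE.fullmatch(uid):
        return None
    if not submitted_passwd:
        return None
    stored = lookup_passwd(db, int(uid))
    if stored is None:
        return None
    if not hmac.compare_digest(stored.encode(), submitted_passwd.encode()):
        return None
    return int(uid)


if __name__ == "__main__":
    db = build_db()
    # Missing cookie password plus non-existent id: flawed check still "logs in" as uid 2.
    print("vulnerable, uid=2.1, no password ->", vulnerable_session_check(db, "2.1", None))
    print("hardened,   uid=2.1, no password ->", hardened_session_check(db, "2.1", None))
    print("hardened,   uid=2, real password ->",
          hardened_session_check(db, "2", "hashed-admin-secret"))
```

Detection-wise, the same two conditions that the hardened check rejects are what to look for in logs of a deployment that cannot yet be upgraded: session records created for user ids that have no matching users row, and cookie user ids that are not plain integers.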
Solution
Upgrade to version 1.3.7.sr2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products
Geeklog: 0.x, 1.0.x, 1.1.x, 1.2.x, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.7sr1

Credit
- pokleyzz, SCAN Associates Sdn. Bhd. (scan-associates.net)
- sk, Scan Associates (scan-associates.net)
- shaharil, Scan Associates (scan-associates.net)
- munir, Scan Associates (scan-associates.net)