OSVDB ID: 2021

Title: Geeklog Permanent Cookie Account Hijacking

Dates

Disclosure: Jan 10, 2002
Discovery: Jan 09, 2002
Exploit: Unknown
Solution: Unknown

Description

Geeklog contains a flaw that may allow a remote attacker to access arbitrary user accounts. The issue is triggered when issuing permanent cookies. It is possible that the flaw may allow a remote attacker with a valid account to modify the UID in their own authentication cookie to that of a target account, resulting in a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Hijacking
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 1.3.1 or higher, as it has been reported to fix this vulnerability. In addition, Tony Bibbs has released a patch for some older versions.

Products

Geeklog

Geeklog

1.3

References

Credit

  • Adrian Chung - adrian@enfusion-group.com


Direct URL: http://osvdb.org/36218