Geeklog contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to lib-common.php not properly sanitizing user input supplied to the 'language' variable. This may allow an attacker to read arbitrary local files or include local files which contain arbitrary commands which will be executed by the vulnerable script.
Classification
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
Exploit:
Exploit Rumored / Private
Disclosure:
OSVDB Verified
OSVDB:
Web Related
Solution
Upgrade Geeklog to version 1.4.0sr1 or 1.3.11sr4 or higher, as it has been reported to fix this vulnerability. Media Gallery users can upgrade to 1.2.4. An upgrade is required as there are no known workarounds.
gulftech.org - GulfTech Security Research