3205 : Geeklog Weak Session Control
Printer | http://osvdb.org/3205 | Email This | Edit Vulnerability

Views This Week

4

Views All Time

21

Info

Last Modified

8 months ago

Percent Complete

65%

Disclosure

Oct 08, 2003

Discovery

Unknown

Dates

Exploit

Oct 08, 2003

Solution

Unknown

Description

Geeklog contains a flaw in the way it controls passwords and session control. If a remote user can obtain the password hashes (trivial through XSS attacks), they can store the information on their computer as their own cookie and automatically log in as arbitrary users. When changing "their" password, Geeklog does not ask for the old password as verification, allowing the remote attacker to effectively hijack any account.

Classification

Unknown or Incomplete

Technical

Note: This vulnerability can only be exploited in conjunction with another such as a cross-site scripting (XSS) attack. As of version 1.3.8-1sr4, there are no known/published XSS vulnerabilities in this version of Geeklog.

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Geeklog

Geeklog

1.x

References

Related OSVDB ID: 2253
Secunia Advisory ID: 9966

Credit

Unknown or Incomplete

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

User Status

Account
- Login
- Sign-Up

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use