[UNIX] Cookie Modification Allows Unauthenticated User Login in Geeklog
From: support@securiteam.com
Date: 01/17/02
From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 17 Jan 2002 09:35:12 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cookie Modification Allows Unauthenticated User Login in Geeklog
------------------------------------------------------------------------
SUMMARY
Geeklog (http://www.geeklog.org) is a 'blog', otherwise known as a
Weblog. It allows you to create your own virtual community area, complete
with user administration, story posting, messaging, comments, polls,
calendar, web links, and more. It can run on many different operating
systems, and uses PHP4 and MySQL. A security vulnerability in the product
allows attackers to gain privileged access by simply modifying the cookie
that the web site provides to them.
DETAILS
Vulnerable systems:
Geeklog version 1.3
When permanent cookies are enabled, as they are in a stock install,
Geeklog stores a user's UID in a cookie upon successful login.
This cookie is subsequently used during future visits to the site to
automatically initiate an authenticated session as the UID in the cookie.
Modification of the UID in the cookie allows any user to assume the
identity of any other registered user, including the administrative user.
Solution:
A bug report was submitted to the author on January 9th, and fixes were
made available shortly after, with instructions on where to obtain them
posted at the Geeklog website (http://www.geeklog.org).
ADDITIONAL INFORMATION
The information has been provided by Adrian Chung
<adrian@enfusion-group.com>.
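The flaw described under DETAILS, as an added PHP example (not Geeklog's code and not part of the advisory): a login cookie trusted as a bare UID, next to a variant that carries an HMAC over the UID and an expiry time. The function names, cookie names and key are hypothetical.

```php
<?php
// Added illustration, not Geeklog source. Function, cookie and key names are hypothetical.
const COOKIE_KEY = 'constructed-demo-key-use-a-random-secret'; // assumption: server-side only

// Pattern from the advisory: the cookie value alone decides who the user is.
function uid_from_cookie_vulnerable(array $cookies): ?int
{
    $uid = $cookies['uid'] ?? null;
    return is_string($uid) && ctype_digit($uid) ? (int) $uid : null;
}

// Hardened variant: cookie is "uid.expiry.mac"; the MAC binds both fields to the key.
function issue_login_cookie(int $uid, int $ttl, int $now): string
{
    $payload = $uid . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

function uid_from_cookie_hardened(array $cookies, int $now): ?int
{
    $value = $cookies['login'] ?? null;
    if (!is_string($value)) { return null; }
    $parts = explode('.', $value);
    if (count($parts) !== 3) { return null; }
    [$uid, $expiry, $mac] = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expiry)) { return null; }
    $expected = hash_hmac('sha256', $uid . '.' . $expiry, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) { return null; } // constant-time comparison
    if ((int) $expiry < $now) { return null; }          // reject expired cookies
    return (int) $uid;
}

// Constructed demo values.
$now = time();
$cookie = issue_login_cookie(5, 3600, $now);
$edited = '2' . substr($cookie, 1); // same cookie with only the UID field changed
var_dump(uid_from_cookie_vulnerable(['uid' => '2']));
var_dump(uid_from_cookie_hardened(['login' => $cookie], $now));
var_dump(uid_from_cookie_hardened(['login' => $edited], $now));
```

A random session token looked up in a server-side table is an equally sound design and additionally allows a login to be revoked.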
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.