Bugtraq mailing list archives

Re: [InterN0T] Geeklog 1.5 - Pre-Installation Vulnerabilities
From: "Dirk Haun" <dirk () haun-online de>
Date: Thu, 4 Jun 2009 21:29:02 +0200

security () intern0t net wrote:

Geeklog - Pre-Installation Vulnerabilities

Version Affected: 1.5.2sr4 (18th April 2009) (newest)
Cross Site Scripting:

This exact request does not seem to work, but a similar case has already
been reported by someone who called himself Nemesis. I have to admit
that it does still work with the installer for Geeklog 1.6.0 (currently
in beta). We will address that ASAP.

Path Disclosure:

Remote File Inclusion:

These two have been fixed in the 1.6.0 installer.

-:: Solution ::-
I didn't bother to find one, sorry.

A simple solution is to follow the installation instructions, which
strongly recommend removing the install script after a successful
install. There are also further checks and reminders about this built
into Geeklog.

Disclosure Information:
- Vulnerabilities found and confirmed between 1st and 3rd June 2009.
- Published at InterN0T the 3rd June 2009.
- Bugtraq contacted the 3rd June 2009.

A "Vendor contacted" somewhere in between there would have been nice. We
do take security very seriously and we do give proper credits.

Dirk Haun
(for the Geeklog Team)
