| VID |
21910 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Geeklog program is vulnerable to an authorization bypass vulnerability in the admin/auth.inc.php script. Geeklog is an open-source Web log software written in PHP and MySQL. Geeklog versions 1.4.x before 1.4.0sr3, 1.3.11 before 1.3.11sr6 are vulnerable to an authorization bypass vulnerability, caused by an SQL injection vulnerability in the admin/auth.inc.php script. If the magic_quotes_gpc setting is disabled, a remote attacker could exploit this vulnerability to bypass the authentication procedure and gain unauthorized access to a vulnerable application with administrative privileges.
* References:
http://www.geeklog.net/article.php/geeklog-1.4.0sr3
http://www.securityfocus.com/archive/1/435295/30/0/threaded
http://www.frsirt.com/english/advisories/2006/2050
http://secunia.com/advisories/20316
http://kapda.ir/advisory-336.html
* Platforms Affected:
Geeklog versions 1.3.11 prior to 1.3.11sr6
Geeklog versions 1.4.x prior to 1.4.0sr3
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Geeklog (1.3.11sr6 or 1.4.0sr3 or later), available from the Geeklog Web site at http://www.geeklog.net/filemgmt/viewcat.php?cid=8 |
| Related URL |
CVE-2006-2700 (CVE) |
| Related URL |
18154 (SecurityFocus) |
| Related URL |
(ISS) |
|
