
Geeklog Forums

Partial security breach in Geeklog!



LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
One of my sites has me approving new users. I also used a Hebrew name for the word "Username". One such user got tricked by it and that was when all hell broke loose.

In short:
1) He used (UTF-8 encoded) Hebrew letters for the username.
2) Geeklog displayed a nasty MySQL error when he did so.
3) Geeklog made him bypass my approval.
4) Geeklog partially registered him (he only showed up in gl_users).
5) Geeklog at least gave him no rights at all (not even "All Users").
6) Geeklog displayed a nasty MySQL error when he tried to use the
"Forgot Your Password?" link.
* At this point, I've changed his username to English and he could use the "Forgot Your Password?" link.

That sums it up.
From now on I shall only use English words for things that must be in English (username, password & email) as I've discussed here.

But Geeklog, especially Geeklog - being so secure and all, shouldn't rely on the users' good will. It should forbid using foreign characters for the 3 aforementioned fields, especially username.

Now I'll post the details in a clean post.

But first,
Here are some quotes from Geeklog's error.log:

Thu Sep 22 12:27:03 2005 - 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1. SQL in question: INSERT INTO gl_group_assignments (ug_main_grp_id,ug_uid) VALUES (13, )
Thu Sep 22 12:58:43 2005 - error in get_userdata
Thu Sep 22 12:58:43 2005 - 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1. SQL in question: DELETE FROM gl_sessions WHERE uid =
Thu Sep 22 13:00:09 2005 - error in get_userdata
Thu Sep 22 13:00:09 2005 - 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1. SQL in question: DELETE FROM gl_sessions WHERE uid =


LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
In detail:

He (as he later told me) used Hebrew letters and as a result got a strange MySQL error. Same for when he tried to click the "Forgot Your Password?" link.

At this point I'd like to remind you that I have never even approved him so Geeklog shouldn't have even let him use that link!

I immediately went to PHPMyAdmin and changed his username to English. As a result... he could use the link! Again, I've never approved him. Anyway, indeed he was e-mailed a link to reset his password and did so. At this point I logged on to Geeklog myself... and saw him on the users' list as if I had approved him. While his profile led to index.php (read: didn't exist), I could edit his details and nothing was checked (not even "All Users").

Before deleting him via Geeklog and stopping this madness, I took one more look in PHPMyAdmin and saw that he only showed up in gl_users - not in any of the other gl_userX tables.


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
First of all: The responsible thing to do if you suspect a security issue would be to email our security list, geeklog-security@lists.geeklog.net. Please try to remember this for the future. Thanks.

I'm not sure why the Hebrew username would cause all these problems, but I can at least explain what happened: The new user's entry in the gl_users table was created, but then Geeklog couldn't get the uid for that new entry and failed to create the entries in the other user tables. The fact that the user should be "queued" is only stored at the end of the function that creates the new account - which Geeklog never reached because of the SQL errors.

So this is indeed something that we're doing wrong. Nice find. I've provided a version now that stores the "user is queued" information right when the new entry in the gl_users table is created and also added a sanity check to abort the account creation if we can't get the uid of the new account.

An updated version of lib-user.php (for Geeklog 1.3.11sr1) is available from CVS (use the "Download" link in the upper right corner).

bye, Dirk
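The failure sequence Dirk describes, and the two-part fix (queue the account the moment the gl_users row is written, and abort if the new uid cannot be determined), as an added illustration that is not Geeklog's lib-user.php. It uses an in-memory SQLite schema with constructed table names and status codes; the uid lookup that returns nothing for a non-ASCII username is a stand-in for the real failure, whose cause the thread does not identify.

```python
import sqlite3

QUEUED, ACTIVE = 2, 3   # constructed status codes: awaiting approval / active
GROUP_ID = 13           # the group id seen in the error.log line quoted in the thread

def setup_db():
    db = sqlite3.connect(":memory:")
    # Constructed stand-ins for gl_users and gl_group_assignments; new rows default to ACTIVE.
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,"
               " status INTEGER NOT NULL DEFAULT 3)")
    db.execute("CREATE TABLE group_assignments (grp_id INTEGER, uid INTEGER NOT NULL)")
    return db

def working_lookup(db, username):
    row = db.execute("SELECT uid FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None

def broken_lookup(db, username):
    # Simulated failure: the uid of a non-ASCII username cannot be retrieved.
    return None if any(ord(c) > 127 for c in username) else working_lookup(db, username)

def create_user_old(db, username, lookup_uid):
    # Ordering the thread describes: insert, fetch uid, assign groups, queue the user last.
    db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    uid = lookup_uid(db, username)
    # With uid None this raises (NOT NULL), standing in for the empty-uid SQL error logged.
    db.execute("INSERT INTO group_assignments VALUES (?, ?)", (GROUP_ID, uid))
    db.execute("UPDATE users SET status=? WHERE uid=?", (QUEUED, uid))  # never reached
    return uid

def create_user_new(db, username, lookup_uid):
    # Fixed ordering: the row is queued at creation, and creation aborts if uid is unknown.
    db.execute("INSERT INTO users (username, status) VALUES (?, ?)", (username, QUEUED))
    uid = lookup_uid(db, username)
    if uid is None:
        db.execute("DELETE FROM users WHERE username=?", (username,))
        raise RuntimeError("cannot determine uid of new account; creation aborted")
    db.execute("INSERT INTO group_assignments VALUES (?, ?)", (GROUP_ID, uid))
    return uid

def attempt(create_fn, username, lookup_uid):
    """Run one flow on a fresh database; return (failed, row_exists, status, group_rows)."""
    db = setup_db()
    failed = False
    try:
        create_fn(db, username, lookup_uid)
    except (RuntimeError, sqlite3.IntegrityError):
        failed = True
    row = db.execute("SELECT status FROM users WHERE username=?", (username,)).fetchone()
    groups = db.execute("SELECT COUNT(*) FROM group_assignments g JOIN users u"
                        " ON u.uid = g.uid WHERE u.username=?", (username,)).fetchone()[0]
    return failed, row is not None, row[0] if row else None, groups
```

With the old ordering a failed lookup leaves an unqueued gl_users row with no group rows, which is exactly the half-registered, "as if approved" account LWC saw; the new ordering leaves nothing behind.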


LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
Sorry, I didn't know about the list. If something like this happens, should I only e-mail the list or also post it on the forum?

Thanks for the fix. What would the user see should he try to use foreign letters for the username now?
