
Geeklog Forums

GL exploit


alk

Anonymous
Hey,
a few minutes ago milw0rm posted this exploit code for Geeklog 1.4.
http://www.milw0rm.com/exploits/1963

I would like to know if the current stable GL version 1.4.0sr3 is also affected.

Thx in advance!

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
The "plugins" directory should always be located outside of the webroot so that it is not accessible via a URL - and then all those "exploits" wouldn't work.

For the sake of people not following the installation instructions, we have already been fixing these things in CVS but they are still present in 1.4.0sr3, i.e. the current version.

Related information: Installing Geeklog entirely within the web root

bye, Dirk

mevans

Forum User
Full Member
Registered: 02/08/04
Posts: 393
Location:Texas
Just an FYI, but I'm already seeing the script kiddies hitting my sites with these attempts. They are not having any success, but it doesn't take long for them to start trying!

Thanks!
Mark

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by mevans: Just an FYI, but I'm already seeing the script kiddies hitting my sites with these attempts.

Same here, including silly things like /index.php/plugins/... which just confirms that they are entirely clueless.

Btw, forgot to mention: The above "exploit" also lists all the plugin's functions.inc files as vulnerable. But .inc files aren't normally executed.

bye, Dirk

andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
"They" uploaded a file into my geeklog system directory, for what it's worth. It *WAS* accessible through a URL. I've fixed it on ONE of many of my sites.


alk

Anonymous
http://www.milw0rm.com/exploits/1964

Now I am scared ...

alk

Anonymous
I have deactivated the advanced editor.

ironmax

Anonymous
After careful consideration, I have decided not to run the fckeditor on my site. Our users will just have to make do with what is provided until this glitch is finally resolved.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Okay, that looks like a real problem. And it's not enough to disable FCKeditor (which isn't enabled by default, as the exploit claims), as this goes directly to the files.

I'd suggest you remove the entire 'filemanager' subdirectory, i.e. /path/to/geeklog/public_html/fckeditor/editor/filemanager and disable 'mcpuk' in the FCKeditor config file (fckconfig.js): Set FCKConfig.LinkBrowser, FCKConfig.ImageBrowser, and FCKConfig.FlashBrowser = false (each of them).

Afterwards, check the /images/library subdirectories for suspicious files, especially ones containing "suntzu" in their name.

If you still want to use FCKeditor, you will have to live without its upload capabilities for now (or upgrade to FCKeditor 2.3 - instructions can be found elsewhere in the forum).

bye, Dirk

(edit: the directory name is 'filemanager', not 'filebrowser')
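The three checks from Dirk's post above, collected into one audit script as an added example (not part of the original thread and not Geeklog's own code). The function names are hypothetical, and the PHP-extension patterns in the file scan are an assumption that goes beyond the "suntzu" name mentioned in the post.

```shell
#!/usr/bin/env bash
# Added example: audit a Geeklog public_html tree against the post's checklist.
# Usage: ./audit_fckeditor.sh /path/to/geeklog/public_html

# Step 1: the 'filemanager' subdirectory should be gone.
filemanager_present() {
    [ -d "$1/fckeditor/editor/filemanager" ]
}

# Step 2: print every browser option whose last assignment in fckconfig.js
# is not "false". A missing assignment counts as not disabled.
browsers_enabled() {
    local cfg="$1/fckeditor/fckconfig.js" key last
    [ -f "$cfg" ] || return 0          # editor not installed: nothing to report
    for key in LinkBrowser ImageBrowser FlashBrowser; do
        last=$(grep -E "^[[:space:]]*FCKConfig\.${key}[[:space:]]*=" "$cfg" | tail -n 1)
        if ! printf '%s\n' "$last" | grep -Eq '=[[:space:]]*false[[:space:]]*;'; then
            echo "$key"
        fi
    done
}

# Step 3: list suspicious files under images/library. "suntzu" is from the
# post; the PHP-extension patterns are an assumption added for this example.
suspicious_uploads() {
    local lib="$1/images/library"
    [ -d "$lib" ] || return 0
    find "$lib" -type f \( -iname '*suntzu*' -o -iname '*.php*' -o -iname '*.phtml' \) | sort
}

# Run all three checks; return non-zero if anything was found.
audit() {
    local root="$1" findings=0 key f
    if filemanager_present "$root"; then
        echo "FAIL: $root/fckeditor/editor/filemanager still exists"; findings=$((findings + 1))
    fi
    for key in $(browsers_enabled "$root"); do
        echo "FAIL: FCKConfig.$key is not set to false"; findings=$((findings + 1))
    done
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        echo "WARN: suspicious file $f"; findings=$((findings + 1))
    done <<EOF
$(suspicious_uploads "$root")
EOF
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

if [ "$#" -ge 1 ]; then audit "$1"; fi
```

The script only reads the tree and reports; a file it flags still needs to be inspected by hand before it is deleted.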

alk

Anonymous
I had the "suntzu" files in my images/File dir but the exploit itself didn't work (tested).

shell_execution is disallowed on my server.

I have chmod 000 the fckeditor dir now and I am going to update it when I have a little piece of time.

thank you for this great software and let us hope that there are no more lacks of security in the code.