Geeklog could allow an unprivileged user to gain administrator privileges

geeklog-default-admin-privileges (7780) Risk level: Medium Risk

Description:

Geeklog could allow an unprivileged user to gain administrator privileges. By default, the first user to create an account after the installation of Geeklog is granted full administrative privileges.

Platforms Affected:

  • Geeklog, Geeklog 1.3

Remedy:

Upgrade to the latest version of Geeklog (1.3.1 or later), available from the SourceForge Web site. See References.

As a workaround, on the admin/users.php page uncheck the GroupAdmin and UserAdmin check boxes for the user with UID 13.
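As an added audit check (not part of the X-Force entry or of Geeklog's own code), the query below lists every account holding GroupAdmin or UserAdmin membership, so an administrator can confirm that only intended accounts carry those groups and spot the stray assignment record the advisory describes. Table and column names (gl_users, gl_groups, gl_group_assignments with uid, username, grp_id, grp_name, ug_uid, ug_grp_id) are assumed from Geeklog's default gl_ table prefix and may differ on a given install.

```sql
-- Added audit query; assumed Geeklog schema, adjust the gl_ prefix if changed:
--   gl_users(uid, username), gl_groups(grp_id, grp_name),
--   gl_group_assignments(ug_uid, ug_grp_id)
-- Group names are compared with spaces stripped so both 'Group Admin'
-- and 'GroupAdmin' spellings match.
SELECT u.uid,
       u.username,
       g.grp_name,
       COUNT(*) AS assignment_rows   -- more than 1 means a duplicate assignment record
FROM   gl_group_assignments AS ga
JOIN   gl_users  AS u ON u.uid    = ga.ug_uid
JOIN   gl_groups AS g ON g.grp_id = ga.ug_grp_id
WHERE  REPLACE(g.grp_name, ' ', '') IN ('GroupAdmin', 'UserAdmin')
GROUP  BY u.uid, u.username, g.grp_name
ORDER  BY u.uid, g.grp_name;

-- Database equivalent of the admin/users.php workaround for the first
-- self-registered account (UID 13 in the advisory): drop only its
-- GroupAdmin/UserAdmin rows, leaving the original administrator untouched.
-- Run the SELECT above first and confirm the uid before executing this.
DELETE ga
FROM   gl_group_assignments AS ga
JOIN   gl_groups AS g ON g.grp_id = ga.ug_grp_id
WHERE  ga.ug_uid = 13
  AND  REPLACE(g.grp_name, ' ', '') IN ('GroupAdmin', 'UserAdmin');
```

Any uid other than the site's intended administrator appearing in the SELECT output indicates the unintended grant; the multi-table DELETE syntax shown is MySQL's, which Geeklog 1.3 ran on.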

Consequences:

Gain Privileges

References:

  • BugTraq Mailing List, Thu Jan 03 2002 - 22:37:14 CST, Vulnerability in new user creation in Geeklog 1.3 at http://archives.neohapsis.com/archives/bugtraq/2002-01/0028.html.
  • SourceForge.net, Geeklog at http://geeklog.sourceforge.net/.
  • BID-3783: Geeklog New User Default Admin Privileges Vulnerability
  • CVE-2002-0096: The installation of Geeklog 1.3 creates an extra group_assignments record which is not properly deleted, which causes the first newly created user to be added to the GroupAdmin and UserAdmin groups, which could provide that user with administrative privileges that were not intended.

Reported:

Jan 03, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
