Geeklog could allow an unprivileged user to gain administrator privileges

geeklog-default-admin-privileges (7780)

Risk level: Medium

Description:

Geeklog could allow an unprivileged user to gain administrator privileges. By default, the first user to create an account after the installation of Geeklog is granted full administrative privileges.


Consequences:

Gain Privileges

Remedy:

Upgrade to the latest version of Geeklog (1.3.1 or later), available from the SourceForge Web site. See References.

As a workaround, in the admin/users.php page uncheck the GroupAdmin and UserAdmin check boxes for the user with UID 13.
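An added audit script, not part of this X-Force entry or of Geeklog itself, that checks a Geeklog-style database for the condition described above: it lists unexpected GroupAdmin/UserAdmin members, flags leftover group_assignments rows for UIDs that do not exist yet (the next registered account would inherit them), and applies the workaround for a given UID. The table and column names are assumptions and the sample rows are constructed.

```python
import sqlite3

# Constructed stand-in for three Geeklog 1.3 tables. Table and column names
# (users.uid, groups.grp_name, group_assignments.ug_uid/ug_grp_id) are assumptions.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE groups (grp_id INTEGER PRIMARY KEY, grp_name TEXT);
CREATE TABLE group_assignments (ug_uid INTEGER, ug_grp_id INTEGER);
INSERT INTO users VALUES (2, 'Admin'), (13, 'firstvisitor');
INSERT INTO groups VALUES (1, 'Root'), (2, 'UserAdmin'), (3, 'GroupAdmin');
-- UID 13 registered first after install and inherited the admin groups;
-- UID 14 does not exist yet but already has a leftover assignment.
INSERT INTO group_assignments VALUES (2, 1), (2, 2), (2, 3),
                                     (13, 2), (13, 3), (14, 3);
"""
ADMIN_GROUPS = ("GroupAdmin", "UserAdmin")

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def unexpected_admins(conn, expected_uids):
    """(uid, username, group) for GroupAdmin/UserAdmin members not on the expected list."""
    rows = conn.execute(
        "SELECT u.uid, u.username, g.grp_name FROM group_assignments a "
        "JOIN users u ON u.uid = a.ug_uid JOIN groups g ON g.grp_id = a.ug_grp_id "
        "WHERE g.grp_name IN (?, ?) ORDER BY u.uid, g.grp_name", ADMIN_GROUPS)
    return [r for r in rows if r[0] not in expected_uids]

def orphan_assignments(conn):
    """Assignments whose uid has no users row: whichever account is created
    next with that uid silently inherits the group."""
    return conn.execute(
        "SELECT a.ug_uid, g.grp_name FROM group_assignments a "
        "JOIN groups g ON g.grp_id = a.ug_grp_id "
        "LEFT JOIN users u ON u.uid = a.ug_uid "
        "WHERE u.uid IS NULL ORDER BY a.ug_uid").fetchall()

def revoke_admin_groups(conn, uid):
    """The advisory's workaround as SQL: remove the user's GroupAdmin and
    UserAdmin memberships; returns the number of rows deleted."""
    cur = conn.execute(
        "DELETE FROM group_assignments WHERE ug_uid = ? AND ug_grp_id IN "
        "(SELECT grp_id FROM groups WHERE grp_name IN (?, ?))", (uid, *ADMIN_GROUPS))
    return cur.rowcount
```

Run `unexpected_admins` with the set of UIDs that are meant to hold admin rights and `orphan_assignments` against the live tables; on the sample data both report the UID 13 case, and `revoke_admin_groups(db, 13)` removes its two admin rows.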

References:

  • BugTraq Mailing List, Thu Jan 03 2002 - 22:37:14 CST: Vulnerability in new user creation in Geeklog 1.3.
  • SourceForge.net: Geeklog.
  • BID-3783: Geeklog New User Default Admin Privileges Vulnerability
  • CVE-2002-0096: The installation of Geeklog 1.3 creates an extra group_assignments record which is not properly deleted, which causes the first newly created user to be added to the GroupAdmin and UserAdmin groups, which could provide that user with administrative privileges that were not intended.
  • OSVDB ID: 2016: Geeklog New User Default Admin Privileges

Platforms Affected:

  • Geeklog Geeklog 1.3

Reported:

Jan 03, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
