Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Geeklog Permanent Cookie Account Hijacking Vulnerability

Geeklog Permanent Cookie Account Hijacking Vulnerability

by Nikola Strahija on January 12th, 2002 Geeklog is freely available, open-source weblog software. It allows users to create a virtual community area, complete with user administration, story posting, etc. It is possible to edit the UID in the cookie to that of another user to gain access to their account. This issue can be exploited to gain an administrative account with the service.


Geeklog is freely available, open-source weblog software. It allows users to create a virtual community area, complete with user administration, story posting, etc. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL.

Geeklog can be configured to issue a permanent cookie. This cookie is used as an authentication credential during future visits to the site running Geeklog. The cookie contains a UID, which Geeklog uses to determine which user to authenticate. It is possible to edit the UID in the cookie to that of another user to gain access to their account.

This issue can be exploited to gain an administrative account with the service.

This vulnerability was introduced into Geeklog 1.3 as an oversight in design.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »