Bugtraq mailing list archives

Vulnerability in new user creation in Geeklog 1.3


From: "Woody Hughes" <woody () thewoodman org>
Date: Thu, 3 Jan 2002 20:37:14 -0800

I have discovered a serious security flaw with new user creation in the
latest version of Geeklog--Version 1.3 on December 30th, 2001.

Product Information: Geeklog is a popular weblog. It allows you to
create your own virtual community area, complete with user
administration, story posting, messaging, and other nice features.

Vulnerability: When the first, new user is created during a fresh
installation of Geeklog, that regular user is assigned to the GroupAdmin
Group, and subsequently, is a member of the UserAdmin Group. This is a
major issue, because if the website is rolled out to the public, in
theory, the first new user registered would have Admin rights, which
would allow the new user to have control over Geeklog, and subsequently,
the entire website.

I have submitted a bug report to the author, in order to give him ample
time in fixing this issue. It has been fixed, and posted today at the
geeklog website at http://www.geeklog.org

Fix: Per Geeklog's website: If you already have installed a fresh
version of Geeklog 1.3 then you need to edit the user with a uid of 13.
To get that, do a "SELECT username FROM users WHERE uid = 13" in your
favorite MySQL editor. Then in the admin/users.php page edit that user
and uncheck both the GroupAdmin Group AND the UserAdmin Group and be
sure to leave the Normal User and Logged-in User boxes checked. 


--
Regards,

Woody Hughes
Sr. Information Security Analyst
Security Product Services
Corporate Information Protection
Wells Fargo
-------------------------------
woody () thewoodman org
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GE d-(++) s+:++>s+:- a27>-- C++++ UBLS++++$ P+>+++++ L++++$ E---- W++ N
o? K? w O(-) M-(--) V->V PS---(+) PE--(PE) Y+(Y) PGP++ t 5 X R(+) tv+
b>+++ DI+++ D+ G-- e* h---- r++++ y?
------END GEEK CODE BLOCK------
http://www.geekcode.com
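
Added example (not part of the original post and not Geeklog code): an audit that lists accounts holding the GroupAdmin or UserAdmin groups without being on an administrator allow-list, followed by the revocation the fix describes. Only `users.uid` and `users.username` come from the post; the `site_groups` and `group_assignments` tables, their columns, and the sample rows are assumptions constructed for illustration, run here against in-memory SQLite rather than MySQL.

```python
import sqlite3

# Group names come from the advisory. Table and column names other than
# users.uid / users.username are assumptions, not Geeklog's real schema.
PRIVILEGED = ("GroupAdmin", "UserAdmin")

def build_sample_db():
    """Constructed data: state of a fresh install after the first sign-up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE site_groups (grp_id INTEGER PRIMARY KEY, grp_name TEXT);
        CREATE TABLE group_assignments (uid INTEGER, grp_id INTEGER);
        INSERT INTO users VALUES (2, 'admin'), (13, 'firstuser'), (14, 'seconduser');
        INSERT INTO site_groups VALUES (1, 'GroupAdmin'), (2, 'UserAdmin'),
                                       (3, 'Normal User'), (4, 'Logged-in User');
        INSERT INTO group_assignments VALUES
            (2, 1), (2, 2), (2, 3), (2, 4),
            (13, 1), (13, 2), (13, 3), (13, 4),   -- the flaw: first sign-up
            (14, 3), (14, 4);
    """)
    return conn

def groups_of(conn, uid):
    """Group names assigned to one user, sorted by name."""
    rows = conn.execute(
        "SELECT g.grp_name FROM group_assignments ga "
        "JOIN site_groups g ON g.grp_id = ga.grp_id "
        "WHERE ga.uid = ? ORDER BY g.grp_name", (uid,))
    return [r[0] for r in rows]

def unexpected_admins(conn, known_admin_uids):
    """Privileged memberships held by accounts outside the allow-list."""
    allowed = set(known_admin_uids)
    rows = conn.execute(
        "SELECT u.uid, u.username, g.grp_name FROM users u "
        "JOIN group_assignments ga ON ga.uid = u.uid "
        "JOIN site_groups g ON g.grp_id = ga.grp_id "
        "WHERE g.grp_name IN (?, ?) ORDER BY u.uid, g.grp_name", PRIVILEGED)
    return [r for r in rows if r[0] not in allowed]

def revoke_privileged(conn, uid):
    """Same effect as unchecking both admin boxes in admin/users.php."""
    conn.execute(
        "DELETE FROM group_assignments WHERE uid = ? AND grp_id IN "
        "(SELECT grp_id FROM site_groups WHERE grp_name IN (?, ?))",
        (uid, *PRIVILEGED))
    conn.commit()
```

Running the audit again after the revocation should return an empty list while the account keeps its Normal User and Logged-in User memberships.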

