Follow glFusion on Facebook Follow glFusion on Twitter
Sign Up!
Login Welcome to glFusion
Thursday, March 11 2010 @ 06:04 PM CST
Share

Possible SQL Injection Vulnerability - glFusion v1.1.3

Thursday, April 09 2009 @ 12:46 PM CDT

Contributed by: Mark

An exploit has been published for Geeklog <= 1.5.2 that performs a SQL injection attack to compromise a user's password hash and masquerade (automatically login) as an admin user.  This exploit could be adapted to work on glFusion as well.  Although glFusion v1.1.3 is not vulnerable to the user masquerading exploit using the password hash in the long term cookie, it is still important to patch this vulnerability to ensure there are no other holes available to an attacker.

We have updated 3 key files in glFusion to help prevent SQL injection exploits:

private/system/lib-security.php

private/system/lib-sessions.php

private/system/lib-webservices.php

It is recommended that you update your site as soon as possible with these updates.

NOTE: This exploit takes advantage of the Remote Webservices featue of glFusion which is enabled by default.  You can turn off webservices by going into the Online Configuration System - Miscellaneous - set Disable Webservices to true.  This will prevent this specific exploit from succeeding.

These fixes should only be applied to glFusion v1.1.3.

  • Currently 0.00/5
Rating: 0.00/5 (0 votes cast)

What's Related

Story Options

Navigation

My Account





Sign up as a New User
Lost your password?

What's New

Stories


Comments last 2 days

No new comments

DokuWiki last 2 days

No new items

Files last 14 days

Syndication

New Articles
New Comments
New Forum Posts
Latest File Uploads
Wiki Updates
Known Issues/Updates

Want to Help?

Join the Dev Community today! Interested in helping out?
Join our Dev Community!

Support glFusion

Vote for glFusion at opensourcecms.com