Welcome to glFusion
Friday, March 19 2010 @ 04:35 PM CDT

User Settings SQL Injection Vulnerability - glFusion v1.1.3

Another exploit has been published for Geeklog <= 1.5.2. It performs a SQL injection attack against usersettings.php to compromise a user's password hash and then masquerade as that user (logging in automatically), including Admin accounts. This exploit could be adapted to work on glFusion as well.

Although glFusion v1.1.3 is not vulnerable to the user-masquerading exploit that uses the password hash in the long-term cookie, it is still important to patch this vulnerability to ensure there are no other holes available to an attacker.

public_html/usersettings.php

This fix should only be applied to glFusion v1.1.3.
