Geeklog contains a flaw in the way it controls passwords and session control. If a remote user can obtain the password hashes (trivial through XSS attacks), they can store the information on their computer as their own cookie and automatically log in as arbitrary users. When changing "their" password, Geeklog does not ask for the old password as verification, allowing the remote attacker to effectively hijack any account.
Classification
Unknown or Incomplete
Technical
Note: This vulnerability can only be exploited in conjunction with another such as a cross-site scripting (XSS) attack. As of version 1.3.8-1sr4, there are no known/published XSS vulnerabilities in this version of Geeklog.
Solution
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.
Blogs
This product uses the Daylife API but is not endorsed or certified by Daylife.
This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
