Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Geeklog Remote Code Execution Vulnerability

Subscribe

Check Point Reference: CPAI-2006-084
Date Published:
Severity:
Last Updated:
Source: SecurityFocus
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Geeklog 1.4.0sr3
Vulnerability Description
Geeklog is a PHP/MySQL based application for managing dynamic web content. Geeklog CMS fails to validate multiple file extensions, potentially allowing a remote attacker to upload malicious script code, which will be executed in the context of the webserver process.
Vulnerability Details
A file upload vulnerability exists in Geeklog CMS. An attacker may compromise the application by uploading and executing malicious PHP scripts with arbitrary filename extensions, taking advantage of the fact that the application does not properly sanitize multiple file extensions.

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block the vulnerability based on pre-defined worm signatures.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update of July 13, 2006 includes the following protections:

WebAttacker Spyware Protection (CPAI-2006-083)
Geeklog Remote Code Execution Protection (CPAI-2006-084) 
Cisco CallManager XSS Protection (CPAI-2006-085) 
Plume CMS Manager Protection (CPAI-2006-086)
ASP.Net Information Disclosure Protection (MS06-033) - CPAI-2006-087
Spyware Installer malware Protection

VPN-1 NGX R61

How Can I Protect My Network?
1. Update SmartDefense: Click the SmartDefense Services tab, click Download Updates and then click the Online Update button.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

GeekLog Remote Code Execution Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: GeekLog Remote Code Execution Vulnerability
 
 

VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

Geeklog Remote Code Execution Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Geeklog Remote Code Execution Vulnerability

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. Update SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
3. Enable the following pattern:

Geeklog Remote Code Execution Vulnerability

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Geeklog Remote Code Execution Vulnerability

VPN-1 VSX NGX

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

Geeklog Remote Code Execution Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Geeklog Remote Code Execution Vulnerability

InterSpect NGX

How Can I Protect My Network?
1. Update SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
3. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
4. Enable the following pattern:

Geeklog Remote Code Execution Vulnerability

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Geeklog Remote Code Execution Vulnerability

InterSpect 2.0

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Web > General HTTP Worm Defender.
3. Enable the following pattern:

Geeklog Remote Code Execution Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Geeklog Remote Code Execution Vulnerability