Geeklog - Geeklog 1.3.7 Security Issues (and update)

Geeklog 1.3.7 Security Issues (and update)

Monday, January 13 2003 @ 11:20 AM EST
Contributed by: Dirk
Views: 4,083

Several security issues have been found in Geeklog (see below for details). We are therefore releasing Geeklog 1.3.7sr1 as well as an upgrade archive. If you are running Geeklog 1.3.7, you can use the upgrade archive to replace just those files that are affected.

The complete Geeklog 1.3.7sr1 tarball includes other fixes, e.g. all URLs in the documentation and the code have now been updated to point to geeklog.net.

The following security issues have been found in Geeklog 1.3.7 but are most likely in previous versions as well:

Possible injection of Javascript code in the homepage URL field of a user's profile (reported by Jin Yean Tan).
Possible injection of Javascript code in certain URLs which could then be used in a cross-site scripting attack (reported by Jin Yean Tan).
Users without Admin privileges could delete comments.
Admins could bypass permissions in their Admin area, so that e.g. StoryAdmins could manipulate any story even if permissions where set up to not let them do that. Applies to Admins for stories, links, events, polls, topics, and blocks (reported by Kobaz).

All Geeklog users are strongly encouraged to upgrade their sites.

bye, Dirk

Geeklog 1.3.7 Security Issues (and update) | 18 comments | Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

No changes in comment.php?

Authored by: abloch on Monday, January 13 2003 @ 01:38 PM EST

The comment.php iin the upgrade archive has not changed. Was it
included accidentally or is it the wrong version?

Authored by: Dirk on Monday, January 13 2003 @ 02:24 PM EST

Thanks for spotting that. Seems like the changes to comment.php were lost when we moved the CVS from Sourceforge to our own server.

I have updated both the full and the upgrade archive with the correct versions now. If you've already downloaded the previous version of one of the tarballs, you could download the upgrade archive and take comment.php from there.

Make sure your version has this Id string (line 34):

// $Id: comment.php,v 1.38 2003/01/13 18:54:45 dhaun Exp $

Sorry about that :-(

Authored by: Vitaeman on Monday, January 13 2003 @ 02:39 PM EST

I seem to be having a slight issue changing the Copyright date. If I put 2000-2003 it wil be displayed as -3.

Authored by: Tony on Monday, January 13 2003 @ 03:22 PM EST

That's because, obviously, it is doing math. Do somethign like:

'2000-2003'

--Tony

---
The reason people blame things on previous generations is that there's only one other choice.

Authored by: Vitaeman on Monday, January 13 2003 @ 03:34 PM EST

figures it would be something I forgot to add.. Oh man what a typical Monday lol

Authored by: thedude on Monday, January 13 2003 @ 06:02 PM EST

Hi Dirk..

I seem to be having issue trying to untar the upgrade archive..

Here is the error.
Error Reading header after processing 0 entries..

Try it on 2 different machines with the same error.. Is it just me? Please advise..

Thanks,
The Dude

Authored by: Tony on Monday, January 13 2003 @ 09:17 PM EST

Did you use "tar -xvzf <filename>.tar.gz"?

---
The reason people blame things on previous generations is that there's only one other choice.

Authored by: Anonymous on Tuesday, January 14 2003 @ 01:07 AM EST

I used winzip to untar this one just like I untar any other Geeklog files... Not sure why this one doesn't work. Well, at least I know the file is good so I gotta figure out what the heck is going on. Thanks anyway...

Cheers,

The Dude

Authored by: Creator on Tuesday, January 14 2003 @ 11:16 AM EST

WinZip does not handle .tar files very well. Sometimes it messes up the files inside the archive. Use WinACE, is your best bet.

---
L. Whitworth
www.finiserv.com

Authored by: thedude on Friday, January 17 2003 @ 02:05 AM EST

Thanks Dude.

Authored by: Dirk on Tuesday, January 14 2003 @ 04:06 AM EST

It seems there was something wrong with the upgrade file. Try again now.

bye, Dirk

Authored by: thedude on Friday, January 17 2003 @ 02:06 AM EST

That fixed it..

Thanks Dirk man....

Authored by: rav on Tuesday, January 14 2003 @ 05:39 PM EST

I've applied the patch, but when I click the "GL Version Test" link in the admin section, I get the following message:

You are running either an old version of Geeklog OR you are running a beta version. The current version of Geeklog is 1.3.7sr1. If you are running an older version of Geeklog you are encouraged to upgrade now.

I thought I just upgraded?

Authored by: JW on Tuesday, January 14 2003 @ 07:43 PM EST

Same here. It does not matter very much, but I will follow the postings.

JW

Authored by: Anonymous on Tuesday, January 14 2003 @ 09:13 PM EST

You only applied the security fixes and not the other little bug fixes that are also part of this release. In the security upgrade, an updated config.php is not included. This is the file where the current Geeklog version is located. That's why when you click that link it shows you're running an older version.

If it bothers you that much either go in and change the version number in your config or download the whole change and swap that file out. However, realize there are some other minor changes in that file and some others which aren't included in the security upgrade.

Geeklog 1.3.7 Apache2

Authored by: garyfoulds on Friday, January 17 2003 @ 10:38 AM EST

It appears that there are problems using geeklog with apache2

it apears that something escapes the " in most pages
I first noticed this when installing, I was not offered any of the submit boxes as they were escaped with \" and hence they would not display the buttons, while I got passed this stage and completed the installation. upon loading the first page I noticed that the search add search buttons displayed at the top of the page suffered from the same problem

Also the links display and connect to http://www.myserver.com/"http://www.myserver.com"

any suggestions as to why this is happening and what fix could be done to correct the problem

Authored by: Dirk on Friday, January 17 2003 @ 11:46 AM EST

Please provide some more information about your setup. Which version of Apache 2 exactly? Which version of PHP? PHP support for Apache 2 is still considered "experimental" by the PHP developers, although I heard it seems to work reasonably well if you use at least PHP 4.3.0.

Also, the fact that you get escaped quotes all over the place seems to point to magic_quotes_runtime being "on" in your php.ini. Try setting that to "off".

bye, Dirk

Authored by: Anonymous on Friday, January 17 2003 @ 04:57 PM EST

it sure was... thanks for that saved me hours of looking

thanks again

Resources

Sections

User Functions

What's New

STORIES

COMMENTS last 2 days

TRACKBACKS last 2 days

NEW FILES last 14 days

LINKS last 2 weeks

Older Stories

Monday 17-Mar

Tuesday 08-Jan

Saturday 29-Dec

Tuesday 04-Dec

Sunday 04-Nov

Geeklog 1.3.7 Security Issues (and update)

What's Related

Story Options