Geeklog 1.3.7 Security Issues (and update)

Monday, January 13 2003 @ 11:20 AM EST

Contributed by: Dirk

Several security issues have been found in Geeklog (see below for details). We are therefore releasing Geeklog 1.3.7sr1 as well as an upgrade archive. If you are running Geeklog 1.3.7, you can use the upgrade archive to replace just those files that are affected.

The complete Geeklog 1.3.7sr1 tarball includes other fixes, e.g. all URLs in the documentation and the code have now been updated to point to geeklog.net.

The following security issues have been found in Geeklog 1.3.7 but are most likely in previous versions as well:

  1. Possible injection of Javascript code in the homepage URL field of a user's profile (reported by Jin Yean Tan).
  2. Possible injection of Javascript code in certain URLs which could then be used in a cross-site scripting attack (reported by Jin Yean Tan).
  3. Users without Admin privileges could delete comments.
  4. Admins could bypass permissions in their Admin area, so that e.g. StoryAdmins could manipulate any story even if permissions where set up to not let them do that. Applies to Admins for stories, links, events, polls, topics, and blocks (reported by Kobaz).

All Geeklog users are strongly encouraged to upgrade their sites.

bye, Dirk

Comments (0)

Geeklog
http://www.geeklog.net/article.php/20030113091414940