Geeklog The Ultimate Weblog System
Friday, May 16 2008 @ 02:19 AM EDT

Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates

Security

In response to the recent reports about (confirmed and unconfirmed) security issues in Geeklog, we are releasing updates to Geeklog 1.3.8-1sr1 and 1.3.7sr3, addressing most of these issues (but not all - see below for details). There's also a complete 1.3.8-1sr1 tarball that should be used for fresh installs.

The upgrades include Ulf Harnhammar's kses HTML filter to address possible Javascript injections and CSS defacements.

As for the (still unconfirmed) SQL injections, the upgrades include a fix to the database class so that SQL errors are no longer displayed in the browser (they are only logged to Geeklog's error.log). While this does not protect against SQL injection attempts, it does at least avoid disclosing any sensitive information as part of the error message.
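To illustrate the point about error disclosure, here is an added example (not Geeklog's database class) contrasting a query wrapper that echoes the driver's error text to the visitor with one that writes the full detail to a log file and leaves only a generic message for the page. It uses PDO with an in-memory SQLite database so it runs stand-alone; the log path is a constructed placeholder.

```php
<?php
// Added example, not part of Geeklog. Assumes PDO with the SQLite driver;
// the log path below is a constructed placeholder, not Geeklog's error.log.
const EXAMPLE_ERROR_LOG = '/tmp/geeklog-example-error.log';

// Weak pattern: the raw driver message (table or column names, the failing
// SQL text) is printed straight into the page the visitor sees.
function dbQueryVerbose(PDO $db, string $sql): ?PDOStatement
{
    try {
        return $db->query($sql);
    } catch (PDOException $e) {
        echo 'SQL error: ' . $e->getMessage() . " in query: $sql\n";
        return null;
    }
}

// Hardened pattern: the same detail goes to a log the site owner can read,
// and the caller only learns that the query failed.
function dbQueryQuiet(PDO $db, string $sql): ?PDOStatement
{
    try {
        return $db->query($sql);
    } catch (PDOException $e) {
        $line = sprintf("%s - SQL error: %s -- query: %s\n",
            date('c'), $e->getMessage(), $sql);
        error_log($line, 3, EXAMPLE_ERROR_LOG); // message type 3 appends to the given file
        return null;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (sid TEXT, title TEXT)');

// A constructed malformed query, of the kind a broken or tampered parameter produces.
$bad = "SELECT * FROM stories WHERE sid = 'x''";

dbQueryVerbose($db, $bad); // prints the driver message and the query text to the page

if (dbQueryQuiet($db, $bad) === null) {
    // This generic line is all the visitor gets; the detail is in the log file.
    echo "An error occurred. Please try again later.\n";
}
```

The second wrapper is the behaviour the update describes: the same diagnostic information is still available to the administrator, but an attacker probing with malformed input no longer gets schema names or the exact failing statement echoed back as feedback.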

Furthermore, we do not at this time recommend using Geeklog with MySQL 4.1 (which, I may add, is still in alpha state and thus shouldn't be used on production sites anyway). An upcoming release of Geeklog will address the remaining SQL issues, including any problems with MySQL 4.1.

A few notes on upgrading: You only need to upload the files included in the upgrade archives to your site. Don't forget to change the path to config.php in the included lib-common.php. As for the config.php itself, you can either use the one included in the archives and change all your settings in there or you can simply copy over the two new variables, $_CONF['user_html'] and $_CONF['admin_html'], to your existing config.php. In the latter case, don't forget to change the version number (near the end of config.php), too.

You do not need to run the install script again.

Please make sure to pick the correct upgrade file for your installation. If you're running Geeklog 1.3.8-1, use the 1.3.8-1sr1 upgrade archive. If you're on Geeklog 1.3.8, you will need to upgrade to 1.3.8-1 first.

Users running on Geeklog 1.3.7sr2 should use the 1.3.7sr3 upgrade archive or use the complete 1.3.8-1sr1 tarball to upgrade to 1.3.8-1sr1 in one step.

In the unlikely event that anyone is still running on any version older than 1.3.7sr2, now would be a good time to upgrade ...

bye, Dirk

Comments (11)
Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates
Authored by: destr0yr on Sunday, October 12 2003 @ 08:00 PM EDT
line 3649 of lib-common.php ?
shouldn't it be just COM_allowedHTML() ?

function COM_COM_allowedHTML()

---
-- destr0yr - "People like you are the reason people like me need medication."

Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates
Authored by: Agent X20 on Sunday, October 12 2003 @ 09:11 PM EDT
Same thing here. Removing the extra COM_ seems to fix it.

Looks like a double up on a search and replace or something. Otherwise upgrade seems to have gone ok (touch wood).
Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates
Authored by: Dirk on Monday, October 13 2003 @ 03:48 AM EDT
Yep, that was a stupid copy'n'paste error in the two 1.3.8 archives (the 1.3.7sr3 tarball does not have it). I've corrected it in the tarballs here on the site now.

Sorry about that.

bye, Dirk
Thanks for 1.3.7sr3
Authored by: ndarlow on Monday, October 13 2003 @ 04:38 AM EDT
Thanks to Dirk for the 1.3.7sr3 update. It's nice to know we don't have to be
using the latest to receive security updates.

Regards,
Neil Darlow
Thanks for 1.3.7sr3
Authored by: jhk on Monday, October 13 2003 @ 07:33 AM EDT
Thanks to the entire team for supporting 1.3.7! :)
Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates
Authored by: ming on Monday, October 13 2003 @ 09:48 AM EDT
is it COM_allowedHTML or COM_allowedhtml in lib-common.php ?
Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates
Authored by: Dirk on Monday, October 13 2003 @ 01:35 PM EDT
Doesn't matter - PHP does not care about uppercase / lowercase in function names.

bye, Dirk
Updates not working
Authored by: Anonymous on Monday, October 13 2003 @ 10:02 AM EDT
Hi,
I was updating my installation (1.3.8) to the new fixes. I updated the files needed (the update, not the complete tarball) and it is not working.
Can somebody help?
Updates not working
Authored by: Anonymous on Monday, October 13 2003 @ 11:20 AM EDT
sure
Updates not working
Authored by: jhk on Monday, October 13 2003 @ 01:12 PM EDT
Not really very descriptive, are you? ;)

Good starting points:
- Platform
- Error messages from logs (e.g. /var/log/messages under LAMP)
- Permissions for the updated files
Updates not working
Authored by: vinny on Monday, October 13 2003 @ 10:06 PM EDT
Don't forget to update your config.php file...

-Vinny