
Geeklog 1.3.8-1sr2

Security

Following on the heels of 1.3.8-1sr1 is 1.3.8-1sr2, available as a (tiny) upgrade archive as well as a complete tarball.

Jouko Pynnonen found a way to trick the new "forgot password" feature, which was only introduced in 1.3.8, into letting an attacker change the password for any account. This release addresses that issue; there were no other changes.

Users of 1.3.7sr3 are not affected (as the feature simply didn't exist there).

bye, Dirk

Geeklog 1.3.8-1sr2
Authored by: jhk on Tuesday, October 14 2003 @ 05:33 PM EDT
Well done, GL Developers, for fixing it.
Well done, Jouko Pynnonen, for being a responsible security auditor. (Nothing in "Full-Disclosure" or "Bugtraq" before the devs get a chance to release patches). :)
Geeklog 1.3.8-1sr2
Authored by: barrywong on Wednesday, October 15 2003 @ 03:35 AM EDT
Hi

I upgraded my GL with both patches.

When I login as a user or even as Admin and click Contribution, I get this error message:

Fatal error: Call to undefined function: com_allowedhtml() in /home/www/htdocs/barry/www/admin/story.php on line 360

Can you please tell me what went wrong?
Geeklog 1.3.8-1sr2
Authored by: barrywong on Wednesday, October 15 2003 @ 03:50 AM EDT
I think I got it. I must have downloaded an old copy of SR1 which still uses COM_COM_allow. I deleted the additional COM_ and the problem disappeared.

Sorry for raising the problem. Silly me.
Geeklog 1.3.8-1sr2
Authored by: Anonymous on Tuesday, October 14 2003 @ 05:45 PM EDT
Can we upgrade straight to sr2 from 1.3.8-1, or do we need to apply SR1 first?

Thanks! :D
Geeklog 1.3.8-1sr2
Authored by: Blaine on Tuesday, October 14 2003 @ 06:17 PM EDT
The SR2 upgrade only has the one file, users.php, and a readme file.
Geeklog 1.3.8-1sr2
Authored by: barrywong on Tuesday, October 14 2003 @ 09:55 PM EDT
Hi Blaine

Sorry, still confused.

I haven't downloaded 1.3.8-1sr1 and therefore don't really know what files are in there and if the users.php in 1.3.8-1sr2 will cure this security problem.

Can you please clarify if we need to only do the upgrade:
1. directly with 1.3.8-1sr2, or do we have to
2. do 1.3.8-1sr1 first and then 1.3.8-1sr2

Sorry, for non-techies like us, this is a little confusing. Thanks

Geeklog 1.3.8-1sr2
Authored by: Blaine on Tuesday, October 14 2003 @ 10:10 PM EDT
Barry,

If you are running 1.3.8 then you should upgrade to SR1 first. It contains other needed security related fixes.

SR2 is just the users.php and needs to be applied after the SR1 upgrade.

SR2 is only required for GL 1.3.8 since it addresses the password feature added with the GL 1.3.8 release.
Geeklog 1.3.8-1sr2
Authored by: Dirk on Wednesday, October 15 2003 @ 01:57 AM EDT
If you're using the various upgrade archives available, you will need to apply them in the order they were released:

1.3.8 -> 1.3.8-1 -> 1.3.8-1sr1 -> 1.3.8-1sr2

bye, Dirk
Geeklog 1.3.8-1sr2
Authored by: Anonymous on Tuesday, October 14 2003 @ 07:49 PM EDT
In the article you mention: "letting an attacker change the password for any account." I wonder if it is possible for an attacker to get my existing password. If they can, I have to change my existing password; if not, and my password hasn't been changed, that means my system is clean.


Great work!

tks
Geeklog 1.3.8-1sr2
Authored by: Dirk on Wednesday, October 15 2003 @ 01:55 AM EDT
Geeklog doesn't even store your password - it only stores an md5 hash of it.

bye, Dirk
Geeklog 1.3.8-1sr2
Authored by: MathFox on Wednesday, October 15 2003 @ 02:20 PM EDT
All thanks for the releases to the geeklog team!
Those that applied the update from 1.3.8-1sr1 to 1.3.8-1sr2 can change the version in config.php:

if (!defined ('VERSION')) {
define('VERSION', '1.3.8-1sr2');
}

---
see http://www.groklaw.com/
Geeklog 1.3.8-1sr2
Authored by: wyeung on Friday, October 17 2003 @ 09:13 PM EDT
Dear expert,

Sorry for asking silly questions, but I cannot locate any hint..

How do I apply the patch?
I downloaded the 1.3.8-1sr1 and 1.3.8-1sr2 patch but do not know how to apply them.

Could someone show me the way?

Many thanks
Wilson
Geeklog 1.3.8-1sr2
Authored by: Dirk on Saturday, October 18 2003 @ 12:14 PM EDT
Sorry, I thought it was obvious: Upload the files that are included in the upgrade archive to your website, replacing the (older) files of the same name there.

Of course, you will need to make that one change in lib-common.php again before uploading it. As for the config.php, you'll either have to edit the copy from the upgrade archives before you upload it or you will need to add the changes to your existing copy (as explained in the article about the 1.3.8-1sr1 update).

bye, Dirk
HTML Area Breaks
Authored by: emagin on Sunday, October 19 2003 @ 02:44 AM EDT
I have to do more testing, but it appears that HTML Area no longer works after this upgrade.

When I choose Contribute, I get a blank page.

[client ...] PHP Fatal error: Call to undefined function: com_allowedhtml() in c:....\public_html\admin\story.php on line 360
HTML Area Breaks
Authored by: Dirk on Sunday, October 19 2003 @ 04:04 AM EDT
It seems you've got one of the faulty 1.3.8-1sr1 archives. In lib-common.php, search for COM_COM_allowedHTML and change it to COM_allowedHTML.

bye, Dirk
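
A quick check for the two post-upgrade problems discussed in this thread (the COM_COM_allowedHTML typo from a faulty 1.3.8-1sr1 archive, and a stale VERSION label in config.php), as an added example that is not part of the original comments or Geeklog's own code. The function names and the sample files are made up for illustration; pass the paths to your own lib-common.php and config.php as the two arguments.

```shell
#!/bin/sh
# Post-upgrade check for the two issues raised in this thread (added example).
# Paths are arguments because the page does not say where an install keeps
# lib-common.php and config.php.

# Exit 0 if FILE still carries the doubled prefix from a faulty sr1 archive.
has_faulty_sr1() {
    grep -q 'COM_COM_allowedHTML' "$1"
}

# Print the string that config.php passes to define('VERSION', ...).
reported_version() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print findings; return the number of problems found (0 = clean).
check_upgrade() {
    problems=0
    if has_faulty_sr1 "$1"; then
        echo "FAIL: $1 has COM_COM_allowedHTML; rename it to COM_allowedHTML:"
        grep -n 'COM_COM_allowedHTML' "$1"
        problems=$((problems + 1))
    fi
    # VERSION is only a label edited by hand: a correct value does not prove
    # that users.php from the sr2 archive was uploaded.
    v=$(reported_version "$2")
    if [ "$v" != "1.3.8-1sr2" ]; then
        echo "WARN: $2 reports VERSION '${v:-unknown}', expected 1.3.8-1sr2"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (not taken from a real install) for a dry run.
write_sample() {
    printf '%s\n' '<?php' 'function COM_COM_allowedHTML() {' '}' > "$1/lib-common.php"
    printf '%s\n' '<?php' "if (!defined ('VERSION')) {" \
        "    define('VERSION', '1.3.8-1sr1');" '}' > "$1/config.php"
}

if [ "$#" -eq 2 ]; then
    check_upgrade "$1" "$2"
fi
```
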
HTML Area Breaks
Authored by: Anonymous on Tuesday, October 21 2003 @ 12:03 PM EDT
HTML Area works fine after upgrade, for me. You need to set the allowable HTML codes in config.php. It uses a different way of allowing, but it should be quite easy to figure out.

Sam
HTML Area Breaks
Authored by: emagin on Tuesday, October 21 2003 @ 07:35 PM EDT
Thanks Dirk, yes, it was the funky -sr1, once I updated the COM_COM it works fine.
Every day I smile some more. This stuff just rocks!
Geeklog 1.3.8-1sr2
Authored by: Anonymous on Saturday, October 18 2003 @ 07:57 AM EDT
you guys should release diffs so that people can just apply them rather than manually copying files (unless it's most of a file....)
Just a suggestion
Geeklog 1.3.8-1sr2
Authored by: Blaine on Saturday, October 18 2003 @ 11:47 AM EDT
Diffs may be fine for proficient UNIX site admins but it's not so easy for Windows users since there is no nice OS patch-like command that understands diff formatted files.

You can always view a diff from CVS. The online web interface should even show you a diff from any two versions that you want.

The upgrade notes show the affected files.

For most users, they don't want a lot of options and steps. Replacing the file is the easiest. For others that have custom changes (such as myself at times), I will just run a local diff on the changed file.

Just my $0.02
Geeklog 1.3.8-1sr2
Authored by: Anonymous on Monday, October 20 2003 @ 06:30 AM EDT
heh heh i didn't mean JUST diffs... but ya i never thought of the webcvs interface..... i'll have to start doing that....
Geeklog 1.3.8-1sr2
Authored by: Anonymous on Tuesday, October 21 2003 @ 09:50 AM EDT
WOW!! i did some major diff'ing from CVS.. there are quite a few files (mind you i'm diffing from the current cvs) that weren't included in the upgrade -sr* patches, as well as a few variables in the config.php that aren't mentioned to add.
Geeklog 1.3.8-1sr2
Authored by: Anonymous on Thursday, October 23 2003 @ 11:34 AM EDT
well cvs is the latest and greatest. they have those branches is what you would want to look for.
Geeklog 1.3.8-1sr2
Authored by: g3cko on Thursday, October 23 2003 @ 12:46 PM EDT
i'm impressed.. they've done a PILE of changes that look to be combating XSS and SQL injections.....