Geeklog The Ultimate Weblog System
Welcome to Geeklog
Friday, May 16 2008 @ 02:20 AM EDT
   

Security Flaw in Geeklog/Gallery Plugin

Those of you Geeklog users who use the Geeklog/Gallery plugin are being advised of a security issue that arises as a result of PHP's register_globals being on. As we explain here, we do require register_globals to be on, but Geeklog manages this securely. However, the Geeklog/Gallery plugin does not. To be 100% clear, this advisory does not affect Geeklog sites which do not use the Gallery plugin.

For those of you using the Geeklog Gallery plugin, you should comment out all references to $GEEKLOG_DIR in the plugin. Instances of this can be found in:

/path/to/geeklog/gallery_dir/init.php
/path/to/geeklog/gallery_dir/classes/geeklog/UserDB.php
/path/to/geeklog/gallery_dir/classes/geeklog/User.php

There are four lines total you will need to address. The first is the occurrence in init.php where $GEEKLOG_DIR gets set, which is simply fixed by commenting it out. As for the occurrences of

require_once($GEEKLOG_DIR . 'lib-common.php');

be sure to replace the entire string with
require_once '/path/to/geeklog/public_html/lib-common.php';

Hopefully this is clear to everyone. In the meantime, we are contacting the maintainer of the Geeklog/Gallery plugin to make the necessary fix.

Security Flaw in Geeklog/Gallery Plugin | 14 comments
Security Flaw in Geeklog/Gallery Plugin
Authored by: TechFan on Tuesday, December 09 2003 @ 11:29 PM EST
I am just hoping we can fix this so that the path only has to be statically entered in one place?
Security Flaw in Geeklog/Gallery Plugin
Authored by: amckay on Wednesday, December 10 2003 @ 09:46 AM EST
You could pick a random string of letters to replace "GEEKLOG_DIR" with in all instances. You'd still be vulnerable, but not unless someone guessed your random string.

But really 4 or 5 places is not that big a deal.
Security Flaw in Geeklog/Gallery Plugin
Authored by: TechFan on Tuesday, December 09 2003 @ 11:56 PM EST
Btw, I think you were probably intending to say that GEEKLOG_DIR is defined in gallery's config.php (at least that is where I have always read to put it) instead of init.php.
Security Flaw in Geeklog/Gallery Plugin
Authored by: Tony on Wednesday, December 10 2003 @ 09:05 AM EST
The newer versions of the plugin don't require you to edit anything, so you are right: if you have an older version where you added it to config.php then you need to make the necessary fixes. To be safe everyone should grep GEEKLOG_DIR in their gallery folder.

---
The reason people blame things on previous generations is that there's only one other choice.
Security Flaw in Geeklog/Gallery Plugin
Authored by: rngreen on Wednesday, December 10 2003 @ 11:19 AM EST
The story is here. It makes for very good reading (forensically).
Security Flaw in Geeklog/Gallery Plugin
Authored by: Tony on Wednesday, December 10 2003 @ 12:53 PM EST
Err, I already posted a link to that in my original post. But you are right, this was definitely interesting to see them track down.

---
The reason people blame things on previous generations is that there's only one other choice.
Security Flaw in Geeklog/Gallery Plugin
Authored by: tesn on Wednesday, December 10 2003 @ 12:59 PM EST
I had a little trouble finding the 4th line to change... It is in the init.php at or near line 98 (for me). You need to comment it out.

$GEEKLOG_DIR = $gallery->app->default["geeklog_dir"];

---
John
Security Flaw in Geeklog/Gallery Plugin
Authored by: Tony on Wednesday, December 10 2003 @ 03:07 PM EST
Sorry, that is what I meant when I said:
The first occurrence in init.php where $GEEKLOG_DIR gets set which is simply fixed by commenting it out

---
The reason people blame things on previous generations is that there's only one other choice.

FIX
Authored by: vinny on Wednesday, December 10 2003 @ 09:56 PM EST
All that is required to correct this vulnerability is to remove the line:

require_once($GEEKLOG_DIR . '/lib-common.php');

From the files User.php and UserDB.php in the gallery\classes\geeklog folder.

The other locations where $GEEKLOG_DIR is found are preceded by an "include('config.php');" which eliminates the security risk in those areas. (This is because the $GEEKLOG_DIR variable is assigned a value in the config.php file overriding any value passed by GET or POST). It might not be a bad idea to check to be sure that $GEEKLOG_DIR is in the config.php file (though the integration will not work without its presence).

I'll put together an update which addresses these problems as soon as I can (perhaps as soon as this weekend). By early next year I'll try to complete a security audit of the geeklog/gallery integration code to try to eliminate all security problems.

I apologize to those affected by this problem and I hope that not many machines were compromised as a result of this problem. I don't know how long this vulnerability has been in the code, but it has been there for more than a year (since before I began to work on the integration).

-Vinny
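
The check that the advisory's file list, Tony's "grep GEEKLOG_DIR" suggestion and vinny's comment above all point to, as an added example (not code from Geeklog or the Gallery plugin): a Python script that lists every live include/require built from $GEEKLOG_DIR and marks whether the same file assigns the variable or includes config.php before it. The sample file names and contents are constructed, and the one-file-at-a-time heuristic is an assumption; lines reported as UNGUARDED are the ones to comment out or replace with a static path.

```python
import os
import re

# Live include/require whose path is built from $GEEKLOG_DIR.
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*\$GEEKLOG_DIR\b")
# Assignment to $GEEKLOG_DIR ("=" but not "==").
ASSIGN_RE = re.compile(r"^\$GEEKLOG_DIR\s*=(?!=)")
# Include of config.php, which per vinny's comment assigns $GEEKLOG_DIR.
CONFIG_RE = re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*['\"][^'\"]*config\.php['\"]")


def audit(source):
    """Return (line_no, status) for each live include built from $GEEKLOG_DIR."""
    findings, guarded = [], False
    for no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        # Skip commented-out lines (the advisory's fix). Only comment markers
        # at the start of a line are recognised, not inline /* ... */ blocks.
        if code.startswith(("//", "#", "*", "/*")):
            continue
        if ASSIGN_RE.search(code) or CONFIG_RE.search(code):
            guarded = True  # variable is set in this file before later includes
        elif INCLUDE_RE.search(code):
            findings.append((no, "set-earlier" if guarded else "UNGUARDED"))
    return findings


def audit_tree(root):
    """Audit every .php file under root; returns {path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hits = audit(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample files (hypothetical names), one per case discussed above.
SAMPLES = {
    "unguarded.php": "<?php\nrequire_once($GEEKLOG_DIR . '/lib-common.php');\n",
    "after_config.php": "<?php\ninclude('config.php');\nrequire_once($GEEKLOG_DIR . '/lib-common.php');\n",
    "patched.php": "<?php\n// require_once($GEEKLOG_DIR . '/lib-common.php');\nrequire_once '/path/to/geeklog/public_html/lib-common.php';\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
```

On a real install, call `audit_tree()` on the gallery directory; a "set-earlier" result only says the variable is assigned in that file, so the assignment itself still deserves a look.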
FIX
Authored by: destr0yr on Thursday, December 11 2003 @ 02:01 AM EST
Will this be with the current 1.4pl-2, or the 1.4.1 release of Gallery?

---
-- destr0yr - "People like you are the reason people like me need medication."
FIX
Authored by: vinny on Thursday, December 11 2003 @ 05:20 PM EST
I'll use whatever the most current released version of gallery is at the time (most likely 1.4.1).

-Vinny
FIX
Authored by: destr0yr on Friday, December 12 2003 @ 06:55 PM EST
you rock!


---
-- destr0yr - "People like you are the reason people like me need medication."
FIX
Authored by: amckay on Thursday, December 11 2003 @ 02:08 PM EST
Hey vinny, don't sweat it. Love the software and am very thankful to you for working on it!
FIX
Authored by: thedude on Monday, December 15 2003 @ 01:19 AM EST
Hi Vinny.

No worries man. You did a great job for the Geeklog/Gallery integration. Loving it.

Thanks man.

The Dude