The secure CMS.
Resources
Topics
- Home
- Development (317)
- Geeklog (209)
- Plugins (111)
- Themes (2)
- News (387)
- Announcements (248)
- Geeklog.net (31)
- Security (76)
- Spam (11)
- Summer of Code (26)
User Functions
Events
What's New
Stories
No new storiesComments last 2 weeks
No new commentsTrackbacks last 2 weeks
No new trackback commentsLinks last 2 weeks
No recent new linksNEW FILES last 14 days
No new filesWelcome to Geeklog Saturday, May 18 2013 @ 04:47 PM EDT
Geeklog 1.3.9sr2 and 1.3.8-1sr6
- Friday, October 08 2004 @ 02:00 PM EDT
-
- Contributed by:
- Dirk
-
- Views:
- 6,830
- A cross site scripting issue, due to the use of the (unfiltered) variable
$topicin most of the language files (thanks to the anonymous submitter of bug #293). - It was possible to post comments to stories and polls for which comments had been disabled. The comments were never displayed, though, but did show up in the What's New block.
The upgrade to 1.3.9sr2 also includes a lib-plugins.php that fixes problems with plugins on PHP 5. The complete 1.3.9sr2 tarball also includes updated PEAR packages that should resolve email problems that some users had (see this story for details).
For those who made changes in the language files, it may be easier to apply the following fix manually: The 3rd text string in the $LANG05 array should read ' for topic %s' (instead of using $topic). This only fixes the XSS vulnerability but not the comment posting bug, for which comment.php has to be replaced.
Users still running on earlier versions may also want to apply the above fix manually. I'd like to point out again, though, that there is no offical support for versions older than 1.3.8 any more and that you should at the very least be running Geeklog 1.3.7sr5 plus the comment posting fix linked from this story.
The following comments are owned by whomever posted them. This site is not responsible for what they say.