Welcome to Geeklog Wednesday, June 19 2013 @ 05:59 PM EDT
While tracking the security issues that have plagued other web applications, we have become aware that Geeklog is vulnerable to so-called Cross-Site Request Forgery (CSRF) attacks. In a nutshell, the idea is for an attacker to perform operations on a site with someone else's privileges. There are multiple possible attack vectors, including tricking you into clicking on a link or embedding what looks like an image but is really a script.
Unfortunately, fixing these issues required a lot of changes in Geeklog's code, so we can't provide a simple security fix for earlier releases. The necessary infrastructure has been implemented in Geeklog 1.5.0, which we now consider safe from these attacks. Please note that many third-party plugins are also affected and will also have to be updated.
For older Geeklog versions, here are a few recommendations to minimize the risks:
Plugin authors wanting to update their plugins should read the article on CSRF protection in the Geeklog wiki.
[...] issues in Geeklog that we haven't disclosed yet: All Geeklog versions prior to 1.5.0 are vulnerable to cross-site request forgery attacks. There are also some security issues in kses, the HTML filter we're using in Geeklog. Documentation for [...]
[...] in future releases. Geeklog 1.7.0 also addresses everybody's favourite nuisance, the problem with the expiring CSRF token: now when the token expires, you will be asked for your password again, after which you can continue as normal (and [...]
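As an added illustration of the token-based protection described above (a per-session token on state-changing forms, single-use, with an expiry that sends the user back to a password prompt rather than silently failing), here is example code written for this page. It is not Geeklog's own implementation; the function names, the session layout and the 30-minute lifetime are assumptions.

```php
<?php
// Added example, not Geeklog code: per-session CSRF token with expiry.
// Assumes session_start() has already been called by the application.

const CSRF_TOKEN_TTL = 1800; // token lifetime in seconds (assumed value)

// Create a fresh random token, remember it (with its creation time) in the
// session, and return it so the form can embed it as a hidden field.
function csrf_create_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'] = ['token' => $token, 'created' => time()];
    return $token;
}

// Check a submitted token. Returns 'ok', 'expired' (re-prompt for the
// password, then let the user continue) or 'invalid' (reject and log).
function csrf_check_token(?string $submitted): string
{
    if ($submitted === null || empty($_SESSION['csrf']['token'])) {
        return 'invalid';
    }
    $stored = $_SESSION['csrf'];
    // Constant-time comparison so the token is not leaked byte by byte.
    if (!hash_equals($stored['token'], $submitted)) {
        return 'invalid';
    }
    // Tokens are single-use: discard it whether it turns out fresh or expired.
    unset($_SESSION['csrf']);
    if (time() - $stored['created'] > CSRF_TOKEN_TTL) {
        return 'expired';
    }
    return 'ok';
}

// Hidden field for a POST form. Actions must never be triggered by a plain
// GET link, because an <img src="..."> tag is enough to make the browser
// send one with the victim's cookies.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_create_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Handler side of a state-changing request:
//   switch (csrf_check_token($_POST['csrf_token'] ?? null)) {
//       case 'ok':      /* perform the change */ break;
//       case 'expired': /* ask for the password again, then retry */ break;
//       default:        /* refuse the request and log the attempt */ break;
//   }
```

Plugins that render their own forms need the same hidden field and the same check in their handlers, which is why updating the core alone does not cover third-party code.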