Geeklog The Ultimate Weblog System
Thursday, May 15 2008 @ 11:51 PM EDT

Geeklog 1.4.0sr1 and 1.3.11sr4

Security

James Bercegay of GulfTech Security Research reported several issues with Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary file access, and even injection and execution of arbitrary code. To fix those issues, we are releasing Geeklog 1.4.0sr1 and 1.3.11sr4 and strongly suggest that you install those updates as soon as possible.

For Geeklog 1.4.0, there's the complete 1.4.0sr1 tarball as well as an upgrade archive containing only the necessary changes over 1.4.0.

To upgrade from Geeklog 1.3.11sr3, use the 1.3.11sr4 upgrade archive. If you're running on an older 1.3.11 release, you will have to install the previous updates first. You can, of course, always choose to update to 1.4.0sr1 directly, following the usual upgrade instructions.

Upgrading to 1.4.0sr1 is also what we suggest to anyone using a Geeklog version older than 1.3.11, as the reported issues also affect all earlier versions.
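The advisory above names the bug class (cookie values trusted by the application and reaching SQL queries and file paths) without showing code. The following is an added illustration of the defensive pattern, not Geeklog's own code or the fix shipped in sr1/sr4: the cookie name `geeklog`, the table `gl_users`, the column names and the theme names are all assumptions made for the example.

```php
<?php
// Added example, not Geeklog code: defensive handling of values read from
// cookies. Cookie name, table, column and theme names are assumptions.

declare(strict_types=1);

// The unsafe pattern this bug class corresponds to is a cookie value that is
// trusted as-is and concatenated into a query or a filesystem path, e.g.
//   "SELECT ... FROM gl_users WHERE uid = " . $_COOKIE['geeklog']
//   include $themeDir . $_COOKIE['theme'] . '/functions.php';
// Everything below replaces that with strict validation plus binding.

/**
 * Read a numeric user id from a cookie. Returns null unless the raw value is
 * a plain positive integer: no sign, whitespace, quotes or SQL fragments.
 */
function cookieUserId(array $cookies, string $name): ?int
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    $raw = $cookies[$name];
    // Only 1-10 ASCII digits pass; ctype_digit('') is false, so empty fails too.
    if ($raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    $uid = (int) $raw;
    return $uid > 0 ? $uid : null;
}

/**
 * Resolve a theme name from a cookie against an allowlist of installed
 * themes, so the cookie can never select a path outside the theme directory.
 */
function cookieTheme(array $cookies, string $name, array $installedThemes, string $default): string
{
    $theme = $cookies[$name] ?? '';
    // Exact match against known names; the raw string is never joined onto a path.
    return in_array($theme, $installedThemes, true) ? $theme : $default;
}

/**
 * Look up a user row by the validated id with a bound parameter, so the
 * database driver never interprets cookie bytes as SQL text.
 */
function loadUser(PDO $db, ?int $uid): ?array
{
    if ($uid === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT uid, username FROM gl_users WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample cookies: one well-formed value and three malformed ones
// that the validator must reject before any query or include is attempted.
$samples = [
    ['geeklog' => '42'],
    ['geeklog' => "42' OR 1=1"],
    ['geeklog' => '42 UNION SELECT 1'],
    ['geeklog' => '-1'],
];
foreach ($samples as $c) {
    var_dump(cookieUserId($c, 'geeklog'));
}
var_dump(cookieTheme(['theme' => '../../config'], 'theme', ['professional', 'classic'], 'professional'));
```

Only the first sample yields an integer; the others return null and the theme lookup falls back to the default, which is the behaviour a cookie-driven lookup should have before the value ever reaches the database or an `include`.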

Trackback

Trackback URL for this entry: http://www.geeklog.net/trackback.php/geeklog-1.4.0sr1

Here's what others have to say about 'Geeklog 1.4.0sr1 and 1.3.11sr4':

Media Gallery Support - Media Gallery v1.2.4
Tracked on Monday, February 20 2006 @ 12:29 AM EST

Meta: Geeklog-Update
Even in "secure" software, nasty security holes are found. And since you're updating anyway... [read more]
Tracked on Tuesday, February 21 2006 @ 09:25 AM EST

Spring cleaning in weblog land
Without much enthusiasm, I discovered yesterday that my weblog software Geeklog has a few security problems ... [read more]
Tracked on Wednesday, February 22 2006 @ 09:48 PM EST

Geeklog 1.4.0sr1
Tracked on Thursday, February 23 2006 @ 12:23 AM EST

the nerd zone - Upgrades
Tracked on Sunday, February 26 2006 @ 05:59 AM EST

Geeklog - Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Tracked on Sunday, March 05 2006 @ 03:55 PM EST

UA Geeklog - Geeklog 1.4.0sr2, 1.3.11sr5
Tracked on Monday, March 06 2006 @ 07:05 PM EST

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5 - Portal Blog
Tracked on Saturday, March 11 2006 @ 06:56 AM EST

Geeklog 1.4.0sr1 and 1.3.11sr4 | 14 comments
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: LWC on Sunday, February 19 2006 @ 07:19 PM EST
Will there be a full 1.3.11sr4?
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: Dirk on Monday, February 20 2006 @ 01:57 AM EST

No.

bye, Dirk

Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: phpsocialclub on Sunday, February 19 2006 @ 09:19 PM EST
nice work on the security release.

I was wondering what you thought about keeping the version information in another place other than the config.

If this information was not in the config, you could just upload the whole package and that would be it.

You could even use a shell script to update your site.

The config has so much valuable info in it, it would be great to have the version info in a separate file.

thanks again for the great product.
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: deek on Sunday, February 19 2006 @ 10:11 PM EST
Thanks for the security release.
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: ByteEnable on Sunday, February 19 2006 @ 10:37 PM EST
Hey Dirk thanks for the quick fix!

Here is the link to the GulfTech Article.

Regards,

Byte
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: samstone on Monday, February 20 2006 @ 04:35 PM EST
Does the archive include the bug-fixed files from the cvs since 1.4.0 final released?

Sam
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: Dirk on Monday, February 20 2006 @ 05:12 PM EST

The 1.4.0sr1 upgrade archive only includes the files needed to fix the security issues. It happens to include one minor bugfix, though, which was in lib-common.php.

The full 1.4.0sr1 tarball is exactly what's in CVS right now. It only includes 3 minor bugfixes plus a lot of new/updated language files. There hasn't really been much CVS activity since the 1.4.0 release ...

bye, Dirk

Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: ArchangelOfDarkn on Wednesday, February 22 2006 @ 10:28 AM EST
I know I had a problem with this and found that many others had a problem trying to install Geeklog onto a godaddy.com hosted shell account. The best way to do it is in your hosting control panel: go to your value applications, install the old version of Geeklog they have in there, and just upgrade Geeklog as it says in the documents. This way, you keep the SQL database that already has lock tables on. Just make sure you keep the info in the config.php so you know the database info the server made for you automatically.
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: Madjack on Wednesday, March 01 2006 @ 03:17 PM EST
Hello all from Khartsyzsk, Ukraine.

Today I have found a veeeery big hole in Geeklog security (ALL VERSIONS INFECTED!!!!). With this bug I can gain admin access without any injections or queries to the target site. And if you don't believe me, I can demonstrate it on geeklog.net. And I would like to share this with the Geeklog developers, who can fix this bug! Developers!!!! Please mail me: madjack@khartsyzsk.com.

With Best Regards,
Dyakoff Konstantin.

P.S.: Sorry for my bad English. :-)
Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: Dirk on Wednesday, March 01 2006 @ 03:26 PM EST

I'll send you an email. Our preferred way of handling security issues is outlined here, btw.

bye, Dirk

Geeklog 1.4.0sr1 and 1.3.11sr4
Authored by: Admin on Saturday, March 04 2006 @ 08:25 AM EST
Hello, Dirk, I was here :-)
Testing only.
Beware this guy
Authored by: Creator on Saturday, March 04 2006 @ 12:10 AM EST
On Wednesday, March 1st, sometime before this posting someone hacked into my website justrage.com and killed all my stories and then some. Fortunately I had a backup. Unfortunately it wasn't a recent one. After I managed to restore my website to normal operation and patched it with sr4, this same person logged in as an Admin earlier today and posted a story saying that he decided not to destroy my site again for whatever reason. I checked the logs and this person's IP address tracked back to someplace in Russia. And now I see this post. You do the math.

---
L. Whitworth
http://lee.htmladdict.com

Beware this guy
Authored by: Dirk on Saturday, March 04 2006 @ 03:51 AM EST

I assume you changed your password after restoring your backup?

The person above sent us a description of his supposed exploit which we have been unable to reproduce. We've asked him to demonstrate it but haven't heard back since.

Also, as usual, don't forget to check for vulnerabilities in 3rd party add-ons, e.g. Gallery, phpBB, ...

bye, Dirk

Beware this guy
Authored by: Creator on Monday, March 06 2006 @ 03:04 AM EST
Of course, but the guy got in using a regular user account and somehow getting ahold of the default admin account from there. Anyway, I see the new sr5 patch and I hope that this resolves these issues. Truly I can't point the finger at anyone, I just find it a little too coincidental with this guy and with what happened to my site.

---
L. Whitworth