Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5

Security

Unfortunately, yet another Geeklog security issue has surfaced: Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. This bug exists in all Geeklog versions released since 2002.

To address this serious issue, we are releasing the following security updates and strongly suggest that you upgrade your site as soon as possible.

The 1.4.0sr2 update also strips HTML tags from the location entry in a user's profile (a problem that only existed in 1.4.0). The 1.3.9sr5 update also includes the fixes for the earlier security issues. While Geeklog 1.3.9 isn't officially supported any more, we're making an exception here because of the severity of the issues and since many people still seem to be using that version. Nevertheless, we'd suggest that you upgrade to 1.4.0 at your earliest convenience.

Well, I guess there goes our reputation of being one of the more secure web applications. After two severe issues in two weeks it's hard to hold up that claim much longer. Apologies on behalf of the Geeklog Team for any inconveniences we may have caused you.

As a consequence, we will be concentrating on doing code reviews and fixing bugs (security-related and otherwise) for Geeklog 1.4.1 and will put implementing new features on the back burner. We've obviously got some homework to do in order to earn back your trust.

Please feel free to use the comments or the Feedback forum to tell us what you think about all this.


Trackback

Trackback URL for this entry: http://www.geeklog.net/trackback.php/geeklog-1.4.0sr2

Here's what others have to say about 'Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5':

Security Upgrade in Progress
Geeklog has released a security upgrade that affects all versions, so I will be upgrading your website over the next few days. If you experience any unusual activity or outages on your website, please contact me. Thanks, Jason [read more]
Tracked on Monday, March 06 2006 @ 11:44 PM EST

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Tracked on Friday, March 10 2006 @ 06:46 PM EST

BlogsWeek » Blog Archive » Upcoming releases
Tracked on Wednesday, March 22 2006 @ 07:12 PM EST

Comments (21)
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: asmaloney on Sunday, March 05 2006 @ 04:36 PM EST
Dirk,

Thanks for the notice. Could you perhaps suggest a good way to disable logins completely but leave the site up until we can upgrade? Maybe change something in lib-sessions.php?

Thanks!
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: Dirk on Sunday, March 05 2006 @ 05:42 PM EST

Uploading the fixed lib-sessions.php is probably easier. It's the only file that you need to update to fix this particular problem. And it doesn't depend on any other changes, so it would help even if you're on, say, an otherwise unpatched 1.3.11.

bye, Dirk

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: asmaloney on Sunday, March 05 2006 @ 06:22 PM EST

That's even better - thanks a lot Dirk.

- Andy
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: JohnVanVliet on Sunday, March 05 2006 @ 07:41 PM EST
Well, I would not put it that strongly. Once it was brought to your attention it was looked into and fixed VERY, VERY fast :banana: :banana:
I for one applaud you -- hip-hip-hooray -- hip-hip-hooray
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: ByteEnable on Sunday, March 05 2006 @ 08:50 PM EST
Can they log in even as ADMIN ?
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: Blaine on Sunday, March 05 2006 @ 09:43 PM EST
Yes, they could if they know how - upgrading is recommended for all sites.

---
Geeklog components by PortalParts -- www.portalparts.com
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: RichardTowler on Monday, March 06 2006 @ 08:35 AM EST
I agree with the above, don't feel so bad. It was fixed very, very fast, and at least for me it was very fast and easy to upgrade.

It's great to have such good support.

---
GameFaction - For All Your Gaming Needs
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: Bloggins on Monday, March 06 2006 @ 10:09 AM EST

I agree with the previous posts: once it was discovered, you guys were on top of it. I just wish I had waited another 8 hours to upgrade to 1.4.0sr1; I finished on March 05 2006 @ 03:25 PM EST.
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: DTrumbower on Monday, March 06 2006 @ 10:37 AM EST
The upgrade fix includes three files and nothing needs to be touched as far as config settings or probably customizations. Took 1 minute to upgrade 5 sites.
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: Bloggins on Monday, March 06 2006 @ 11:50 AM EST
Yep, I should have looked before I opened my yap.
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: geiss on Tuesday, March 07 2006 @ 06:36 PM EST
I upgraded from 1.3.11 vanilla to 1.3.11sr5 and I get the following in my error log when trying to post comments to stories:

Access denied for user: 'xxxxxxx@%' to database 'xxxxxxx'. SQL in question: LOCK TABLES gl_comments WRITE

I replaced comment.php with the old 1.3.11 version, and everything works fine again. Any suggestions?
RTFM
Authored by: eg0master on Thursday, March 09 2006 @ 08:06 AM EST
Read the FAQ:
http://www.geeklog.net/faqman/index.php?op=view&t=51

---
Long Live Space Moose

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: stolidus on Thursday, March 09 2006 @ 01:12 PM EST
There has been no loss of trust here Dirk. You guys are all awesome.

Hey let me make sure I get this K.I.S.S. principle correct here. "replace lib-sessions.php file with new one and problem disappears". Am I missing something, or is it really that simple?

If so, cool. If not, let me know ASAP, because that is what I did in reference to the above comments. It makes sense, too, though.

Thanks once again for the lightning-fast 'mea culpa' and resulting fix. Awesome.
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: Dirk on Thursday, March 09 2006 @ 01:54 PM EST

Yes, replacing lib-sessions.php makes this particular problem (that anyone could log into your site) go away. Depending on the Geeklog version you're on, there may be other problems to fix as well, though (see above).

bye, Dirk

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: stolidus on Thursday, March 09 2006 @ 04:29 PM EST
Thanks, Dirk. I was running 1.4.0sr1, so there shouldn't be... for now.
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: Dirk on Thursday, March 09 2006 @ 05:06 PM EST

You did see the bit about the missing HTML filter for the Location field? That affects all 1.4.0 versions prior to sr2.

bye, Dirk

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: sshservices on Saturday, March 11 2006 @ 09:29 AM EST
Fatal error: Call to undefined function: sec_checkuserstatus() in /web/home/flexiezine/geeklog/system/lib-sessions.php on line 111

Updated the public HTML user pages and the system/lib-sessions.php files from the 1.4.0sr2 download... Getting the error listed above...

Any suggestions? Thanks in advance.
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: Dirk on Saturday, March 11 2006 @ 09:45 AM EST

That's a new function in Geeklog 1.4.0, so make sure all your other files are up to date, especially lib-security.php.

bye, Dirk

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: abloch on Monday, March 13 2006 @ 02:27 AM EST
Has anyone noticed any recent hacking attempts, perhaps to take advantage of this security hole? The reason I ask is I've seen a few strange new user submissions to my sites, from a couple of email accounts @mail.ru.
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5
Authored by: n4th4n on Tuesday, March 14 2006 @ 06:35 AM EST
I've had a couple of mail.ru user submissions also, so you're not alone - but no hack attempts that I know of. How best to look for such attempts? What might we see in log files?

Thanks to Dirk for making this fix available to the 1.3.9.sr4 crowd as well. I personally know three other guys still using that build (for now) including myself on two sites.
mail.ru accounts
Authored by: Dirk on Tuesday, March 14 2006 @ 04:10 PM EST

There's a forum thread about these accounts here.

bye, Dirk