Friday, May 16 2008 @ 04:24 AM EDT

Geeklog 1.4.0sr3 and 1.3.11sr6

The Security Science Researchers Institute Of Iran (KAPDA.ir) has reported the following security issues in Geeklog:
  1. Possible SQL injection and authentication bypass in auth.inc.php
  2. Possible XSS in getimage.php
  3. Path disclosure in getimage.php and the functions.php of some themes, e.g. the Professional theme

Additionally, an internal code review has revealed another possible SQL injection in the story submission.

We are therefore releasing Geeklog 1.4.0sr3 (complete tarball, upgrade archive) and Geeklog 1.3.11sr6 (upgrade archive, combo update) to address these issues and would suggest that you install these as soon as possible.
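The first item in the KAPDA list (SQL injection leading to authentication bypass in a login routine) is the classic consequence of building the login query from raw form input. The following is an added illustration and not Geeklog's own auth.inc.php: it shows the shape of a login check that cannot be bypassed that way, using PDO prepared statements and comparing the password in PHP rather than in SQL. The table and column names (gl_users, uid, username, passwd), the connection details and the use of password_hash()/password_verify() are assumptions for the example.

```php
<?php
// Added example (not Geeklog's auth.inc.php): a login lookup that cannot be
// bypassed via SQL injection. Table/column names, credentials and the hashing
// scheme are assumptions for this illustration.

function connect_db(): PDO
{
    // Connection details are placeholders; replace with your site's settings.
    $pdo = new PDO('mysql:host=localhost;dbname=geeklog;charset=utf8mb4', 'dbuser', 'dbpass');
    // Use real server-side prepared statements, not client-side emulation, so a
    // bound value never reaches the SQL parser as syntax.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

/**
 * Returns the user id on success, or 0 on failure.
 *
 * The vulnerable pattern this replaces interpolates the form values into the
 * query text ("WHERE username = '$username' AND passwd = '$passwd'"), which
 * lets the submitted values alter the WHERE clause and so who gets logged in.
 */
function authenticate(PDO $pdo, string $username, string $password): int
{
    // 1. Only the username goes to the database, and only as a bound parameter.
    $stmt = $pdo->prepare('SELECT uid, passwd FROM gl_users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 2. The database never decides whether the password matches; PHP does,
    //    against a stored hash (password_hash() on registration).
    if ($row === false || !password_verify($password, $row['passwd'])) {
        // Same generic failure for "unknown user" and "wrong password".
        return 0;
    }
    return (int) $row['uid'];
}

// Usage from a login handler (values come from the submitted form):
// $uid = authenticate(connect_db(), (string) $_POST['loginname'], (string) $_POST['passwd']);
```

The same two rules cover the story submission issue mentioned above: every value that originates from the request is bound as a parameter, never concatenated into the query string, whatever the statement does.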

Read on for more information ...

getimage.php

If you haven't changed Geeklog's images directory from its default location within the web root, then you actually don't need the getimage.php script and can simply remove it. It is only needed to serve images (for articles and user photos) from a directory outside of the web root.

functions.php

The functions.php file is part of every Geeklog theme and can be used to store theme-specific PHP code. It's often used to give left and right blocks a different appearance. Please check if your theme's functions.php contains any PHP code (it may be empty, in which case you can leave it as is). If it does contain PHP code, please add the following at the beginning of that file (right after the opening PHP tag):

if (strpos ($_SERVER['PHP_SELF'], 'functions.php') !== false) {
    die ('This file can not be used on its own!');
}
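The two remaining items (XSS and path disclosure in getimage.php, path disclosure in a directly requested functions.php) come from the same two habits: running a script that was only meant to be included, and letting a filename from the request reach the filesystem or the error output unchecked. The following added example is not Geeklog's getimage.php; it combines the include guard above (expressed with a constant the including script is assumed to define, here IN_GEEKLOG) with an image handler that confines the request to a fixed directory outside the web root, refuses anything that is not a known image type, and never echoes a filesystem path in an error. IMAGE_DIR and the query parameter name are assumptions.

```php
<?php
// Added example (not Geeklog's getimage.php): serve an image from a directory
// outside the web root without path traversal, browser-side script execution
// or path disclosure. IN_GEEKLOG, IMAGE_DIR and the "image" parameter are
// assumptions for this illustration.

// Include guard: the including script is assumed to define IN_GEEKLOG, so a
// direct request to this file yields a fixed message, never a PHP error that
// would print the server path.
if (!defined('IN_GEEKLOG')) {
    header('HTTP/1.1 403 Forbidden');
    exit('This file can not be used on its own!');
}

define('IMAGE_DIR', '/var/lib/geeklog/images');   // assumed, outside the web root

// Extension -> MIME type whitelist. Anything else (.html, .svg, .php, ...) is
// refused, so the script cannot be used to deliver active content to a browser.
const IMAGE_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Resolve a requested file name to an absolute path under $base, or null.
 * Accepts only a plain file name with a whitelisted extension, then confirms
 * with realpath() that the result still lies inside $base (this also defeats
 * "../" sequences and symlinks pointing elsewhere).
 */
function resolve_image(string $base, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*\.(gif|jpe?g|png)$/i', $name)) {
        return null;
    }
    $baseReal = realpath($base);
    $path     = realpath($base . '/' . $name);
    if ($baseReal === false || $path === false || strpos($path, $baseReal . '/') !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function serve_image(string $base, string $name): void
{
    $path = resolve_image($base, $name);
    if ($path === null) {
        // Generic error: neither the requested name nor any path is reflected,
        // so there is nothing for a crafted request to inject or to learn.
        header('HTTP/1.1 404 Not Found');
        exit('Image not found.');
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . IMAGE_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');   // browser must not second-guess the type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

serve_image(IMAGE_DIR, (string) ($_GET['image'] ?? ''));
```

Note that the filename check runs before any filesystem call: with display_errors enabled, a warning from realpath() or readfile() on a bad name is exactly how the full server path would otherwise end up in the response.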

Older Geeklog versions

As usual, we only offer support for the current and previous versions of Geeklog (1.4.0 and 1.3.11, respectively). If you're still running an older version, now may be a good time to upgrade.

In the meantime, the above two items (getimage.php and functions.php) also apply to any older Geeklog release. If you're on Geeklog 1.3.9 or 1.3.10, then the new auth.inc.php for Geeklog 1.3.11 should also work with those versions (no guarantees for older releases). Still, it may be better to upgrade now.

A note on FCKeditor

Since we're talking about security issues: A security issue has recently been found in FCKeditor, which we ship with Geeklog 1.4.0. However, the issue affects FCKeditor's file manager which we don't use (we're shipping the MCPUK version of the file manager instead), so Geeklog 1.4.0 installs are not affected, as far as we know. If you want to be on the safe side, you can still remove the FileUpload.php script from /path/to/geeklog/public_html/fckeditor/editor/filemanager/browser/mcpuk/connectors/php/Commands.

Those of you who upgraded FCKeditor to version 2.2 (Geeklog 1.4.0 is shipping with version 2.1), however, should probably upgrade to FCKeditor 2.3.

Geeklog 1.4.1

For Geeklog 1.4.1, we are concentrating on bugfixes and further security enhancements. In fact, the issue regarding auth.inc.php had already been spotted and fixed before the KAPDA report arrived, so it looks like we're on the right track. We expect to have a release candidate of Geeklog 1.4.1 available by the end of June.

Here's what others have to say about 'Geeklog 1.4.0sr3 and 1.3.11sr6':

http://www.sshd.org/2006/06/06/kapda-security-science-researchers-institute-of-iran-geeklog-140sr2-path-disclosure-xss-sql-injection-authentication-bypass.html
Tracked on Tuesday, June 06 2006 @ 12:35 PM EDT

15 comments
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: LWC on Sunday, May 28 2006 @ 06:21 PM EDT
Wow, they may go nuclear but they also fix Geeklog. Who would have thought Geeklog could be what brings the world together?

Anyway, just wanted to tell you that while you send everyone (well, I guess the more advanced users, but still) to upgrade to FCKEditor v2.3, at this point of time it is still a beta. Not that there's anything wrong with it...but you shouldn't just recommend it as if it's a stable version.
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: Dirk on Monday, May 29 2006 @ 02:02 AM EDT

The point about the FCKeditor upgrade is this: If you did the upgrade to version 2.2, you got rid of the MCPUK file manager in the process - and then you're vulnerable for that security issue. In which case it would be better to upgrade to 2.3, even though it's not officially out yet.

If you're still on the original version that shipped with Geeklog 1.4.0, you should be fine.

bye, Dirk

Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: barrywong on Sunday, May 28 2006 @ 11:13 PM EDT
Hi Dirk

Thank you for the update.

Clicking Geeklog 1.4.0sr3 upgrade archive download. When you click on the URL, it states:
Security Update for Geeklog 1.4.0sr2

I am guessing it is a typo. Just checking..
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: Dirk on Monday, May 29 2006 @ 02:04 AM EDT

Well, the tarball contains the files you need to upgrade from 1.4.0sr2 to 1.4.0sr3, so I'd say the description is correct.

bye, Dirk

Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: ajom on Monday, May 29 2006 @ 03:06 PM EDT
Thanks for the update. I was going to ask about the problem with Quote and remote images showing, but it's ok now.
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: ajom on Tuesday, May 30 2006 @ 04:30 AM EDT
I have found out that the quote format and the linked image in messages work only with the admin account.

With other users the linked image is not showing and the quote format looks like this:

QUOTEQuote by: jasho

this is the quoted text.
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: Dirk on Tuesday, May 30 2006 @ 05:58 AM EDT

I honestly have no idea what you're talking about. If you have a problem (with the forum plugin?) then please post in the forums, as this doesn't seem to have anything to do with this security update ...

bye, Dirk

Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: n4th4n on Tuesday, May 30 2006 @ 07:38 PM EDT
The upgrade was totally painless! Thanks for keeping us one step ahead of the bad guys.
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: karnac on Tuesday, May 30 2006 @ 11:18 PM EDT
The new comment.php for 1.3.11sr6 breaks the comment function for the latest filemgmt plugin, 1.3

I'm using an old comment.php for the time being.
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: karnac on Tuesday, May 30 2006 @ 11:23 PM EDT
I should add that the last comment.php I had was from the original 1.3.11

Also, the result is that it just puts you back on the front page.
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: karnac on Tuesday, May 30 2006 @ 11:24 PM EDT
pardon me, that should be 1.3.11sr1
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: Dirk on Wednesday, May 31 2006 @ 01:59 AM EDT

The current version of the File Management plugin is 1.5.2, btw. And it works just fine with the comments in Geeklog 1.4.0.

bye, Dirk

Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: karnac on Thursday, June 01 2006 @ 12:20 PM EDT
I meant the latest filemgmt version for the 1.3.11 fork. filemgmt 1.5 does not work with geeklog 1.3.11, only 1.4
Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: Dirk on Thursday, June 01 2006 @ 02:40 PM EDT

Okay, sorry - I did confuse 1.4.0 and 1.3.11 above.

However, the comment.php in 1.3.11sr6 is not "new" - it was part of 1.3.11sr3, which came out last December. I haven't heard of any problems with it, but you could try asking Blaine about it.

bye, Dirk

Geeklog 1.4.0sr3 and 1.3.11sr6
Authored by: mevans on Thursday, June 01 2006 @ 11:18 PM EDT
There is a bug in Geeklog v1.3.11sr3+ causing comments to break in many plugins. Geeklog v1.3.11sr3+ requires that all plugins pass a 'title' attribute to the comment engine, but there is no method for the plugin to actually do this.

You can fix the problem by modifying the template that handles comments in Geeklog.

Edit the commentbar.thtml template located in layout/professional/comment/commentbar.thtml

Add the following line:

<input type="hidden" name="title" value="{story_title}">

Place this line after

<input type="hidden" name="pid" value="0">

This will solve the problem with plugins returning to the index page when someone tries to enter a comment.

Obviously, if you are using a different theme, edit the commentbar.thtml file for your theme (or better yet, all themes on your site).

Hope this helps!
Mark

---
Media Gallery - the ultimate gallery plugin for Geeklog - www.mediagallery.org