Resources

Getting started

Support

Development

Topics

User Functions

Events

There are no upcoming events

What's New

Stories

1 new Stories in the last 2 weeks

Comments last 2 weeks

No new comments

Trackbacks last 2 weeks

No new trackback comments

Links last 2 weeks

No recent new links

NEW FILES last 14 days

No new files

Welcome to Geeklog Friday, May 24 2013 @ 09:18 PM EDT

> >

Geeklog 1.5.2sr2

Security
  • Saturday, April 04 2009 @ 01:40 PM EDT
  • Contributed by:
  • Views:
    9,177

Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This issue allowed an attacker to extract the password hash for any account and is fixed with this release. Please note that this problem exists in all Geeklog versions prior to 1.5.2sr2.

You can download an upgrade archive for Geeklog 1.5.2sr1 or the complete 1.5.2sr2 tarball to upgrade from any previous version.

The upgrade tarball contains only one file (a drop-in replacement for lib-sessions.php) and can also be used to fix the issue on Geeklog 1.4.1, 1.5.0, and 1.5.1.

As a temporary measure (and to secure older Geeklog releases that are not supported any more), you can also make the following configuration change, at the risk of inconveniencing some of your users:

In Geeklog 1.5.x, go to Configuration > Geeklog > Miscellaneous > Cookies and change the option "Cookies embed IP?" to "True". On older Geeklog releases, open your config.php file, find the option $_CONF['cookie_ip'] and change the value to = 1; (from = 0). The downside of this configuration change is that the long-term cookie won't work any more for users with changing IP addresses, i.e. they will have to log in again more often.

What's Related

Story Options

Trackback

Trackback URL for this entry:
http://www.geeklog.net/trackback.php/geeklog-1.5.2sr2

Here's what others have to say about 'Geeklog 1.5.2sr2':

[...] Geeklog 1.5.2sr2 ::Ben 05 avril 2009 - 08:49 Lu 0 Nouvelle faille de sécurité et nouvelle security release Geeklog 1.5.2sr2 pour les versions 1.5.0 à 1.5.2.Bookoo of the Nine Situations Group posted an SQL injection [...] [read more]

[...] de la versión anterior.Este aviso fue aviso del stio Geeklog.net y puede ver mas detalles en el siguiente enlace Trackback Trackback URL for this entry: http://glhispano.alcancelibre.org/trackback.php/geeklog-1.5.2sr2 No trackback [...] [read more]

[...] cada vez que cambie su IP, puesto que la galleta (cookie) para sesión de largo plazo dejará de funcionar. Fuente: Geeklog. Fuente: Alcance Libre Leave a Reply Name (required) Mail (will not be published) (required) Website POPULAR [...] [read more]

The following comments are owned by whomever posted them. This site is not responsible for what they say.

  • Geeklog 1.5.2sr2
  • Authored by:LWC on Saturday, April 04 2009 @ 02:44 PM EDT
By "as a temporary measure", did you mean "as a temporary measure until you actually uprade"? That is, is it not needed for those who actually employ the upgrade?
  • Geeklog 1.5.2sr2
  • Authored by:Dirk on Saturday, April 04 2009 @ 03:03 PM EDT

Yes, that's what I meant.

  • Log in not working on geeklog 1.4.1
  • Authored by:::Ben on Sunday, April 05 2009 @ 04:22 AM EDT
After I sign in on a geeklog 1.4.1 patched is like I'm not log in, user login block is still there and I can't access to admin aera. If I un-patch the cms and refresh the page I'm log in and can now access to the admin features.

::Ben

---
Support and French community [ www.geeklog.fr ]
  • Log in not working on geeklog 1.4.1
  • Authored by:1000ideen on Sunday, April 05 2009 @ 04:40 AM EDT
I`m afraid it does not work with GL 1.4.1. Unfortunately I found out after patching about 10 installations.

A replacement file for GL 1.4.1 is urgently needed.
  • Log in not working on geeklog 1.4.1
  • Authored by:Dirk on Sunday, April 05 2009 @ 04:50 AM EDT

Yeah, sorry about that - the 1.5.x code relies on another change in lib-security.php that's not present in 1.4.1.

  • lib-sessions.php for Geeklog 1.4.1
  • Authored by:Dirk on Monday, April 06 2009 @ 03:02 PM EDT

As it turns out (see above), the upgrade archive does not work with Geeklog 1.4.1. An updated lib-sessions.php for Geeklog 1.4.1 is now available.

Do not use that file with Geeklog 1.5.x!

  • Geeklog 1.5.2sr2
  • Authored by:mystral-kk on Thursday, April 09 2009 @ 08:08 PM EDT
Applying this patch (lib-session.php) to Geeklog-1.5.0 prevented me from loggin into the site (on MS Windows and Linux). When I undid the patch, I was able to log in again. I don't have this inconvenience with GL-1.5.1, though.


---
-- mystral-kk, "Every cloud has a silver lining."

Post a Comment

Your Name
Create Account
Allowed HTML Tags:
<p>, <b>, <strong>, <i>, <a>, <em>, <br>, <tt>, <hr>, <li>, <ol>, <ul>, <code>, <pre>, [code], [raw], [page_break], [staticpage:]InformationInformation[staticpage: id alternate title] - Displays a link to a static page using the static page title as the title. An alternate title may be specified but is not required. , [event:]InformationInformation[event: id alternate title] - Displays a link to an Event Link from the Calendar using the Event Title as the title. An alternate title may be specified but is not required. , [poll:]InformationInformation[poll: id alternate title] - Displays a link to a poll using the Poll Topic as the title. An alternate title may be specified but is not required. , [link:]InformationInformation[link: id alternate title] - Displays a link to a Link from the Links Plugin using the Link Title as the title. An alternate title may be specified but is not required. , [faq:], [forum:]InformationInformation[forum: id alternate title] - Displays a link to a forum topic using the text 'here' as the title. An alternate title may be specified but is not required. , [file:], [story:]InformationInformation[story: id alternate title] - Displays a link to a Story using the Story Title as the title. An alternate title may be specified but is not required. , [user:]InformationInformation[user: name alternate title] - Displays a link to a User using the Username as the title. An alternate title may be specified but is not required.
 

Security code
This question is for testing whether you are a human visitor and to prevent automated spam submissions.

What code is in the image?
Enter the bolded text, case sensitive!
Important Stuff
  • Please try to keep posts on topic.
  • Try to reply to other people comments instead of starting new threads.
  • Read other people's messages before posting your own to avoid simply duplicating what has already been said.
  • Use a clear subject that describes what your message is about.
  • Your email address will NOT be made public.