Geeklog 1.6.0sr2

Security
  • Sunday, August 30 2009 @ 01:05 PM EDT

Last week, an exploit was published that allows unauthorized direct uploads to a Geeklog site, using the PHP connector included with FCKeditor. The uploads still have to go through FCKeditor's filters, so it's not possible to use this to upload scripts and the integrity of the Geeklog site as such is not in danger. As it turns out, however, this exploit is now being used to host malware on some Geeklog sites. So it seems we completely underestimated the impact of this issue.

Geeklog 1.6.0sr2 is now available for download and ships with a much more restrictive configuration for uploads through FCKeditor. There's also an archive to upgrade from 1.6.0sr1 and an updated version of the drop-in FCKeditor replacement for older Geeklog versions.

If you don't use FCKeditor (aka "Advanced Editor") on your site, the easiest and safest method is to simply remove the entire fckeditor directory (from your public_html directory). Otherwise, please install one of the above updates ASAP.

Independent of this issue, there are reports of Geeklog sites being hacked through two older FCKeditor-related issues (see: File uploads through FCKeditor and FCKeditor input sanitization errors). If you haven't installed those updates yet, please do so ASAP.

In retrospect, we really dropped the ball on this one. While we were looking for a fix, we didn't realize the potential misuse of this exploit and thus didn't treat it with the urgency it would have required. Our apologies for that. I'm also taking some personal responsibility for this issue, since I'm not using FCKeditor myself and haven't really looked into it too closely. The issues in the upload configuration were really obvious (our fault, btw, not FCKeditor's) but went unnoticed. Sorry about that and we will be reviewing the FCKeditor integration for the next Geeklog release.
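The two defensive points above, that an upload connector must enforce its own authentication rather than relying on the editor being enabled, and that "still passes the filters" is not enough when the filters only look at file names, are illustrated by the following hardened upload endpoint. This is an added example, not Geeklog's or FCKeditor's own connector code; the session key `uid`, the form field name `NewFile`, the `UPLOAD_DIR` path and the size limit are assumptions for the illustration.

```php
<?php
// Added example (not Geeklog's or FCKeditor's code): a minimal upload endpoint
// that applies the restrictions a connector needs. Assumptions: logged-in users
// have $_SESSION['uid'] set, the form field is named "NewFile", and UPLOAD_DIR
// is a directory the web server is configured never to execute scripts from.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed; separate from the editor directory
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed 2 MiB cap

// Allowlist: permitted extensions and the leading bytes a file claiming that
// extension must actually start with. Anything not listed here is rejected.
const ALLOWED = [
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'gif'  => ["GIF87a", "GIF89a"],
];

/**
 * Validate one $_FILES entry. Returns null when the file is acceptable,
 * otherwise a short reason string suitable for an error response.
 */
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if ((int)$file['size'] > MAX_BYTES) {
        return 'file too large';
    }
    // Reject names with more than one dot, so a name carrying a second,
    // script-like extension in front of the image extension cannot get through.
    $name = basename((string)$file['name']);
    if (substr_count($name, '.') !== 1) {
        return 'file name must have exactly one extension';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return 'file type not allowed';
    }
    // Never trust the client-supplied MIME type ($file['type']); inspect the
    // first bytes of the uploaded content instead.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 16);
    if ($head === false) {
        return 'unreadable upload';
    }
    foreach (ALLOWED[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return null;
        }
    }
    return 'file contents do not match extension';
}

/**
 * Move a validated upload into UPLOAD_DIR under a server-chosen random name,
 * so the client never controls the path or name on disk. Returns the path.
 */
function store_upload(array $file): string
{
    $ext    = strtolower(pathinfo(basename((string)$file['name']), PATHINFO_EXTENSION));
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Entry point. The connector enforces authentication itself: it stays reachable
// as a URL even when the editor is switched off in the application's settings.
session_start();
if (empty($_SESSION['uid'])) {            // assumed session layout
    http_response_code(403);
    exit('login required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['NewFile'])) {
    http_response_code(400);
    exit('bad request');
}
$reason = validate_upload($_FILES['NewFile']);
if ($reason !== null) {
    http_response_code(400);
    exit($reason);
}
header('Content-Type: text/plain');
echo 'stored as ' . basename(store_upload($_FILES['NewFile']));
```

The validation is deliberately an allowlist with content inspection, because a name-based blocklist is what lets "passes the filters" and "hosts malware" coexist. Pair it with a web server rule that refuses to execute anything under the upload directory, and, as the announcement says, if the editor is not used at all, removing its directory is simpler and stronger than any configuration change.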


  • Geeklog 1.6.0sr2
  • Authored by: Anonymous on Sunday, August 30 2009 @ 06:24 PM EDT

Does this concern sites like this one where anonymous users can't use FCKeditor, although it's still there?

And does the drop-in replacement contain the previously aforementioned replacements?

  • Geeklog 1.6.0sr2
  • Authored by: Dirk on Monday, August 31 2009 @ 03:38 AM EDT

It does affect sites even if FCKeditor is disabled, as long as the "fckeditor" directory is there. The drop-in replacement contains the latest version of FCKeditor plus the specific fixes for this issue from Geeklog 1.6.0sr2.

  • Geeklog 1.6.0sr2
  • Authored by: Anonymous on Tuesday, October 20 2009 @ 11:16 PM EDT

For some reason, doing a new install with my internet host, no matter how many times I installed/reinstalled/used symbolic paths/used static paths/etc., failed to give me proper access to the admin_site_url (it left it blank every single time and would not update it).

The workaround involved editing configuration.php line 35 to remove the ../lib-common.php and replace it with "lib-common.php", then copy configuration.php to my root directory, copy auth-inc.php to my root directory, rerun mysite.com/configuration.php, update the admin path (i.e. mysite.com/admin), then remove the edited configuration.php from the root directory, and remove auth-inc.php.

Also, when I tried to register on geeklog.com, a password was sent to me (I'm not stupid here but humor this); despite copy-pasting in verbatim my username and password, then trying manually typing it twice, I exceeded maximum logon attempts and went into speedlimit break mode.

It looks like the newest release (and my first attempt at running a Geeklog) is seriously flawed; maybe someone in IRC can help address the issues that are cropping up for me...

Or maybe I just need to RTFM (which I did!)

  • Geeklog 1.6.0sr2
  • Authored by: Dirk on Tuesday, October 20 2009 @ 11:42 PM EDT

You're doing something wrong. configuration.php, auth.inc.php, etc. are supposed to be in a directory called "admin". One level up from that directory is the lib-common.php, so the include with '../lib-common.php' is correct.

Maybe the program you used to unpack the tarball messed something up. I'd suggest you start over fresh.
