Welcome to Geeklog Wednesday, December 11 2013 @ 10:56 AM EST
A recent posting on the Bugtraq security mailing list should serve as a reminder to always remove the install script after a successful install or upgrade of Geeklog: MaXe points out an XSS, a path disclosure, and a remote file inclusion in the 1.5.x install script. The XSS is still present in the 1.6.0 install script and has been pointed out to us before by a person who called himself Nemesis.
We'll take care of this in the next 1.6.0 release (probably rc1). So again: Please follow the installation instructions and the built-in reminders to remove the install script and the other security tips that we provide before, during, and after the install.
[...] 1.6.0 is now available for download. This version fixes a few more issues with the new search, addresses the XSS reported for the install script, and also includes a more prominent reminder to remove the install script after installation or [...] [read more]