
Welcome to Geeklog Monday, May 20 2013 @ 11:24 AM EDT


Geeklog 1.8.2sr1 and 2.0.0rc2

Security
  • Wednesday, February 20 2013 @ 05:40 AM EST

We have received two reports about security issues that affect Geeklog in both current versions, i.e. 1.8.2 and 2.0.0 (which is not officially out yet, but in release candidate state):

  • High-Tech Bridge Security Research Lab reported an XSS in the calendar_type parameter in the Calendar plugin.
  • Trustwave Spiderlabs reported XSS in the install script, the Configuration, as well as in the Admin interfaces for the Polls plugin and the Topic editor.

To address these issues, we are releasing Geeklog 1.8.2sr1 (complete archive; also available as an update from 1.8.2) and Geeklog 2.0.0rc2.

EasyFile plugin SQL injection

Security
  • Thursday, March 29 2012 @ 12:15 PM EDT

An SQL injection vulnerability in the EasyFile plugin has been found and published by a user who calls himself Hellboy (the vulnerability is reported as being in Geeklog, but it really only affects the EasyFile plugin).

Given that the EasyFile plugin hasn't been updated in years, we assume that it is no longer maintained. If you use this plugin on your site, we recommend that you uninstall the plugin and remove all the files that belong to it as soon as possible.

We have removed the EasyFile plugin from our download area. If there are any other sites out there mirroring the plugin, please remove it from those sites as well. Thank you.

Forum plugin 2.7.4 security fix

Security
  • Saturday, January 15 2011 @ 04:25 PM EST

Mark Evans informs us that Saif El-Shere reported XSS in the bbcode handling of the Forum plugin for glFusion. Due to the shared history of the two projects, these XSS issues also exist in the Forum plugin for Geeklog. The Forum plugin 2.7.4 fixes these issues.

To upgrade from version 2.7.3, you need to replace these 3 files:

  • config.php (for the version number)
  • functions.inc (for the upgrade code)
  • public_html/include/gf_format.php (which contains the actual fix)

Then simply run the upgrade from Geeklog's Plugin admin panel.

Geeklog 1.7.1sr1

Security
  • Sunday, January 02 2011 @ 12:30 PM EST

Geeklog 1.7.1sr1 addresses an XSS in the Configuration admin panel, reported by Aung Khant of the YGN Ethical Hacker Group. Due to the built-in CSRF protection, this weakness is somewhat harder to exploit, but we nonetheless advise that you secure your site by installing this update ASAP.

In addition to the complete 1.7.1sr1 tarball, there are also update files for Geeklog 1.7.1 and for Geeklog 1.6.1sr1 that contain only a fixed version of the affected file (see the included README file for installation instructions).

Users of older Geeklog releases should consider upgrading to Geeklog 1.7.1sr1 soon (use the complete 1.7.1sr1 tarball to upgrade from any older version).

Geeklog 1.6.1sr1 and 1.5.2sr6

Security
  • Sunday, May 09 2010 @ 02:15 PM EDT

You may remember the flurry of security issues that Bookoo of the Nine Situations Group reported for Geeklog in April last year. Well, it looks like we missed one issue in those reports: Geeklog's auto login feature is vulnerable to brute force / dictionary attacks. To fix this, we are releasing the following security updates:

Other versions: The issue is also fixed in Geeklog 1.7.0 (but present in the 1.7.0 beta and release candidate). The 1.5.2sr6 upgrade can also be used for Geeklog 1.6.0, 1.5.1, and 1.5.0. Earlier versions were not tested; we strongly recommend upgrading to a newer version (1.6.1sr1 or 1.7.0) instead.

Forum plugin 2.7.3 security fix

Security
  • Sunday, May 02 2010 @ 04:45 AM EDT

The Forum plugin 2.7.3 addresses a security issue where an XSS was possible in anonymous usernames, reported by Jaloh Smith.

To upgrade from version 2.7.2, you only need to replace 3 files:

  • config.php (for the version number)
  • functions.inc (for the upgrade code)
  • public_html/createtopic.php (which contains the actual fix)

Then simply run the upgrade from Geeklog's Plugin admin panel.

Geeklog 1.6.0sr2

Security
  • Sunday, August 30 2009 @ 01:05 PM EDT

Last week, an exploit was published that allows unauthorized direct uploads to a Geeklog site, using the PHP connector included with FCKeditor. The uploads still have to go through FCKeditor's filters, so it's not possible to use this to upload scripts and the integrity of the Geeklog site as such is not in danger. As it turns out, however, this exploit is now being used to host malware on some Geeklog sites. So it seems we completely underestimated the impact of this issue.

Geeklog 1.6.0sr2 is now available for download and ships with a much more restrictive configuration for uploads through FCKeditor. There's also an archive to upgrade from 1.6.0sr1 and an updated version of the drop-in FCKeditor replacement for older Geeklog versions.

If you don't use FCKeditor (aka "Advanced Editor") on your site, the easiest and safest method is to simply remove the entire fckeditor directory (from your public_html directory). Otherwise, please install one of the above updates ASAP.

Geeklog 1.6.0sr1 and 1.5.2sr5

Security
  • Thursday, July 30 2009 @ 02:00 PM EDT

Geeklog 1.6.0sr1 and 1.5.2sr5 address the following security issues:

  1. Gerendi Sandor Attila reported an XSS in the forms to email a user and to email a story to a friend.
  2. The "Mail Story to a Friend" function didn't check story permissions, so that it was possible to email a story even if you didn't have the permissions to view it on the site.

For Geeklog 1.6.0, we also fixed two bugs (an SQL error when the story submission queue was off and a call to a nonexistent function).

The following files are available:

FCKeditor input sanitization errors

Security
  • Sunday, July 05 2009 @ 07:20 AM EDT

An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).

Here's what we know:

  • The advisory mentions that "several" of the FCKeditor connector modules are affected and suggests removing all unused connectors. Geeklog only ships with one connector (for PHP), but it's not clear whether this connector is affected or not.
  • There's a second issue regarding XSS in the FCKeditor samples. Geeklog does not include the samples, so we're not affected by this issue at least.

Reminder: Remove the install script!

Security
  • Thursday, June 04 2009 @ 03:40 PM EDT

A recent posting on the Bugtraq security mailing list should serve as a reminder to always remove the install script after a successful install or upgrade of Geeklog: MaXe points out an XSS, a path disclosure, and a remote file inclusion in the 1.5.x install script. The XSS is still present in the 1.6.0 install script and has been pointed out to us before by a person who called himself Nemesis.

We'll take care of this in the next 1.6.0 release (probably rc1). So again: Please follow the installation instructions and the built-in reminders to remove the install script and the other security tips that we provide before, during, and after the install.

