Welcome to Geeklog Tuesday, February 09 2010 @ 06:05 PM EST
Sunday, August 30 2009 @ 01:05 PM EDT
Contributed by: Dirk
Views: 2,348
 Last week, an exploit was published that allows unauthorized direct uploads to a Geeklog site, using the PHP connector included with FCKeditor. The uploads still have to go through FCKeditor's filters, so it's not possible to use this to upload scripts and the integrity of the Geeklog site as such is not in danger. As it turns out, however, this exploit is now being used to host malware on some Geeklog sites. So it seems we completely underestimated the impact of this issue.
Geeklog 1.6.0sr2 is now available for download and ships with a much more restrictive configuration for uploads through FCKeditor. There's also an archive to upgrade from 1.6.0sr1 and an updated version of the drop-in FCKeditor replacement for older Geeklog versions.
If you don't use FCKeditor (aka "Advanced Editor") on your site, the easiest and safest method is to simply remove the entire fckeditor directory (from your public_html directory). Otherwise, please install one of the above updates ASAP.
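As an added illustration (not code from Geeklog or FCKeditor), the PHP below shows what a "much more restrictive" upload configuration enforces in practice: an extension allow-list, a content-type check on the actual bytes rather than the file name, rejection of names with more than one extension, and a server-generated stored name so nothing client-controlled reaches the filesystem path. The function names, the allow-list and the size limit are assumptions for this example; it needs the PHP fileinfo extension, and the two sample uploads are constructed inline.

```php
<?php
// Added example (not Geeklog or FCKeditor code): a restrictive upload check of the
// kind a file-upload connector should apply before writing anything under the web root.
// Names, allow-list and limits are assumptions for this example.

const ALLOWED_EXTENSIONS = [
    'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

/**
 * Returns null when the file may be stored, otherwise the reason for rejection.
 * $tmpPath is where the server saved the upload; $clientName is the name the
 * browser sent and must never be used as-is for the stored file.
 */
function checkUpload(string $tmpPath, string $clientName): ?string {
    $base = basename($clientName);
    if ($base === '' || $base[0] === '.') {
        return 'empty or hidden file name';
    }
    // Exactly one dot: "photo.xyz.png" style names are rejected outright, because
    // some web server configurations pick the handler from an inner extension.
    if (substr_count($base, '.') !== 1) {
        return 'file name must have exactly one extension';
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_EXTENSIONS)) {
        return "extension '$ext' is not allowed";
    }
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        return 'file is empty or too large';
    }
    // Check the bytes, not the name: the declared extension must match the content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_EXTENSIONS[$ext]) {
        return "content type $mime does not match extension $ext";
    }
    return null;
}

/** Server-chosen name: nothing from the client ends up in the stored path. */
function storedName(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a minimal 1x1 PNG, and a plain text file renamed to look like an image.
$tmp = sys_get_temp_dir();
$png = $tmp . '/upload_ok';
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$fake = $tmp . '/upload_bad';
file_put_contents($fake, "just text, not an image\n");

$cases = [[$png, 'photo.png'], [$fake, 'photo.png'], [$png, 'photo.xyz.png'], [$png, 'notes.txt']];
foreach ($cases as [$path, $name]) {
    $reason = checkUpload($path, $name);
    echo str_pad($name, 16)
        . ($reason === null ? 'accept, stored as ' . storedName(pathinfo($name, PATHINFO_EXTENSION))
                            : 'reject: ' . $reason) . "\n";
}
unlink($png);
unlink($fake);
```

Only the real PNG under a single allowed extension is accepted; the renamed text file fails the content check, and the double-extension and disallowed-extension names are refused before the bytes are even read. Storing accepted files outside the script-executing part of the document root is the other half of the same mitigation.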
Thursday, July 30 2009 @ 02:00 PM EDT
Contributed by: Dirk
Views: 2,276
 Geeklog 1.6.0sr1 and 1.5.2sr5 address the following security issues:
- Gerendi Sandor Attila reported an XSS in the forms to email a user and to email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions, so that it was possible to email a story even if you didn't have the permissions to view it on the site.
For Geeklog 1.6.0, we also fixed two bugs (an SQL error when the story submission queue was off and a call to a nonexistent function).
The following files are available:
Sunday, July 05 2009 @ 07:20 AM EDT
Contributed by: Dirk
Views: 2,428
 An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).
Here's what we know:
- The advisory mentions that "several" of the FCKeditor connector modules are affected and suggests removing all unused connectors. Geeklog only ships with one connector (for PHP), but it's not clear whether this connector is affected or not.
- There's a second issue regarding XSS in the FCKeditor samples. Geeklog does not include the samples, so we're not affected by this issue at least.
Thursday, June 04 2009 @ 03:40 PM EDT
Contributed by: Dirk
Views: 2,214
 A recent posting on the Bugtraq security mailing list should serve as a reminder to always remove the install script after a successful install or upgrade of Geeklog: MaXe points out an XSS, a path disclosure, and a remote file inclusion in the 1.5.x install script. The XSS is still present in the 1.6.0 install script and has been pointed out to us before by a person who called himself Nemesis.
We'll take care of this in the next 1.6.0 release (probably rc1). So again: Please follow the installation instructions and the built-in reminders to remove the install script and the other security tips that we provide before, during, and after the install.
Saturday, April 18 2009 @ 07:15 AM EDT
Contributed by: Dirk
Views: 2,764
Bookoo of the Nine Situations Group has posted yet another SQL injection exploit. This time, the problem is in usersettings.php and can again be used by an attacker to extract the password hash for any account. Geeklog 1.5.2sr4 fixes this issue and is available for download.
Monday, April 13 2009 @ 11:55 AM EDT
Contributed by: Dirk
Views: 2,610
Geeklog 1.5.2sr3 addresses the recently published exploit for an SQL injection in the webservices. It is available for download.
After installing this update, you can enable the webservices again if you need them (or leave them disabled if you don't - they are not an essential feature, unless you happen to be using an AtomPub client to post articles).
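The SQL injection fixes announced on this page (usersettings.php, the webservices API, the lib-sessions.php replacement) share one root cause: request data spliced into SQL text. The PHP below is an added example, not Geeklog's code, putting the vulnerable query style beside the parameterized one. It assumes the pdo_sqlite extension; the users table and its rows are constructed inline and the hash column holds placeholders.

```php
<?php
// Added example (not Geeklog code): the two query styles behind an SQL injection
// advisory. Assumes PHP with pdo_sqlite; the users table below is constructed.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, passwd TEXT)');
    // Constructed rows; the passwd values are placeholders, not real hashes.
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'HASH_PLACEHOLDER_1'), (2, 'O''Brien', 'HASH_PLACEHOLDER_2')");
    return $db;
}

// Vulnerable pattern: the input becomes part of the SQL text, so any quote in it
// changes the structure of the statement instead of being compared as a value.
function lookupUidUnsafe(PDO $db, string $username): ?int {
    $sql = "SELECT uid FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['uid'] : null;
}

// Hardened pattern: the statement is fixed at prepare time and the value is bound,
// so whatever the input contains, it can only ever be matched as data.
function lookupUidSafe(PDO $db, string $username): ?int {
    $stmt = $db->prepare('SELECT uid FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['uid'] : null;
}

$db = makeDb();
$input = "O'Brien";   // ordinary input that happens to contain a quote

try {
    var_dump(lookupUidUnsafe($db, $input));
} catch (PDOException $e) {
    // The quote broke the statement. A syntax error on honest input is the same
    // weakness that a crafted input turns into reading other rows.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}
var_dump(lookupUidSafe($db, $input));
```

The unsafe lookup fails even on a legitimate name with an apostrophe, which is the cheapest way to spot this pattern in code review: if an apostrophe in a request parameter can produce a database error, the same parameter can also change what the query returns. The prepared statement returns the O'Brien row correctly.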
Thursday, April 09 2009 @ 03:50 PM EDT
Contributed by: Dirk
Views: 2,852
 Well, it's getting a bit embarrassing, but here goes:
Bookoo of the Nine Situations Group posted another SQL injection exploit, this time targeting the webservices API in Geeklog. The problem exists in all 1.5.x releases to date. Fortunately, it can be avoided by disabling the webservices like so: Go to
Configuration > Geeklog > Miscellaneous > Webservices
(that's the last set of options on the "Miscellaneous" page) and set "Disable Webservices?" to "True". We'll release a fix ASAP, but this should secure your site for now.
Saturday, April 04 2009 @ 01:40 PM EDT
Contributed by: Dirk
Views: 2,709
 Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This issue allowed an attacker to extract the password hash for any account and is fixed with this release. Please note that this problem exists in all Geeklog versions prior to 1.5.2sr2.
You can download an upgrade archive for Geeklog 1.5.2sr1 or the complete 1.5.2sr2 tarball to upgrade from any previous version.
The upgrade tarball contains only one file (a drop-in replacement for lib-sessions.php) and can also be used to fix the issue on Geeklog 1.4.1, 1.5.0, and 1.5.1.
As a temporary measure (and to secure older Geeklog releases that are not supported any more), you can also make the following configuration change, at the risk of inconveniencing some of your users:
Monday, March 30 2009 @ 02:40 PM EDT
Contributed by: Dirk
Views: 2,590
 Fernando Muñoz reported a possible XSS in the query form on most admin panels that we are fixing in this release.
You can download an upgrade archive for Geeklog 1.5.2 or the complete 1.5.2sr1 tarball to upgrade from any previous version.
The upgrade tarball contains only one file and should also work as a quick fix for Geeklog 1.5.0 and 1.5.1. We do recommend upgrading to 1.5.2sr1 from those versions, though, due to various other bugs that have since been fixed.
Fernando is one of the students applying for participation in the Google Summer of Code with Geeklog, btw. Which just goes to show that it's always good to have a fresh pair of eyes looking over your code. Thanks, Fernando!
Sunday, January 25 2009 @ 12:57 PM EST
Contributed by: Blaine
Views: 2,429
An issue that can allow someone to edit another user's recently posted topic has been identified by Matthew Demicco. This is possible during the edit timeframe, which by default is 1 min, and requires someone to modify the URL.
This new release addresses that issue, and we recommend that all sites upgrade to this latest release, which is now available in the downloads area.
The upgrade steps are to replace the changed files and run the plugin upgrade.
- public_html/createtopic.php
- config.php
- functions.inc
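Two fixes on this page come down to the same server-side rule: check the stored object's access rules before acting on it, whatever the URL claims. The 1.6.0sr1/1.5.2sr5 note above says "Mail Story to a Friend" skipped the story permission check, and the topic issue here allowed edits within the edit window by changing the URL. The PHP below is an added example, not Geeklog's code: its permission bit layout, field names and helper functions are assumptions, and the sample records are constructed.

```php
<?php
// Added example (not Geeklog code): authorize against the stored object, not the
// request. The data model and bit layout are simplified assumptions, not Geeklog's
// actual schema or its SEC_* functions.

const PERM_READ = 2;   // assumed layout: 2 = read, 3 = read + edit, 0 = none

/** Can $user (null = anonymous visitor) read this story? Mirrors the site's own view check. */
function canReadStory(array $story, ?array $user): bool {
    if ($user === null) {
        return ($story['perm_anon'] & PERM_READ) === PERM_READ;
    }
    if ($user['uid'] === $story['owner_id']) {
        return ($story['perm_owner'] & PERM_READ) === PERM_READ;
    }
    if (in_array($story['group_id'], $user['groups'], true)) {
        return ($story['perm_group'] & PERM_READ) === PERM_READ;
    }
    return ($story['perm_members'] & PERM_READ) === PERM_READ;
}

/** "Mail story to a friend": refuse unless the requester could read the story on the site. */
function mailStoryToFriend(array $story, ?array $user, string $to): string {
    if (!canReadStory($story, $user)) {
        return "refused: story {$story['sid']} is not visible to this user";
    }
    return "would mail story {$story['sid']} to $to";
}

/**
 * Editing a freshly posted topic: the requester must own the record AND be inside
 * the edit window. Both facts come from the stored topic, so a modified topic id
 * in the URL only ever points at a record the check is applied to.
 */
function canEditTopic(array $topic, ?array $user, int $now, int $windowSeconds = 60): bool {
    if ($user === null || $user['uid'] !== $topic['owner_id']) {
        return false;
    }
    return ($now - $topic['posted_at']) <= $windowSeconds;
}

// Constructed sample data.
$story  = ['sid' => 'welcome', 'owner_id' => 2, 'group_id' => 10,
           'perm_owner' => 3, 'perm_group' => 2, 'perm_members' => 0, 'perm_anon' => 0];
$author = ['uid' => 2, 'groups' => [10]];
$member = ['uid' => 7, 'groups' => [4]];

echo mailStoryToFriend($story, $author, 'friend@example.com'), "\n";   // owner: allowed
echo mailStoryToFriend($story, $member, 'friend@example.com'), "\n";   // other member: refused
echo mailStoryToFriend($story, null,    'friend@example.com'), "\n";   // anonymous: refused

$topic = ['id' => 41, 'owner_id' => 7, 'posted_at' => 1000];
var_dump(canEditTopic($topic, $member, 1030));   // owner, inside the window
var_dump(canEditTopic($topic, $member, 1100));   // owner, window expired
var_dump(canEditTopic($topic, $author, 1030));   // not the owner
```

The point of routing both actions through a check on the loaded record is that the vulnerable versions failed in the same way: the mail form trusted that anyone who reached it could see the story, and the topic editor trusted the id in the URL. Neither assumption survives a hand-edited request.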