- Tuesday, April 23 2002 @ 10:48 PM EDT
- Contributed by: barrywong
- Views: 3,927
I noticed that when we lose a password, geeklog will send us a new 'system-generated' password. I have one concern, with the ease of requesting a new password.
GL does not verify if you are truly the user requesting a new password. As such, a prankster can look for a list of users, i.e. Admin etc., and request a new password for the person. It would be a pain if this becomes a day-to-day affair.
Are there any plugins or patches that we can add to help identify the user, i.e. mom's maiden name or something along those lines?
Thank you.
- Sunday, April 07 2002 @ 11:41 AM EDT
- Contributed by: morioka
- Views: 3,411
I think search.php of geeklog-1.3.x has a possible cross-site scripting vulnerability. For example, let's put this string in as the search keyword.
<script>alert(self.location)</script>
This gives an alert window when JavaScript is enabled.
Because any HTML tags are transparently displayed in a "No matchs" screen, and search.php accepts the GET method, this can be easily exploited in the manner of ordinary cross-site scripting attacks.
This simple patch for search.php can prevent this type of attack.
--- search.php Fri Apr 5 01:21:15 2002
+++ search.php.org Mon Apr 8 03:38:07 2002
@@ -264,7 +264,7 @@
$retval .= $searchresults->parse('output','searchresults');
} else {
$retval .= COM_startBlock($LANG09[13])
- . $LANG09[14].' <b>'.htmlentities($query).'</b> '.$LANG09[15]
+ . $LANG09[14].' <b>'.$query.'</b> '.$LANG09[15]
. COM_endBlock();
}
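Review bot: The hunk runs in the wrong direction: the `-` line is the one that wraps the keyword in htmlentities($query) and the `+` line echoes the raw $query, with search.php.org named as the new file. Applied as posted, it would strip the escaping from the no-results message instead of adding it. Regenerate it with the original file first (diff -u search.php.org search.php) or apply it reversed with patch -R, then confirm that the line in the else branch reads '<b>'.htmlentities($query).'</b>'. Only this one echo of $query is visible here, so any other place where search.php prints the keyword needs the same check.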
- Thursday, March 21 2002 @ 02:13 PM EST
- Contributed by: Matty
- Views: 5,210
Hi folks, this is a tip. In every directory that doesn't contain an index file, place a blank text file and name it index.htm. I do this on all my themes and geeklog directories and I highly suggest you do it as well.
This will prevent snooping, even if it's only an images directory. Also, concerning the recent discovery of how many folks left their install.php alone, if you renamed your install file to muahahayoullneverguessthenameofmyinstall.php, it's not gonna do any good if someone visits http://yoursite.com/admin/install/. If you're gonna rename it, try a .txt extension or something. Enjoy. :)
- Wednesday, January 30 2002 @ 09:08 AM EST
- Contributed by: heidialyssa
- Views: 4,059
How does one remove the ability to respond to a story, message anonymously? We have had some people leave replies to some of our posts anonymously and I want to have that feature disabled.
I've already removed the anonymous posting in the mySQL. Now, I just need it at the blog level.
My thanks in advance.
- Wednesday, January 09 2002 @ 09:38 AM EST
- Contributed by: Tony
- Views: 4,044
Attention all Geeklog 1.3 Admins
I hope you programmers out there never have to do what I'm about to do. A security hole has been brought to my attention and all Geeklog 1.3 admins will need to apply this fix. Luckily a 'good guy' found this before it became a big issue.
During all the session management changes from a while back I neglected to add back the MD5 hash of the user's password to a cookie and check that. As a result, it is possible to have your Geeklog 1.3 system compromised by simply editing the cookie and changing the user ID to that of a Geeklog admin. This hole is about as critical as a hole can get. If you are running Geeklog 1.3 you will need to go to CVS and download the latest copies of system/lib-sessions.php and public_html/users.php.
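The cookie check described in the post above, as an added example that is not part of the original post or Geeklog's own code: a cookie that carries only a user ID is believed as-is, while a cookie that also carries a token tied to that user is rejected once the ID is edited. The HMAC token, the secret, the function names and the user table are assumptions made for illustration; the post itself describes a check against the MD5 hash of the user's password.

```php
<?php
// Added illustration, not Geeklog code. All names and values are constructed.
const SERVER_SECRET = 'constructed-demo-secret';

// Constructed user table: uid => stored password hash and admin flag.
$users = [
    2  => ['pwhash' => 'constructed-hash-of-admin-password', 'admin' => true],
    13 => ['pwhash' => 'constructed-hash-of-alice-password', 'admin' => false],
];

// Flawed check: whatever uid the cookie claims is believed.
function uid_unchecked(array $cookie): ?int
{
    return isset($cookie['uid']) ? (int) $cookie['uid'] : null;
}

// Token issued at login. It binds the uid to the user's current password
// hash and to a secret that never leaves the server.
function issue_token(int $uid, string $pwhash): string
{
    return hash_hmac('sha256', $uid . '|' . $pwhash, SERVER_SECRET);
}

// Hardened check: the uid counts only if the token was issued for it.
function uid_checked(array $cookie, array $users): ?int
{
    $uid   = isset($cookie['uid']) ? (int) $cookie['uid'] : 0;
    $token = isset($cookie['token']) ? (string) $cookie['token'] : '';
    if (!isset($users[$uid])) {
        return null;                       // unknown user: no session
    }
    $expected = issue_token($uid, $users[$uid]['pwhash']);
    // Constant-time comparison of the expected and presented tokens.
    return hash_equals($expected, $token) ? $uid : null;
}

// Cookie handed to the ordinary user (uid 13) at login.
$cookie = ['uid' => '13', 'token' => issue_token(13, $users[13]['pwhash'])];
// The same cookie with only the uid field changed to the admin's uid.
$edited = ['uid' => '2', 'token' => $cookie['token']];

foreach (['original' => $cookie, 'edited' => $edited] as $label => $c) {
    printf("%-8s unchecked=%s checked=%s\n", $label,
        var_export(uid_unchecked($c), true),
        var_export(uid_checked($c, $users), true));
}
```

Because the token covers the stored password hash, changing a password also invalidates every cookie issued before the change.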
- Thursday, January 03 2002 @ 01:06 PM EST
- Contributed by: Tony
- Views: 3,883
There is a small but nasty security bug with fresh installations of Geeklog 1.3. This only pertains to fresh installations of Geeklog 1.3. Turns out with fresh installations, the data includes one orphaned group_assignments record with a user ID of 13. Geeklog's user table on a fresh installation only has 12 users. So the first user that creates an account has access to the GroupAdmin Group and, subsequently, the UserAdmin Group.
If you have already installed a fresh version of Geeklog 1.3 then you need to edit the user with a uid of 13. To get that, do a "SELECT username FROM users WHERE uid = 13" in your favorite MySQL editor. Then in the admin/users.php page edit that user and uncheck both the GroupAdmin Group AND the UserAdmin Group and be sure to leave the Normal User and Logged-in User boxes checked.
Thanks to whoever posted that nasty on our SourceForge site.