Contributed by: Dirk Monday, September 29 2003 @ 04:19 pm EDT
I'm sure by now many of you have heard of the Geeklog security issues that have been posted on lists such as Full Disclosure and Bugtraq.
One of the issues mentioned in that post regards the injection of HTML in the Shoutbox and can easily be addressed, as explained in the story "Fix your Shoutbox![*1] ".
The more scary bits, however, are those of the acclaimed SQL injection. Three members of the Geeklog development team have now been trying to reproduce these issues - and failed. That's not to say that the issues do not exist, but it seems they are a lot harder to exploit than the post claims. Even the person reporting the issues couldn't (or wouldn't) produce a working example.
So, we are still looking into it and will come up with a solution to filter these injections, just in case, eventually. In the meantime, it looks like this issue is not as dramatic as it first seemed.
We would also like to point out that the person who published that report didn't contact us before doing so. It could have avoided a lot of confusion and even misinformation (the post even claims to have found the problem in a 2.x version of Geeklog that doesn't exist yet). This is certainly not a very professional way to handle security issues. Regardless, we are taking the claims seriously and we are looking into the matter as we speak.