Welcome to Geeklog Thursday, November 23 2017 @ 09:14 pm EST

Security Flaw in Geeklog/Gallery Plugin

  • Contributed by:
  • Views: 13,438
Security Those of you Geeklog users who use the Geeklog/Gallery plugin are being advised of a security issue that arises as a result of PHP's register_globals being on. As we explain here we do require register_globals to be on but Geeklog manages this securely. However, the Geeklog/Gallery plugin does not. To be 100% clear, this advisory does not effect Geeklog sites which do not use the Gallery plugin.

For those of you using the Geeklog Gallery plugin, you should comment all references to $GEEKLOG_DIR in the plugin. Instances of this can be found in: /path/to/geeklog/gallery_dir/init.php
/path/to/geeklog/gallery_dir/classes/geeklog/UserDB.php
/path/to/geeklog/gallery_dir/classes/geeklog/User.php
There are four lines total you will need to address. The first occurance in init.php where $GEEKLOG_DIR gets set which is simply fixed by commenting it out. As for theoccurances of

require_once($GEEKLOG_DIR . 'lib-common.php');

be sure to replace the entire string with
require_once '/path/to/geeklog/public_html/lib-common.php';

Hopefully this is clear to everyone. In the meantime, we are contacting the maintainer of the Geeklog/Gallery plugin to make the necessary fix.