Geeklog 1.3.9sr2 and 1.3.8-1sr6
- Friday, October 08 2004 @ 02:00 pm EDT
- Contributed by: Dirk
- Views: 8,561
- A cross site scripting issue, due to the use of the (unfiltered) variable
$topic
in most of the language files (thanks to the anonymous submitter of bug #293). - It was possible to post comments to stories and polls for which comments had been disabled. The comments were never displayed, though, but did show up in the What's New block.
The upgrade to 1.3.9sr2 also includes a lib-plugins.php that fixes problems with plugins on PHP 5. The complete 1.3.9sr2 tarball also includes updated PEAR packages that should resolve email problems that some users had (see this story for details).
For those who made changes in the language files, it may be easier to apply the following fix manually: The 3rd text string in the $LANG05
array should read ' for topic %s'
(instead of using $topic
). This only fixes the XSS vulnerability but not the comment posting bug, for which comment.php has to be replaced.
Users still running on earlier versions may also want to apply the above fix manually. I'd like to point out again, though, that there is no offical support for versions older than 1.3.8 any more and that you should at the very least be running Geeklog 1.3.7sr5 plus the comment posting fix linked from this story.