Topics

User Functions

Events

There are no upcoming events

What's New

Stories last 2 weeks

Comments last 2 weeks

No new comments

Trackbacks last 2 weeks

No new trackback comments

Links last 2 weeks

No recent new links

Downloads last 2 weeks


Welcome to Geeklog Sunday, September 25 2016 @ 11:40 am EDT

Geeklog vulnerable to CSRF

Security
  • Contributed by:
  • Views:
    10,066

While tracking the security issues that have plagued other web applications, we have become aware that Geeklog is vulnerable from so-called Cross-Site Request Forgery (CSRF) attacks. In a nutshell, the idea is for an attacker to perform operations on a site with someone else's privileges. There are multiple possible attack vectors, including tricking you to click on a link or embedding what looks like an image but what is really a script.

Unfortunately, fixing these issues required a lot of changes in Geeklog's code and so we can't provide a simple security fix for earlier releases. The necessary infrastructure has been implemented in Geeklog 1.5.0, which we now consider safe from these attacks. Please note that many 3rd-party plugins are also affected and will also have to be updated.

For older Geeklog versions, here are a few recommendations to minimize the risks:

  • Log out of your Geeklog site once you're done instead of letting the session expire. You may also want to lower the length of time your session is valid (see the "Remember Me For" option in "My Account").
  • Don't visit other websites, especially unknown sites, while you're logged in to your Geeklog site. Alternatively, use two separate browsers, i.e. two different programs. Using separate browser windows or tabs will not help.
  • Consider using an account with a minimal amount of privileges and use a separate account with more privileges only when necessary. For example, to publish stories you don't really need to be a member of the Root group, thus minimizing the potential damage that can be done in the event of a successful CSRF attack on that account.

Plugin authors wanting to update their plugins should read the article on CSRF protection in the Geeklog wiki.

Trackback

Trackback URL for this entry:
https://www.geeklog.net/trackback.php/csrf

[...] issues in Geeklog that we haven't disclosed yet: All Geeklog versions prior to 1.5.0 are vulnerable to cross-site request forgery attacks. There are also some security issues in kses, the HTML filter we're using in Geeklog.Documentation for [...] [read more]

[...] in future releases. Geeklog 1.7.0 also addresses everybody's favourite nuisance, the problem with the expiring CSRF token : Now when the token expires, you will be asked for your password again, after which you can continue as normal (and [...] [read more]

The following comments are owned by whomever posted them. This site is not responsible for what they say.