Contributed by: Dirk on Sunday, June 15 2008 @ 09:59 am EDT
While tracking the security issues that have plagued other web applications, we have become aware that Geeklog is vulnerable to so-called Cross-Site Request Forgery[*1] (CSRF) attacks. In a nutshell, the idea is for an attacker to perform operations on a site with someone else's privileges: your browser sends the request, and it carries your session, so the site treats the action as yours. There are multiple possible attack vectors, including tricking you into clicking a link or embedding what looks like an image but is really a request to the site.
Unfortunately, fixing these issues required a lot of changes in Geeklog's code, so we can't provide a simple security fix for earlier releases. The necessary infrastructure has been implemented in Geeklog 1.5.0[*2], which we now consider safe from these attacks. Please note that many third-party plugins are also affected and will also have to be updated.
For older Geeklog versions, here are a few recommendations to minimize the risks:
Plugin authors wanting to update their plugins should read the article on CSRF protection[*3] in the Geeklog wiki.
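As an added illustration for the forged-link and fake-image vectors described above and for plugin authors updating their code, here is the per-session token pattern that defeats them, written in PHP. This is not Geeklog's own code or the API introduced in 1.5.0; the action name `delete_story`, the field name `csrf_token` and the session handling are assumptions.

```php
<?php
// Added illustration of a CSRF token check; NOT Geeklog's own code or API.
// Assumes PHP sessions are available (the secret lives in $_SESSION).
session_start();

// Issue a token bound to this session and to the action it authorises.
// A forged request from another origin cannot read the session secret,
// so it cannot produce a valid token.
function csrf_token(string $action): string {
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $action, $_SESSION['csrf_secret']);
}

// Verify a submitted token; hash_equals() is a constant-time comparison.
function csrf_check(string $action, ?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_secret'])) {
        return false;
    }
    return hash_equals(csrf_token($action), $submitted);
}

// Rendering the form: the token travels in a hidden field, not a cookie,
// because cookies are sent automatically and are exactly what CSRF abuses.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $token = htmlspecialchars(csrf_token('delete_story'), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<button type="submit">Delete story</button></form>';
    exit;
}

// Handling the state-changing request: a link or <img> tag pointing at
// this URL never carries the token, so it is rejected here.
if (!csrf_check('delete_story', $_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token.');
}
// ... perform the privileged operation here ...
echo 'Story deleted.';
```

State-changing actions should only be accepted via POST with a valid token; a GET that changes state is still forgeable through an image tag even if the token check exists elsewhere.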