Contributed by: Dirk Sunday, February 19 2006 @ 03:30 pm EST
James Bercegay of GulfTech Security Research reported several issues with Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary file access, and even injection and execution of arbitrary code. To fix those issues, we are releasing Geeklog 1.4.0sr1 and 1.3.11sr4 and strongly suggest that you install those updates as soon as possible.
To upgrade from Geeklog 1.3.11sr3, use the 1.3.11sr4 upgrade archive[*3] . If you're running on an older 1.3.11 release, you will have to install the previous updates first. You can, of course, always choose to update to 1.4.0sr1 directly, following the usual upgrade instructions[*4] .
Upgrading to 1.4.0sr1 is also what we suggest to anyone using a Geeklog version older than 1.3.11, as the reported issues also affect all earlier versions.