Welcome to Geeklog Wednesday, November 22 2017 @ 01:46 pm EST

Geeklog 1.4.0sr3 and 1.3.11sr6

  • Contributed by:
  • Views: 10,760
Security The Security Science Researchers Institute Of Iran (KAPDA.ir) has reported the following security issues in Geeklog:
  1. Possible SQL injection and authentication bypass in auth.inc.php
  2. Possible XSS in getimage.php
  3. Path disclosure in getimage.php and the functions.php of some themes, e.g. the Professional theme

Additionally, an internal code review has revealed another possible SQL injection in the story submission.

We are therefore releasing Geeklog 1.4.0sr3 (complete tarball, upgrade archive) and Geeklog 1.3.11sr6 (upgrade archive, combo update) to address these issues and would suggest that you install these as soon as possible.

Read on for more information ...

getimage.php

If you haven't changed Geeklog's images directory from its default location within the web root, then you actually don't need the getimage.php script and can simply remove it. It is only needed to serve images (for articles and user photos) from a directory outside of the web root.

functions.php

The functions.php file is part of every Geeklog theme and can be used to store theme-specific PHP code. It's often used to give left and right blocks a different appearance. Please check if your theme's functions.php contains any PHP code (it may be empty, in which case you can leave it as is). If it does contain PHP code, please add the following at the beginning of that file (right after the opening PHP tag):

if (strpos ($_SERVER['PHP_SELF'], 'functions.php') !== false) {
    die ('This file can not be used on its own!');
}

Older Geeklog versions

As usual, we only offer support for the current and previous versions of Geeklog (1.4.0 and 1.3.11, respectively). If you're still running an older version, now may be a good time to upgrade.

In the meantime, the above two items (getimage.php and functions.php) also apply to any older Geeklog release. If you're on Geeklog 1.3.9 or 1.3.10, then the new auth.inc.php for Geeklog 1.3.11 should also work with those versions (no guarantees for older releases). Still, it may be better to upgrade now.

A note on FCKeditor

Since we're talking about security issues: A security issue has recently been found in FCKeditor, which we ship with Geeklog 1.4.0. However, the issue affects FCKeditor's file manager which we don't use (we're shipping the MCPUK version of the file manager instead), so Geeklog 1.4.0 installs are not affected, as far as we know. If you want to be on the save side, you can still remove the FileUpload.php script from /path/to/geeklog/public_html/fckeditor/editor/ filemanager/browser/mcpuk/connectors/php/Commands.

Those of you who upgraded FCKeditor to version 2.2 (Geeklog 1.4.0 is shipping with version 2.1), however, should probably upgrade to FCKeditor 2.3.

Geeklog 1.4.1

For Geeklog 1.4.1, we are concentrating on bugfixes and further security enhancements. In fact, the issue regarding auth.inc.php had already been spotted and fixed before the KAPDA report arrived, so it looks like we're on the right track. We expect to have a release candidate of Geeklog 1.4.1 available by the end of June.