Geeklog 1.5.1 Security Fixes
- Monday, September 22 2008 @ 03:09 PM EDT
- Contributed by:Dirk
Geeklog 1.5.1 addresses the following security issues:
- The recently reported file upload issue in FCKeditor. A fix is now included. When upgrading from earlier versions, we strongly recommend that you remove your old copy of the "fckeditor" directory and replace it with the version that ships with Geeklog 1.5.1 to ensure that old files are removed and replaced properly.
- Mark Evans reported that our protection against direct execution of include files did not work properly on non-case sensitive file systems (e.g. on Windows). This only affects sites that weren't installed correctly in the first place (the files in question should not be reachable from the web). This includes sites installed through Fantastico, though.
The following issues are bugs in Geeklog 1.5.0 regarding the access control for stories:
- It was possible to view stories with a publication date in the future and stories that had the draft flag set if you knew their story ID.
- It was possible to post comments on unpublished stories if you knew their story ID.