
Geeklog 1.5.2sr2

Security
  • Saturday, April 04 2009 @ 01:40 PM EDT
  • Views: 9,731

Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works against Geeklog. The flaw lets an attacker extract the password hash of any account. It is fixed in this release, and it is present in all Geeklog versions prior to 1.5.2sr2.

You can download an upgrade archive for Geeklog 1.5.2sr1 or the complete 1.5.2sr2 tarball to upgrade from any previous version.

The upgrade tarball contains only one file (a drop-in replacement for lib-sessions.php) and can also be used to fix the issue on Geeklog 1.5.0 and 1.5.1. As reported in the comments below, that file does not work on Geeklog 1.4.1; a separate lib-sessions.php for 1.4.1 was posted later and must not be used on 1.5.x.

As a temporary measure until you upgrade (and to secure older Geeklog releases that are no longer supported), you can also make the following configuration change, at the risk of inconveniencing some of your users:

In Geeklog 1.5.x, go to Configuration > Geeklog > Miscellaneous > Cookies and set the option "Cookies embed IP?" to "True". On older Geeklog releases, open your config.php file, find the line $_CONF['cookie_ip'] = 0; and change it to $_CONF['cookie_ip'] = 1;. The downside of this change is that the long-term cookie no longer works for users whose IP address changes, i.e. they will have to log in again more often. It is a workaround, not a fix: the real fix is the corrected lib-sessions.php.
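The announcement does not reproduce the vulnerable query, so the following is an added illustration of the bug class rather than Geeklog's own code: a session lookup that splices the raw session cookie into SQL, beside the parameterized form. The table names, column names, the session id and the hash value are all constructed for the demo and do not correspond to Geeklog's real schema or to the published exploit.

```php
<?php
// Added illustration, not Geeklog's code: cookie value interpolated into SQL
// versus bound as a parameter. Schema and rows are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, passwd TEXT)");
$db->exec("CREATE TABLE sessions (sess_id TEXT, uid INTEGER)");
// Constructed sample data: one account with a (fake) password hash, one valid session.
$db->exec("INSERT INTO users VALUES (2, 'Admin', '5f4dcc3b5aa765d61d8327deb882cf99')");
$db->exec("INSERT INTO sessions VALUES ('abc123', 2)");

// Vulnerable: the cookie value becomes part of the SQL text, so a quote in it
// ends the literal and the rest of the cookie is executed as SQL.
function uidFromSessionVulnerable(PDO $db, string $cookie): ?string
{
    $sql = "SELECT uid FROM sessions WHERE sess_id = '$cookie'";
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? (string) $row[0] : null;
}

// Hardened: the cookie is bound as a parameter; whatever it contains, the
// query shape is fixed and it can only ever match or not match a sess_id.
function uidFromSessionSafe(PDO $db, string $cookie): ?string
{
    $stmt = $db->prepare("SELECT uid FROM sessions WHERE sess_id = ?");
    $stmt->execute([$cookie]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? (string) $row[0] : null;
}

// Constructed hostile cookie: closes the string literal, UNIONs a row from the
// users table into the result and comments out the trailing quote.
$evil = "x' UNION SELECT passwd FROM users WHERE username = 'Admin' -- ";

printf("vulnerable, hostile cookie: %s\n", var_export(uidFromSessionVulnerable($db, $evil), true));
printf("safe, hostile cookie:       %s\n", var_export(uidFromSessionSafe($db, $evil), true));
printf("safe, real cookie:          %s\n", var_export(uidFromSessionSafe($db, 'abc123'), true));
```

Run with the php CLI (SQLite PDO driver required). The vulnerable lookup returns the Admin password hash in the column where a user id was expected, which is exactly the class of leak the announcement describes; the parameterized lookup returns null for the hostile cookie and the correct uid for the genuine one. The rule is the same whatever database layer a project uses: a cookie is attacker-controlled input and must never be concatenated into query text.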

Trackback

Trackback URL for this entry:
https://www.geeklog.net/trackback.php/geeklog-1.5.2sr2

[...] Geeklog 1.5.2sr2 ::Ben 05 April 2009 - 08:49 Read 0 New security hole and new security release Geeklog 1.5.2sr2 for versions 1.5.0 to 1.5.2. Bookoo of the Nine Situations Group posted an SQL injection [...]

[...] from the previous version. This notice came from the Geeklog.net site and you can see more details at the following link. Trackback URL for this entry: http://glhispano.alcancelibre.org/trackback.php/geeklog-1.5.2sr2 No trackback [...]

[...] each time their IP changes, since the long-term session cookie will stop working. Source: Geeklog. Source: Alcance Libre [...]

  • Geeklog 1.5.2sr2
  • Authored by: LWC on Saturday, April 04 2009 @ 02:44 PM EDT
By "as a temporary measure", did you mean "as a temporary measure until you actually upgrade"? That is, is it not needed for those who actually employ the upgrade?
  • Geeklog 1.5.2sr2
  • Authored by: Dirk on Saturday, April 04 2009 @ 03:03 PM EDT

Yes, that's what I meant.

  • Login not working on Geeklog 1.4.1
  • Authored by: ::Ben on Sunday, April 05 2009 @ 04:22 AM EDT
After I sign in on a patched Geeklog 1.4.1, it's as if I'm not logged in: the user login block is still there and I can't access the admin area. If I un-patch the CMS and refresh the page, I'm logged in and can access the admin features.

::Ben

---
Support and French community [ www.geeklog.fr ]
  • Login not working on Geeklog 1.4.1
  • Authored by: 1000ideen on Sunday, April 05 2009 @ 04:40 AM EDT
I'm afraid it does not work with GL 1.4.1. Unfortunately I found out after patching about 10 installations.

A replacement file for GL 1.4.1 is urgently needed.
  • Login not working on Geeklog 1.4.1
  • Authored by: Dirk on Sunday, April 05 2009 @ 04:50 AM EDT

Yeah, sorry about that - the 1.5.x code relies on another change in lib-security.php that's not present in 1.4.1.

  • lib-sessions.php for Geeklog 1.4.1
  • Authored by: Dirk on Monday, April 06 2009 @ 03:02 PM EDT

As it turns out (see above), the upgrade archive does not work with Geeklog 1.4.1. An updated lib-sessions.php for Geeklog 1.4.1 is now available.

Do not use that file with Geeklog 1.5.x!

  • Geeklog 1.5.2sr2
  • Authored by: mystral-kk on Thursday, April 09 2009 @ 08:08 PM EDT
Applying this patch (lib-sessions.php) to Geeklog 1.5.0 prevented me from logging into the site (on MS Windows and Linux). When I undid the patch, I was able to log in again. I don't have this inconvenience with GL 1.5.1, though.


---
-- mystral-kk, "Every cloud has a silver lining."