Contributed by: Dirk Saturday, April 04 2009 @ 01:40 pm EDT
Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This issue allowed an attacker to extract the password hash for any account and is fixed with this release. Please note that this problem exists in all Geeklog versions prior to 1.5.2sr2.
The upgrade tarball contains only one file (a drop-in replacement for lib-sessions.php) and can also be used to fix the issue on Geeklog 1.4.1, 1.5.0, and 1.5.1.
As a temporary measure (and to secure older Geeklog releases that are not supported any more), you can also make the following configuration change, at the risk of inconveniencing some of your users:
In Geeklog 1.5.x, go to Configuration > Geeklog > Miscellaneous > Cookies and change the option "Cookies embed IP?" to "True". On older Geeklog releases, open your config.php file, find the option $_CONF['cookie_ip'] and change its value from "= 0;" to "= 1;". The downside of this configuration change is that the long-term cookie won't work any more for users with changing IP addresses, i.e. they will have to log in again more often.
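To illustrate both halves of the advice above, here is an added PHP example of a long-term-cookie lookup. It is not Geeklog's lib-sessions.php and does not reproduce the flaw; it shows the two defensive properties a session lookup should have: the cookie value is passed to the database through a prepared statement rather than concatenated into SQL, and when a cookie_ip-style option is enabled the session is only honoured from the IP address it was issued to. The table name, column names, the session_timeout key and the sample rows are assumptions constructed for a stand-alone run; only $_CONF['cookie_ip'] comes from the advisory.

```php
<?php
// Added example (not Geeklog's code): hardened long-term-cookie lookup.
// Uses an in-memory SQLite database so it runs stand-alone.

// Constructed schema and sample session row (assumed names, not Geeklog's).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sess_id TEXT, uid INTEGER, remote_ip TEXT, start_time INTEGER)');
$ins = $db->prepare('INSERT INTO sessions (sess_id, uid, remote_ip, start_time) VALUES (?, ?, ?, ?)');
$ins->execute(['abc123', 42, '192.0.2.10', time()]);

// Constructed configuration. cookie_ip mirrors the advisory's option;
// session_timeout is an assumed key used only by this example.
$_CONF = [
    'cookie_ip'       => 1,          // 1 = bind the long-term cookie to the client IP
    'session_timeout' => 30 * 86400, // assumed lifetime of a long-term session, in seconds
];

/**
 * Resolve a long-term cookie value to a user id.
 * Returns 0 (anonymous) when the cookie is unknown, expired, or, with
 * cookie_ip enabled, presented from a different address than it was issued to.
 */
function lookupLongTermCookie(PDO $db, array $conf, string $cookieValue, string $clientIp): int
{
    // The cookie value is client-controlled: it goes in as a bound parameter,
    // so its contents can never change the structure of the query.
    $stmt = $db->prepare('SELECT uid, remote_ip, start_time FROM sessions WHERE sess_id = :sid');
    $stmt->execute([':sid' => $cookieValue]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 0; // unknown session id
    }
    if (time() - (int) $row['start_time'] > $conf['session_timeout']) {
        return 0; // expired
    }
    if (!empty($conf['cookie_ip']) && $row['remote_ip'] !== $clientIp) {
        // Same cookie, different address: reject. This is the trade-off the
        // advisory mentions for users whose IP address changes.
        return 0;
    }
    return (int) $row['uid'];
}

// Legitimate use from the address the session was issued to: resolves to uid 42.
var_dump(lookupLongTermCookie($db, $_CONF, 'abc123', '192.0.2.10'));
// The same cookie presented from another address is rejected while cookie_ip is on.
var_dump(lookupLongTermCookie($db, $_CONF, 'abc123', '198.51.100.7'));
// A cookie value containing SQL metacharacters is just an unknown session id.
var_dump(lookupLongTermCookie($db, $_CONF, "' OR 1=1 --", '192.0.2.10'));
```

Run it with the PHP CLI (the pdo_sqlite extension is required). The first call returns the user id, the other two return 0. Binding parameters is the real fix for the class of bug the advisory describes; the IP check is the stop-gap the advisory offers for installations that cannot apply the patched lib-sessions.php, and it does not on its own prevent injection.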