Security issues in Geeklog 1.3.5
- Monday, June 10 2002 @ 02:45 am EDT
- Contributed by: Dirk
- Views: 6,927
We have been made aware of several security issues with Geeklog 1.3.5 (earlier versions are probably affected as well). These allow for the injection of malicious javascript code which could be used e.g. to take over the admin's cookie. There is also an issue that allows the injection of MySQL requests from outside, possibly exposing data or even damaging the database (under certain circumstances). Details about these problems will be posted on the Bugtraq list later today.
In order to secure your installations, we have released Geeklog 1.3.5sr1 which addresses these issues. You are strongly encouraged to upgrade to this version as soon as possible.
If your site is running Geeklog 1.3.5, you could also download this file which contains just the affected files. After uploading them, your installation will be secure. Please note that this may overwrite customisations you may have made to the affected files.
With CVS not in a releasable state and Tony being out of town, this issue caught us at some unfortunate time in the development process. So what you have here is a joint effort of the rest of the team to fix theses issues and secure your data again.
Since Geeklog 1.3.6 is not ready for prime time yet, it was decided to base this release on Geeklog 1.3.5. Besides the security issues, it also includes some minor fixes, e.g. the missing field 'emailfromadmin' and a fix for the batch user import. Details are available from the docs/history file that comes with this release.
We would like to thank the people at olympos.org who found the security issues and gave us the necessary time to fix them.
bye, Dirk