
Geeklog security issues (and 1.3.7sr2 update)

Security
  • Monday, May 26 2003 @ 04:45 PM EDT

Security issues have been found with Geeklog 1.3.7sr1 (and older versions), one of which actually opens up the possibility to gain Admin control over a Geeklog site. We are therefore releasing Geeklog 1.3.7sr2 and strongly recommend that you upgrade to that version as soon as possible.

There is an upgrade archive (from 1.3.7sr1) available, as well as a full 1.3.7sr2 release. See the documentation for details.

This is the first major security issue with Geeklog that has been found in a long time and that actually enables an attacker to gain Admin control of a site. It was reported to us a few days ago and we are not aware of any sites being hacked as a result of this, since it does require a bit of knowledge to exploit. However, since we do take security seriously, we would like to point out again that it is important that you install this update ASAP.

For those who are still running on versions older than 1.3.7sr1 and who, for whatever reason, cannot upgrade the entire site now, please do at least this:

  1. Make sure you have the following variables in your config.php:
    $_CONF['cookie_session']                = 'gl_session';
    $_CONF['cookie_name']                   = 'geeklog';
    $_CONF['cookie_password']               = 'password';
    $_CONF['cookie_theme']                  = 'theme';
    $_CONF['cookie_language']               = 'language';
    $_CONF['cookie_lastvisit']              = 'LastVisit';
    $_CONF['cookie_lastvisittemp']          = 'LastVisitTemp';
    
    $_CONF['cookie_ip']                     = 0;
    $_CONF['default_perm_cookie_timeout']   = 604800;
    $_CONF['session_cookie_timeout']        = 7200;
    $_CONF['cookie_path']                   = '/';
    $_CONF['cookiedomain']                  = '';
    $_CONF['cookiesecure']                  = 0;
    
    Actual values may differ - just make sure you have all those variables defined.
  2. Only then replace the file system/lib-sessions.php with the one that is included in the 1.3.7sr2 full or upgrade tarball.
  3. Disable image upload by setting
    $_CONF['maximagesperarticle']   = 0;
    $_CONF['allow_user_photo']    = 0;
    in your config.php

The above steps should only be considered a temporary measure. If you're still running on versions older than 1.3.7sr1 (and thus cannot upgrade to 1.3.7sr2 by simply replacing the files from the upgrade tarball) your site may be vulnerable to other security issues that have been fixed in previous releases. So now would be a good time to finally make that upgrade!

bye, Dirk
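
A pre-flight check for the three temporary steps above, as an added example (not part of the original announcement and not Geeklog code): it reads a config.php as text, reports which of the listed cookie variables are not defined, and flags image-upload settings that are not 0. The function names and the sample config are constructed for illustration.

```python
import re

# Step 1 of the announcement: every one of these must be defined in config.php
# before system/lib-sessions.php is replaced.
REQUIRED_KEYS = (
    "cookie_session", "cookie_name", "cookie_password", "cookie_theme",
    "cookie_language", "cookie_lastvisit", "cookie_lastvisittemp",
    "cookie_ip", "default_perm_cookie_timeout", "session_cookie_timeout",
    "cookie_path", "cookiedomain", "cookiesecure",
)
# Step 3: both must be 0 to disable image upload.
UPLOAD_KEYS = ("maximagesperarticle", "allow_user_photo")

# Matches live assignments such as  $_CONF['cookie_ip'] = 0;
# Lines starting with // or # cannot match because of the ^ anchor.
ASSIGN_RE = re.compile(
    r"""^[ \t]*\$_CONF\[\s*(['"])(\w+)\1\s*\]\s*=\s*([^;]*);""", re.MULTILINE
)

# Constructed sample, not a real site's config.php.
SAMPLE_CONFIG = r"""<?php
$_CONF['cookie_session']              = 'gl_session';
$_CONF['cookie_name']                 = 'geeklog';
$_CONF['cookie_password']             = 'password';
$_CONF['cookie_theme']                = 'theme';
$_CONF['cookie_language']             = 'language';
$_CONF['cookie_lastvisit']            = 'LastVisit';
$_CONF['cookie_lastvisittemp']        = 'LastVisitTemp';
// $_CONF['cookie_ip']                = 0;
$_CONF['default_perm_cookie_timeout'] = 604800;
$_CONF['session_cookie_timeout']      = 7200;
$_CONF['cookie_path']                 = '/';
$_CONF['cookiedomain']                = '';
/*
$_CONF['cookiesecure']                = 0;
*/
$_CONF['maximagesperarticle']         = 0;
$_CONF['allow_user_photo']            = 1;
?>
"""


def parse_conf(php_source):
    """Return {key: raw value} for uncommented $_CONF assignments (last wins)."""
    # Drop /* ... */ blocks first so assignments inside them are not counted.
    source = re.sub(r"/\*.*?\*/", "", php_source, flags=re.DOTALL)
    return {m.group(2): m.group(3).strip() for m in ASSIGN_RE.finditer(source)}


def audit(php_source):
    """Check a config.php against steps 1 and 3 of the temporary workaround."""
    settings = parse_conf(php_source)
    missing = [k for k in REQUIRED_KEYS if k not in settings]
    upload_enabled = [
        k for k in UPLOAD_KEYS if settings.get(k, "").strip("'\"") != "0"
    ]
    return {
        "missing": missing,                # define these before step 2
        "upload_enabled": upload_enabled,  # set these to 0 (step 3)
        "safe_to_replace_lib_sessions": not missing,
    }


if __name__ == "__main__":
    for name, value in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {value}")
```

The parser is text-based and only recognises simple one-line assignments; a value containing a semicolon is truncated, which does not affect the presence and zero checks.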

The following comments are owned by whomever posted them. This site is not responsible for what they say.

  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Monday, May 26 2003 @ 07:46 PM EDT
Does 1.3.7sr2 contain the various other changes and fixes from CVS, or is it only to address this specific security issue?
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Blaine on Monday, May 26 2003 @ 08:39 PM EDT
The 1.3.7 SR2 release only contains the Security Fix and is a branch off of 1.3.7

The current CVS release has all the new code that will be the 1.3.8 release.

Blaine
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Thursday, June 05 2003 @ 04:06 PM EDT
alert("as of June 5, 2003 newsphp is vulnerable to xss - discovered by morning_wood http://exploitlabs.com")
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:rawdata on Thursday, June 05 2003 @ 07:38 PM EDT
morning_wood must not be any good. Geeklog doesn't have any files by that name. Nice try.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:ScurvyDawg on Tuesday, May 27 2003 @ 03:51 AM EDT
I will do everything as you instruct but I do have one question.

With these new settings, image uploading is turned off? Is that altogether? Meaning no images uploading into the database is now allowed??

Sorry if I misunderstand, that is why I ask.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Dirk on Tuesday, May 27 2003 @ 05:15 AM EDT
The above instructions to turn off image upload are only for those who are running an old version of Geeklog. It's meant as a temporary measure prior to an upgrade to 1.3.7sr2.

If you upgrade to 1.3.7sr2 right away, you don't need to turn off image upload, since the upgrade includes fixes for this vulnerability.

And, yes, setting both $_CONF['maximagesperarticle'] and $_CONF['allow_user_photo'] to 0 will prevent any form of image upload in Geeklog (at least for the core functions - plugins are a different matter ...).

bye, Dirk
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Tuesday, May 27 2003 @ 04:45 PM EDT
Oh oh. I use the menu plugin, which hacks the main index.php. I guess I'll have to re-install the plugin. Does anyone know if it works with this new version?

It seems what we are talking about here is completely re-installing the site.

Dang.
  • Regarding the menu plugin
  • Authored by:chief123 on Tuesday, May 27 2003 @ 05:20 PM EDT
Actually the index.php part of the update was released a few days ago.

I asked then about the menu plugin which replaces the *original* index.php and there weren't any responses except someone saying theirs was working.

But, it seems to me from trying to compare the new index.php and the menu plugin version of index.php that they are different.

So I uninstalled the menu plugin since I wanted the security fix more than the cool menus. I'd like to have both though if someone has a definitive answer.

  • Regarding the menu plugin
  • Authored by:Anonymous on Tuesday, May 27 2003 @ 09:04 PM EDT
Well, I just did the upgrade and the menu plugin does indeed work just fine. I think "SOMEBODY" must have done something here in anticipation of this potential problem. Tomorrow I will try to find out why the plugin still works. Too tired right now and PHP is still much too new to me.

I'm a happy camper, even if geeklog is something of a black box to me.
  • Bug in security patch?
  • Authored by:klync on Tuesday, May 27 2003 @ 05:23 PM EDT
I installed the upgrade package, replacing the existing files one at a
time after comparing for differences. Well, everything seemed fine,
but now some of my users are having problems. People who were
given story.edit permissions are being denied, and the error log
shows a blank space where their user name should be (i.e. "User
tried to illegally submit or edit story 20030527171709411 ). All
other aspects of the site treat the person like they're logged in,
except this.
  • Bug in security patch?
  • Authored by:Dirk on Tuesday, May 27 2003 @ 06:21 PM EDT
Make sure the topic permissions for those users are correct.

The missing user name in the error.log entry is a bug: The variable $_USER isn't declared as a global variable in function submitstory() in admin/story.php. It shouldn't have anything to do with your problems, though.

bye, Dirk
  • Bug in security patch?
  • Authored by:klync on Wednesday, May 28 2003 @ 09:58 AM EDT
Thanks Dirk,

That seems to have worked. It's ironic that I had the topic/group
permissions set up wrong the whole time, but didn't notice because
of the bug.

My apologies to the developers who provided the upgrade, for
insinuating that the fix was broken. I'm glad I'm wrong!
  • How to update
  • Authored by:Anonymous on Wednesday, May 28 2003 @ 11:58 AM EDT
Is there some nice way to update and keep the changes I've made
to the files? I can diff each file but I'm hoping there is a script :-)

Yes, I'm lazy
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Wednesday, May 28 2003 @ 04:21 PM EDT
I use version 1.3.6 but the documentation doesn't specifically mention if I need to upgrade my db. Can someone please clarify this for me? Is 1.3.6 some sort of black-sheep version that most people don't use or something?

If I misunderstood the documentation, then apologies in advance.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Wednesday, May 28 2003 @ 04:37 PM EDT
I don't believe there are any DB changes from 1.3.6 to 1.3.7.

And yeh .. you really should upgrade ;)
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Dirk on Wednesday, May 28 2003 @ 05:12 PM EDT
There were database changes from 1.3.6 to 1.3.7 - or rather fixes for wrong values in some of the older versions.

There have always been database changes when the Geeklog version number changes (e.g. from 1.3.6 to 1.3.7, but not from 1.3.7 to 1.3.7sr1).

And 1.3.6 is not a "black sheep version" - not sure why you would think that.

bye, Dirk
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Wednesday, May 28 2003 @ 05:52 PM EDT
My point is that my geeklog-1.3.7sr2/sql/updates directory has upgrade scripts for lots of versions but nothing for 1.3.6 to 1.3.7. If there are db changes, then shouldn't there be a script? Apparently not, since it says "the installation script" which I now see is different from an "sql update script" (as found in sql/updates) will do the changes for me. Which leaves me wondering why there isn't a php file for 1.3.6 to 1.3.7. Oh well, i'll try installing and see what happens. Thanks.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Dirk on Wednesday, May 28 2003 @ 06:27 PM EDT
Simple reason: The changes from 1.3.6 to 1.3.7 are hard-coded in the install script.

bye, Dirk
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Thursday, May 29 2003 @ 12:23 AM EDT
I tried upgrading my 1.3.6 to 1.3.7sr2, but every time I get to the install script step, the db upgrade fails. However, if I just forget about that and load up the site, everything works just fine, as far as I can tell.

The error I'm getting from the install script is:
1044: Access denied for user: 'FOO@localhost' to database 'FOO'

Naturally, I've replaced my user and db names with FOO for obfuscation.

What can I do here? The site seems to work, and the user/db/password are clearly working because the site, using the 1.3.7sr2 scripts, is clearly getting accessed and serving up the right stuff. So what would possibly cause the access error?

One strange bit about the setup I have. I have to work with the system that I'm given. By default the web-accessible directory is ~, not ~/public_html/. So, I have geeklog installed in ~/geeklog-1.3.7sr2/ and then copied ~/geeklog-1.3.7sr2/public_html/* to ~ (with cp -a). Clearly config.php and lib-common.php are doing the "right thing" and reading the files from the appropriate locations, but is there some odd bit of the upgrade script that would prevent a setup like this from working? It doesn't seem to make sense to me, but I don't understand php/mysql.

Any and all help appreciated. :^) Can provide more details, if necessary. ;^)
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Friday, May 30 2003 @ 07:40 PM EDT
I think I will wait for the patch to stabilize. I think I have less chance being hacked than taking a chance and having to deal with a customer's site all weekend. Damn, things 'just' got quiet!
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Dirk on Saturday, May 31 2003 @ 03:58 AM EDT
I wouldn't wait with the upgrade, if I were you.

The above post seems to be a local issue with the poster's MySQL install (and I think it was solved on IRC yesterday). Nothing to do with Geeklog or the update.

To repeat: This is a really serious issue. If you know how, you can log into any unpatched site as the Admin. Surely, you don't want that?

bye, Dirk
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Saturday, May 31 2003 @ 04:41 PM EDT
this really IS a serious issue

i run a 1.3.6. (in a subdirectory) and today someone hacked into my site (root) and deleted index.shtml and has put index.php instead.
(that's the way i found out about the exploit, when i got to here ... this reminds me ... there should be a mailinglist for admins of geek, where dirk (or someone with proper permission) could inform us about that kind of serious issues ... maybe this mailing list could be part of geek installation ... it could (minding user settings) automatically mail-out new articles in folder announcements, or all of them, or something)

that means that any file can be removed by the hacker (or is it cracker)?

i made temporary changes to my geeklog, hope all goes well with upgrade in next day or so.



ps
anyone can search for
Powered By GeekLog
if he/she has reason(s)
  • Geeklog security issues - this really IS a serious issue
  • Authored by:gape on Saturday, May 31 2003 @ 04:45 PM EDT
(i always do that stupidity - sorry for double posting)
  • Geeklog security issues - this really IS a serious issue
  • Authored by:Dirk on Saturday, May 31 2003 @ 04:52 PM EDT

The issues that are fixed with 1.3.7sr2 should not enable anyone to upload files to your site. You may have another problem in your setup (see, for example, the comments on issues with Gallery in this thread).

Also, there is a geeklog-announce mailing list - the update was announced there. And, of course, the "GL Version Test" link in your Admin menu.

bye, Dirk

  • Geeklog security issues - this really IS a serious issue
  • Authored by:gape on Saturday, May 31 2003 @ 05:08 PM EDT
i made changes just now
i still run v1.3.6.
i hope i don't have another problem

i'm going for geeklog announce mailinglist right now

version test tells me only about my current version and currently the newest version of geek.

i know that i'm running old version, but i had a nightmare upgrading to 136 (i got thru just all the bugs there were, the one that emptied my database all over again (cause of incomplete language file) harassed me most), and i wanted to upgrade to next clean version, that would be 1.3.8., but it seems that i will have to upgrade to 137 first.
i won't even ask when the 138 release will be released.

nevertheless

i must upgrade one more install of geek that i administer, this one is version 137r1
that means that i can replace old files with new ones.
the only trouble is with config.php
is there any new stuff in it besides warning about allowable html???
  • Geeklog security issues - this really IS a serious issue
  • Authored by:gape on Saturday, May 31 2003 @ 06:11 PM EDT
i upgraded all files that are in tarball except config.php
version test tells me that i'm still running version 137sr1.
i see that version is read from config.php ...
i suppose i'm encouraged to look at cvs or something for changes of config.php.
if there are just these two changes, pls let me know.
it's too late now for a 'cvs journey'.
  • Geeklog security issues - this really IS a serious issue
  • Authored by:Dirk on Saturday, May 31 2003 @ 06:24 PM EDT
Yes, the only changes in config.php were the version number and the warning about allowed HTML.

bye, Dirk
  • Geeklog security issues - this really IS a serious issue
  • Authored by:gape on Saturday, May 31 2003 @ 06:53 PM EDT
tnx a lot
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:dgaussin on Sunday, June 01 2003 @ 05:49 AM EDT
I installed the upgrade package on a fresh 1.3.6sr1 replacing all the existing files. And since, I can't make any changes in the block editor. I tried to rename a block or uncheck active field. Nothing happens and I have no error message. I tried the same before 1.3.6sr2 and everything worked then... Any idea ?
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Monday, June 02 2003 @ 09:23 AM EDT
First casualties of the recently announced Geeklog Admin Access and Execution of Arbitrary Code vulnerabilities: php-princess.net, info-choc.com, marylandarts.net, rocteur.cc

http://www.rootsecure.net/?p=link&l=2069
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:rawdata on Monday, June 02 2003 @ 05:23 PM EDT
Why don't you be more specific in what you did to hack up those sites?
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Monday, June 02 2003 @ 05:00 PM EDT
A quick-and-dirty upgrade howto to upgrade
from 1.3.5 to 1.3.7sr2 ?

Thanks a lot.

  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Monday, June 02 2003 @ 05:03 PM EDT
I forgot to mention what I already did:

- I backed up my /home/geeklog directory (tar.gz)
- I backed up /var/lib/mysql/database/geeklog*

I imagine I must run something like:

mysql geeklog -u root -p < upgrade_from1.3.5_to_1.3.6
mysql geeklog -u root -p < upgrade_from1.3.6_to_1.3.7

and then unpack the 1.3.7sr2 tar.gz file.

Is that right?

Thanks a lot for your help, guys.

  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:rawdata on Monday, June 02 2003 @ 05:39 PM EDT
Sorry, I didn't see your last comment because the page was cached. I'm not sure what you need to run from the command line. I don't think you have to do incremental upgrades, but Dirk or another developer would know for sure.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:rawdata on Monday, June 02 2003 @ 05:19 PM EDT
-- Backup your entire database and files
-- Upload 1.3.7sr2 and overwrite your files
-- Use the install script but select upgrade instead of new install
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Tuesday, June 03 2003 @ 05:50 AM EDT
I unpacked the tar.gz file, and modified the config.php and lib-common.php files. I ran the admin/check.php script, obtaining:

>Results: 3 of 4 tests performed: 3 successful, 0 failed.
>Test passed
>Congratulations! Your Geeklog site is set up properly and ready to go.

Then I ran the install.php script and upgraded database from 1.3.5. But when I visit my geeklog site I get:

1054: Unknown column 'photo' in 'field list'

Any idea?
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Tuesday, June 03 2003 @ 06:01 AM EDT
I imagined what happened and did a:

ALTER TABLE users ADD photo varchar(128) DEFAULT NULL

in phpMyAdmin, and now works. Thanks a lot.

(I'm still in doubt about WHY the automatic upgrade failed).

Anyway, thanks all.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:gape on Monday, June 02 2003 @ 05:49 PM EDT
well
i upgraded successfully
from 136 to 137sr2

the only thing i would like to mention:
the upgrade instructions don't tell that i should restore public_html/images/articles
and so on
i think the /icons are needed too ...

just a suggestion ... there aren't that many places you can upload images (those public_html/images/articles are from direct upload ie
// Story Settings
$_CONF['maximagesperarticle'] )

the vulnerability ...

tnx for the cool software ...
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Monday, June 02 2003 @ 07:42 PM EDT
I upgraded my 1.36 site to 1.3.7sr2 (copied files and ran the upgrade option in the install). Everything went fine, but when I do a version check it still says I am running 1.3.6.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:rawdata on Monday, June 02 2003 @ 07:54 PM EDT
Sounds like you didn't upgrade your config.php file. That is where the version is located.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Monday, June 02 2003 @ 08:08 PM EDT
Yeah...that was probably it. Trying to save my config...I'll try that out.
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Tuesday, June 03 2003 @ 07:23 AM EDT
After updating I've lost the "username/password" block. How do I add it? I imagine it's just adding a new block with a given code name such as "block_login" or something like that.

Please help :(
  • Geeklog security issues (and 1.3.7sr2 update)
  • Authored by:Anonymous on Wednesday, June 04 2003 @ 11:58 PM EDT
I believe that's the User Functions block (user_block).