Geeklog security issues (and 1.3.7sr2 update)
- Monday, May 26 2003 @ 04:45 pm EDT
- Contributed by: Dirk
- Views: 27,876
Security issues have been found with Geeklog 1.3.7sr1 (and older versions), one of which actually opens up the possibility to gain Admin control over a Geeklog site. We are therefore releasing Geeklog 1.3.7sr2 and strongly recommend that you upgrade to that version as soon as possible.
There is an upgrade archive (from 1.3.7sr1) available, as well as a full 1.3.7sr2 release. See the documentation for details.
This is the first major security issue found in Geeklog in a long time that actually enables an attacker to gain Admin control of a site. It was reported to us a few days ago and we are not aware of any sites having been hacked as a result of it, since it does require a bit of knowledge to exploit. However, since we do take security seriously, we would like to point out again that it is important that you install this update ASAP.
For those who are still running on versions older than 1.3.7sr1 and who, for whatever reason, can not upgrade the entire site now, please do at least this:
- Make sure you have the following variables in your config.php (actual values may differ; just make sure all of these variables are defined):

  $_CONF['cookie_session'] = 'gl_session';
  $_CONF['cookie_name'] = 'geeklog';
  $_CONF['cookie_password'] = 'password';
  $_CONF['cookie_theme'] = 'theme';
  $_CONF['cookie_language'] = 'language';
  $_CONF['cookie_lastvisit'] = 'LastVisit';
  $_CONF['cookie_lastvisittemp'] = 'LastVisitTemp';
  $_CONF['cookie_ip'] = 0;
  $_CONF['default_perm_cookie_timeout'] = 604800;
  $_CONF['session_cookie_timeout'] = 7200;
  $_CONF['cookie_path'] = '/';
  $_CONF['cookiedomain'] = '';
  $_CONF['cookiesecure'] = 0;

- Only then replace the file system/lib-sessions.php with the one that is included in the 1.3.7sr2 full or upgrade tarball.
- Disable image upload by setting the following in your config.php:

  $_CONF['maximagesperarticle'] = 0;
  $_CONF['allow_user_photo'] = 0;
The above steps should only be considered a temporary measure. If you're still running on versions older than 1.3.7sr1 (and thus can not upgrade to 1.3.7sr2 by simply replacing the files from the upgrade tarball) your site may be vulnerable to other security issues that have been fixed in previous releases. So now would be a good time to finally make that upgrade!
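For those following the stop-gap steps above, here is an added pre-flight check (it is not part of Geeklog and not from this announcement) that tells you whether your config.php is ready before you swap in the new system/lib-sessions.php. It assumes it is run from the command line in the directory that holds config.php; the $configFile path and the script name are assumptions, and the list of variable names is the one given in the steps above.

```php
<?php
// Added pre-flight check for the temporary measures above (not Geeklog code).
// Assumed: run as "php check_config.php" from the Geeklog directory that
// contains config.php. Adjust $configFile if your config lives elsewhere.
$configFile = dirname(__FILE__) . '/config.php';   // assumed location

// Cookie/session variables that must be defined before the replacement
// lib-sessions.php from 1.3.7sr2 is dropped into an older install.
$requiredCookieVars = array(
    'cookie_session', 'cookie_name', 'cookie_password', 'cookie_theme',
    'cookie_language', 'cookie_lastvisit', 'cookie_lastvisittemp',
    'cookie_ip', 'default_perm_cookie_timeout', 'session_cookie_timeout',
    'cookie_path', 'cookiedomain', 'cookiesecure',
);

// Image upload must stay disabled while the old code is in place.
$mustBeZero = array('maximagesperarticle', 'allow_user_photo');

if (!is_readable($configFile)) {
    fwrite(STDERR, "cannot read $configFile\n");
    exit(2);
}

$_CONF = array();
require $configFile;   // populates $_CONF exactly the way Geeklog itself does

$problems = array();

// Every cookie variable has to exist; the value itself may differ per site.
foreach ($requiredCookieVars as $name) {
    if (!array_key_exists($name, $_CONF)) {
        $problems[] = "\$_CONF['$name'] is not defined";
    }
}

// Upload settings have to exist and be 0, not merely be absent.
foreach ($mustBeZero as $name) {
    if (!array_key_exists($name, $_CONF)) {
        $problems[] = "\$_CONF['$name'] is not defined (set it to 0)";
    } elseif ((int) $_CONF[$name] !== 0) {
        $problems[] = "\$_CONF['$name'] is " . var_export($_CONF[$name], true)
                    . ", expected 0";
    }
}

if (count($problems) > 0) {
    echo "Do NOT replace system/lib-sessions.php yet. Fix config.php first:\n";
    foreach ($problems as $p) {
        echo "  - $p\n";
    }
    exit(1);
}

echo "config.php defines all required cookie variables and image upload is disabled.\n";
exit(0);
```

The script exits with status 1 and lists every missing or wrong setting, so it can be re-run until it reports a clean config; only then is it safe to copy the new lib-sessions.php into place. Including config.php rather than grepping it means the check sees the values PHP actually ends up with, whatever formatting the file uses.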
bye, Dirk