
Security

File Manager Vulnerability

  • Sunday, July 05 2015 @ 06:20 pm EDT
Security

An XSS vulnerability has been found by Mohammad Sikkandar Sha in the demo code for WideImage which is used in the File Manager shipped with Geeklog 2.1.0. The File Manager itself has access control and is not affected by the vulnerability.

To fix this, please remove the following two directories as soon as possible:

  • public_html/filemanager/connectors/php/inc/vendor/wideimage/demo
  • public_html/filemanager/connectors/php/inc/vendor/wideimage/test

Thank you

Geeklog 1.8.2sr1 and 2.0.0rc2

  • Wednesday, February 20 2013 @ 05:40 am EST
Security

We have received two reports about security issues that affect Geeklog in both current versions, i.e. 1.8.2 and 2.0.0 (which is not officially out yet, but in release candidate state):

  • High-Tech Bridge Security Research Lab reported an XSS in the calendar_type parameter in the Calendar plugin.
  • Trustwave Spiderlabs reported XSS in the install script, the Configuration, as well as in the Admin interfaces for the Polls plugin and the Topic editor.

To address these issues, we are releasing Geeklog 1.8.2sr1 (complete archive; also available as an update from 1.8.2) and Geeklog 2.0.0rc2.

EasyFile plugin SQL injection

  • Thursday, March 29 2012 @ 12:15 pm EDT
Security

An SQL injection vulnerability in the EasyFile plugin has been found and published by a user who calls himself Hellboy. The vulnerability is reported as being in Geeklog, but it really only affects the EasyFile plugin.

Given that the EasyFile plugin hasn't been updated in years, we assume that it is no longer maintained. If you use this plugin on your site, we recommend that you uninstall the plugin and remove all the files that belong to it as soon as possible.

We have removed the EasyFile plugin from our download area. If there are any other sites out there mirroring the plugin, please remove it from those sites as well. Thank you.
