Security

To address the recently posted exploits for insecure installations and for the mcpuk file manager, we are releasing Geeklog 1.4.0sr4.

In this release, we've removed the file manager altogether, so you will no longer be able to upload images through FCKeditor (this will be enabled again when we release Geeklog 1.4.1 with FCKeditor 2.3). We've also added additional protection against code execution in case of insecure installations but suggest that you really protect your Geeklog install properly as explained in the installation instructions and in the FAQ.

We are not releasing any updates for these issues as they wouldn't make much sense. In case of the first exploit, it's really an installation problem that should be fixed and in the case of the file manager, files will have to be removed (as explained in the article linked to above).

Please note that the first issue applies to all Geeklog releases, while the second only applies to all the 1.4.0 releases.

While yesterday's exploit only affected incorrect Geeklog installs, this new one is more serious:

An exploit has been posted for the "mcpuk" file manager that we're shipping with FCKeditor in Geeklog 1.4.0. The exploit allows an attacker to upload and execute arbitrary code.

While FCKeditor is not enabled by default, this exploit works even when FCKeditor is disabled, as it calls the vulnerable file directly. So it is not enough to disable FCKeditor in config.php.

If you don't plan to use FCKeditor on your site, you can simply remove the entire 'fckeditor' subdirectory (from Geeklog's public_html). Otherwise, you will have to remove the file manager as explained below ...

In case you've been wondering about the increased amount of people trying to access a 'plugins' directory on your Geeklog site: Someone has posted a so-called "exploit" for Geeklog and all the script kiddies are now rushing to try it out without really understanding what it does and most importantly why it doesn't work on most of the Geeklog sites out there anyway.

So what is all this about? As is being pointed out in the installation instructions, everything that resides outside of Geeklog's 'public_html' directory should not be accessible via a URL. In other words, those files and directories should reside outside of your webroot. This applies to the config.php file, the 'plugins' directory, and everything else that resides there. The so-called "exploit" can only do harm on sites that have those inside the webroot, so that they can be accessed via a URL. And even then those that installed Geeklog that way but password-protected those directories (as explained in the FAQ) are also save.