Security

Geeklog 1.3.9sr2 and 1.3.8-1sr6 fix the following security issues:

1. A cross site scripting issue, due to the use of the (unfiltered) variable $topic in most of the language files (thanks to the anonymous submitter of bug #293).
2. It was possible to post comments to stories and polls for which comments had been disabled. The comments were never displayed, though, but did show up in the What's New block.

The upgrade to 1.3.9sr2 also includes a lib-plugins.php that fixes problems with plugins on PHP 5. The complete 1.3.9sr2 tarball also includes updated PEAR packages that should resolve email problems that some users had (see this story for details).

Apparently, Spammers have found a way to post huge amounts of anonymous comment spam on various Geeklog sites, even though these sites had anonymous comments switched off.

The updates to Geeklog 1.3.9sr1 and Geeklog 1.3.8-1sr5 fix this problem now. Fixed versions of the affected comment.php are also available for 1.3.7sr5 and for 1.3.6, even though these versions aren't really supported any more and we would strongly advise you to upgrade.

Geeklog 1.3.9sr1 (which is also available as a complete tarball) includes additional fixes for several places where the topic permissions hadn't been checked properly as well as some other bugfixes that are not security-related (details can be found here).

These releases address the following security issues:

1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
3. It was possible to delete other people's personal events if you knew the event ID.
4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

As usual, there's an upgrade and complete tarball for 1.3.8-1sr4. The 1.3.7sr5 upgrade is only available as an upgrade tarball and requires 1.3.7sr4.