
Security

Geeklog security issues (and 1.3.7sr2 update)

  • Monday, May 26 2003 @ 04:45 pm EDT

Security issues have been found with Geeklog 1.3.7sr1 (and older versions), one of which actually opens up the possibility to gain Admin control over a Geeklog site. We are therefore releasing Geeklog 1.3.7sr2 and strongly recommend that you upgrade to that version as soon as possible.

There is an upgrade archive (from 1.3.7sr1) available, as well as a full 1.3.7sr2 release. See the documentation for details.

This is the first major security issue with Geeklog that has been found in a long time and that actually enables an attacker to gain Admin control of a site. It was reported to us a few days ago and we are not aware of any sites being hacked as a result of this, since it does require a bit of knowledge to exploit. However, since we do take security seriously, we would like to point out again that it is important that you install this update ASAP.

Command & Control Showing Unauthorized Controls

  • Tuesday, May 13 2003 @ 01:34 am EDT

I just noticed this... Using Admin everything looks cool and signing in as a regular user, things are dandy *but* it seems whomever I give Command and Control access will see unauthorized controls....

Static pages - Chatterblock - Faqman - FileMgmt - Forum - Menu Editor and External pages show up in *their* command and control... *but* if they click on it they're faced with an Access Denied page...

Why is it these icons are showing up in the first place? The moderator clearly doesn't have access rights to static pages and most anything else... Also these plug-ins come from different developers but all have something in common for them to show up...

I am not nailing it... Has anyone seen this before or is this how it works by default?

Thanks for any info on this :)

Potential Security Flaw

  • Monday, May 12 2003 @ 10:50 pm EDT

A friend of mine signed up and I forgot to assign him to a private group I created called "friends" on my geeklog.

He wanted to view the hidden stories but he couldn't... he found a way to get to the security settings by clicking on the "mail story" button.

Well this confused me because he wasn't supposed to be able to see the story anyway to mail it.

I had only checked the site as an anonymous user and it's true that when I was anonymous I couldn't see the topic listed in the "sections" list nor could I see the story listed on the front page.

Yet when I created a simple user account I could suddenly read the lead section of the story and have access to e-mail the entire story to myself. If I click on the "read more" link I am told that I am not a member of the site, although technically I am a member since I created an account.

Sort of nit picky on that part but the security flaw is sort of an issue.
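Both of the reports above come down to the same engineering point: the decision "may this user see this object" must be made in one place and reused by every entry point, whether that is the front-page listing, the "read more" link, the "mail story" action, or the icons in the Command & Control panel. In the third post the mail path only checks "is logged in", so a registered account outside the "friends" group gets the full story; in the second post the panel draws icons from one rule and the click handlers enforce another, so moderators see controls that end in Access Denied. The following is an added model of that pattern, written for this page and not code from Geeklog or from either poster; the group names, story fields and control table are constructed for the illustration, and `mail_story_buggy` models the reported behaviour rather than reproducing Geeklog's actual function.

```python
# Added illustration (not Geeklog code): every path that exposes a story,
# and every admin icon, is driven by the same authorization decision.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # e.g. {"friends"}; anonymous users have none
    anonymous: bool = False


@dataclass(frozen=True)
class Story:
    sid: str
    intro: str                 # lead section shown on the front page
    body: str                  # full text behind "read more"
    allowed_groups: frozenset  # constructed: empty means public


def can_read(user: User, story: Story) -> bool:
    """Single authorization decision reused by every entry point."""
    if not story.allowed_groups:
        return True
    return bool(user.groups & story.allowed_groups)


def front_page(user: User, stories: list[Story]) -> list[str]:
    """Lists only stories the user may read, so no intro leaks to outsiders."""
    return [s.sid for s in stories if can_read(user, s)]


def read_more(user: User, story: Story) -> str:
    if not can_read(user, story):
        raise PermissionError("not a member of the required group")
    return story.body


def mail_story_buggy(user: User, story: Story) -> str:
    """Models the reported flaw: only 'logged in' is checked, so any
    registered account obtains the whole story through the mail path."""
    if user.anonymous:
        raise PermissionError("login required")
    return story.body


def mail_story_fixed(user: User, story: Story) -> str:
    """Same decision as read_more, so the secondary action cannot leak more."""
    if not can_read(user, story):
        raise PermissionError("not a member of the required group")
    return story.body


# Command & Control model (second post): icon visibility and the click
# handler are derived from one table, so no visible icon ends in Access Denied.
CONTROLS = {                      # constructed: plugin -> group it requires
    "staticpages": "Static Page Admin",
    "forum": "Forum Admin",
    "story": "Story Admin",
}


def visible_controls(user: User) -> list[str]:
    return [name for name, grp in CONTROLS.items() if grp in user.groups]


def open_control(user: User, name: str) -> str:
    if CONTROLS[name] not in user.groups:
        raise PermissionError("Access Denied")
    return f"{name} admin panel"


if __name__ == "__main__":
    hidden = Story("s1", "intro", "full text", frozenset({"friends"}))
    alice = User("alice", frozenset({"friends"}))
    bob = User("bob", frozenset())            # registered, not in "friends"
    anon = User("anon", frozenset(), anonymous=True)
    print(front_page(bob, [hidden]))          # bob sees nothing listed
    print(mail_story_buggy(bob, hidden))      # yet the mail path hands him the body
    try:
        mail_story_fixed(bob, hidden)
    except PermissionError as e:
        print("fixed:", e)
    mod = User("mod", frozenset({"Forum Admin"}))
    print(visible_controls(mod))              # only icons mod can actually open
```

The practical check for a site running plugins from several authors is to walk each secondary action (mail, print, RSS, search, plugin menus) as a freshly registered non-member and confirm it answers the same way as the main view; where a menu shows an item that the handler then refuses, the two are using different rules and the handler's rule is the one to trust.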
