Security

Mark Evans informs us that Saif El-Shere reported XSS in the bbcode of the Forum plugin for glFusion. Due to the shared history of the two projects, these XSS also exist in the Forum plugin for Geeklog. The Forum plugin 2.7.4 fixes these issues.

To upgrade from version 2.7.3, you need to replace these 3 files:

• config.php (for the version number)
• functions.inc (for the upgrade code)
• public_html/include/gf_format.php (which contains the actual fix)

Then simply run the upgrade from Geeklog's Plugin admin panel.

Geeklog 1.7.1sr1 addresses an XSS in the Configuration admin panel, reported by Aung Khant of the YGN Ethical Hacker Group. Due to the built-in CSRF protection this weakness is somewhat harder to exploit but we would nonetheless advise that you secure your site by installing this update ASAP.

In addition to the complete 1.7.1sr1 tarball, there are also update files for Geeklog 1.7.1 and for Geeklog 1.6.1sr1 that contain only a fixed version of the affected file (see the included README file for installation instructions).

Users of older Geeklog releases should consider upgrading to Geeklog 1.7.1sr1 soon (use the complete 1.7.1sr1 tarball to upgrade from any older version).

You may remember the flurry of security issues that Bookoo of the Nine Situations Group reported for Geeklog in April last year. Well, it looks like we missed one issue in those reports: Geeklog's auto login feature is vulnerable to brute force / dictionary attacks. To fix this, we are releasing the following security updates:

• Geeklog 1.6.1sr1 (complete tarball or upgrade from 1.6.1)
• Geeklog 1.5.2sr6 (1.5.2 "Combo" update or upgrade from 1.5.2sr5)

Other versions: The issue is also fixed in Geeklog 1.7.0 (but present in the 1.7.0 beta and release candidate). The 1.5.2sr6 upgrade can also be used for Geeklog 1.6.0, 1.5.1, and 1.5.0. Earlier versions were not tested - we really recommend to upgrade to a newer version (1.6.1sr1 or 1.7.0) instead.