Welcome to Geeklog Friday, August 14 2020 @ 04:27 am EDT

Security

Security issues in Geeklog 1.3.5

  • Monday, June 10 2002 @ 02:45 am EDT
  • Contributed by:
  • Views: 5,689
Security

We have been made aware of several security issues with Geeklog 1.3.5 (earlier versions are probably affected as well). These allow for the injection of malicious javascript code which could be used e.g. to take over the admin's cookie. There is also an issue that allows the injection of MySQL requests from outside, possibly exposing data or even damaging the database (under certain circumstances). Details about these problems will be posted on the Bugtraq list later today.

In order to secure your installations, we have released Geeklog 1.3.5sr1 which addresses these issues. You are strongly encouraged to upgrade to this version as soon as possible.

If your site is running Geeklog 1.3.5, you could also download this file which contains just the affected files. After uploading them, your installation will be secure. Please note that this may overwrite customisations you may have made to the affected files.

Checking *Admin account passwords

  • Saturday, May 04 2002 @ 04:33 pm EDT
  • Contributed by: Anonymous
  • Views: 4,869
Security

For those who may not realize it, there are several Admin accounts that have default passwords (StoryAdmin, etc), and only the main "Admin" account is checked in the getBent() PHP block. By default, all *Admin accounts have the "password" password, and an intelligent person could figure that out, and exploit your system.

If you would like to see if you are vulnerable to this sort of attack, run this query in mySQL, or add it to getBent() like I did:

select count(*) as count from gl_users where username like '%Admin' and passwd=md5('password')

That will tell you if any of your *Admin accounts are vulnerable. Notice the slight differences from the query in getBent():

select count(*) as count from users where username='Admin' and passwd='" . md5('password') . "'

Lost password

  • Tuesday, April 23 2002 @ 10:48 pm EDT
  • Contributed by:
  • Views: 4,951
Security I noticed that when we lose a password, geeklog will send us a new \'system-generated\'password. I have one concern, with the ease of requesting for new password.

GL does not verify if you are truly the user requesting for new password. As such, a prankster can look for a list of users ie. Admin etc and request for a new password for the person. It would be a pain if the this becomes a day to day affair.

Are there any plugins patches that we can add to help identify the user ie mom\'s maiden name or something along those lines?

Thank you.

Page navigation