
Security

Major Security Hole Fixed!

  • Wednesday, January 09 2002 @ 09:38 am EST

Attention all Geeklog 1.3 Admins

I hope you programmers out there never have to do what I'm about to do. A security hole has been brought to my attention and all Geeklog 1.3 admins will need to apply this fix. Luckily a 'good guy' found this before it became a big issue.

During all the session management changes from a while back I neglected to add back the MD5 hash of the user's password to a cookie and check that. As a result, it is possible to have your Geeklog 1.3 system compromised by simply editing the cookie and changing the user ID to that of a Geeklog admin. This hole is about as critical as a hole can get. If you are running Geeklog 1.3 you will need to go to CVS and download the latest copies of system/lib-sessions.php and public_html/users.php.
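The difference between the two checks described above, modelled in Python as an added example (this is not Geeklog's PHP code and not part of the original post). The cookie names `userid` and `password`, the user table and the passwords are constructed for illustration.

```python
import hashlib
import hmac

# Constructed user table: uid -> username and stored MD5 hex digest of the password.
USERS = {
    2: {"username": "admin", "passwd": hashlib.md5(b"admin-secret").hexdigest()},
    14: {"username": "alice", "passwd": hashlib.md5(b"alice-secret").hexdigest()},
}


def login_uid_only(cookies):
    """Flawed check: any uid that exists in the table is accepted as logged in."""
    try:
        uid = int(cookies.get("userid", ""))
    except ValueError:
        return None
    return uid if uid in USERS else None


def login_uid_and_hash(cookies):
    """Check described in the post: the cookie must also carry the stored
    password hash for that uid, compared here in constant time."""
    uid = login_uid_only(cookies)
    if uid is None:
        return None
    supplied = cookies.get("password", "")
    expected = USERS[uid]["passwd"]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return None
    return uid


def demo():
    # alice's genuine cookie, and the same cookie with only the uid changed.
    alice = {"userid": "14", "password": USERS[14]["passwd"]}
    edited = dict(alice, userid="2")
    return {
        "uid_only_accepts_edited": login_uid_only(edited),
        "hash_check_accepts_edited": login_uid_and_hash(edited),
        "hash_check_accepts_genuine": login_uid_and_hash(alice),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A password hash stored in a cookie is itself a password-equivalent secret, so designs written today usually bind the cookie to a random server-side session token instead.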

Security Fix!

  • Thursday, January 03 2002 @ 01:06 pm EST
There is a small but nasty security bug with fresh installations of Geeklog 1.3. This only pertains to fresh installations of Geeklog 1.3. Turns out with fresh installations, the data includes one orphaned group_assignments record with a user ID of 13. Geeklog's user table on a fresh installation only has 12 users. So the first user that creates an account has access to the GroupAdmin Group and, subsequently, the UserAdmin Group.

If you have already installed a fresh version of Geeklog 1.3 then you need to edit the user with a uid of 13. To get that, do a "SELECT username FROM users WHERE uid = 13" in your favorite MySQL editor. Then in the admin/users.php page edit that user and uncheck both the GroupAdmin Group AND the UserAdmin Group and be sure to leave the Normal User and Logged-in User boxes checked.

Thanks to whoever posted that nasty on our SourceForge site.
