Welcome to Geeklog, Anonymous Sunday, May 26 2024 @ 11:33 pm EDT


Forum plugin 2.7.3 security fix

  • Sunday, May 02 2010 @ 04:45 am EDT
  • Contributed by:
  • Views: 8,640

The Forum plugin 2.7.3 addresses a security issue where an XSS was possible in anonymous usernames, reported by Jaloh Smith.

To upgrade from version 2.7.2, you only need to replace 3 files:

  • config.php (for the version number)
  • functions.inc (for the upgrade code)
  • public_html/createtopic.php (which contains the actual fix)

Then simply run the upgrade from Geeklog's Plugin admin panel.

Geeklog 1.6.0sr2

  • Sunday, August 30 2009 @ 01:05 pm EDT
  • Contributed by:
  • Views: 9,286

Last week, an exploit was published that allows unauthorized direct uploads to a Geeklog site, using the PHP connector included with FCKeditor. The uploads still have to go through FCKeditor's filters, so it's not possible to use this to upload scripts and the integrity of the Geeklog site as such is not in danger. As it turns out, however, this exploit is now being used to host malware on some Geeklog sites. So it seems we completely underestimated the impact of this issue.

Geeklog 1.6.0sr2 is now available for download and ships with a much more restrictive configuration for uploads through FCKeditor. There's also an archive to upgrade from 1.6.0sr1 and an updated version of the drop-in FCKeditor replacement for older Geeklog versions.

If you don't use FCKeditor (aka "Advanced Editor") on your site, the easiest and safest method is to simply remove the entire fckeditor directory (from your public_html directory). Otherwise, please install one of the above updates ASAP.

Geeklog 1.6.0sr1 and 1.5.2sr5

  • Thursday, July 30 2009 @ 02:00 pm EDT
  • Contributed by:
  • Views: 8,748

Geeklog 1.6.0sr1 and 1.5.2sr5 address the following security issues:

  1. Gerendi Sandor Attila reported an XSS in the forms to email a user and to email a story to a friend.
  2. The "Mail Story to a Friend" function didn't check story permissions, so that it was possible to email a story even if you didn't have the permissions to view it on the site.

For Geeklog 1.6.0, we also fixed two bugs (an SQL error when the story submission queue was off and a call to a nonexistent function).

The following files are available:

Page navigation