Security

An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).

Here's what we know:

• The advisory mentions that "several" of the FCKeditor connector modules are affected and suggests removing all unused connectors. Geeklog only ships with one connector (for PHP), but it's not clear whether this connector is affected or not.
• There's a second issue regarding XSS in the FCKeditor samples. Geeklog does not include the samples, so we're not affected by this issue at least.

A recent posting on the Bugtraq security mailing list should serve as a reminder to always remove the install script after a successful install or upgrade of Geeklog: MaXe points out an XSS, a path disclosure, and a remote file inclusion in the 1.5.x install script. The XSS is still present in the 1.6.0 install script and has been pointed out to us before by a person who called himself Nemesis.

We'll take care of this in the next 1.6.0 release (probably rc1). So again: Please follow the installation instructions and the built-in reminders to remove the install script and the other security tips that we provide before, during, and after the install.

Bookoo of the Nine Situations Group has posted yet another SQL injection exploit. This time, the problem is in usersettings.php and can again be used by an attacker to extract the password hash for any account. Geeklog 1.5.2sr4 fixes this issue and is available for download

• as a complete tarball, for fresh installs and upgrades from any earlier release
• as an update for 1.5.2sr3 and
• as a "combo" update, bundling all the changes for 1.5.2sr1 - 1.5.2sr4.