Security

Geeklog 1.5.2sr3 addresses the recently published exploit for an SQL injection in the webservices. It is available for download

• as a complete tarball, for fresh installs and upgrades from any earlier release
• as an update for 1.5.2sr2 and
• as a "combo" update, bundling all the changes for 1.5.2sr1 - 1.5.2sr3.

After installing this update, you can enable the webservices again if you need them (or leave them disabled if you don't - they are not an essential feature, unless you happen to be using an AtomPub client to post articles).

Well, it's getting a bit embarrassing, but here goes:

Bookoo of the Nine Situations Group posted another SQL injection exploit, this time targetting the webservices API in Geeklog. The problem exists in all 1.5.x releases to date. Fortunately, it can be avoided by disabling the webservices like so: Go to

Configuration > Geeklog > Miscellaneous > Webservices

(that's the last set of options on the "Miscellaneous" page) and set "Disable Webservices?" to "True". We'll release an fix ASAP, but this should secure your site for now.

Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This issue allowed an attacker to extract the password hash for any account and is fixed with this release. Please note that this problem exists in all Geeklog versions prior to 1.5.2sr2.

You can download an upgrade archive for Geeklog 1.5.2sr1 or the complete 1.5.2sr2 tarball to upgrade from any previous version.

The upgrade tarball contains only one file (a drop-in replacement for lib-sessions.php) and can also be used to fix the issue on Geeklog 1.4.1, 1.5.0, and 1.5.1.

As a temporary measure (and to secure older Geeklog releases that are not supported any more), you can also make the following configuration change, at the risk of inconveniencing some of your users: