Welcome to Geeklog Monday, December 11 2017 @ 07:45 pm EST

Geeklog 1.5.2sr1

Security

Fernando Muñoz reported a possible XSS in the query form on most admin panels that we are fixing in this release.

You can download an upgrade archive for Geeklog 1.5.2 or the complete 1.5.2sr1 tarball to upgrade from any previous version.

The upgrade tarball contains only one file and should also work as a quick fix for Geeklog 1.5.0 and 1.5.1. We do recommend upgrading to 1.5.2sr1 from those versions, though, due to various other bugs that have since been fixed.

Fernando is one of the students applying for participation in the Google Summer of Code with Geeklog, btw. Which just goes to show that it's always good to have a fresh pair of eyes looking over your code. Thanks, Fernando!

Forum Plugin Version 2.7.2 - Security Fix

Security

An issue that can allow someone to edit another user's recently posted topic has been identified by Matthew Demicco. This is possible during the edit timeframe (1 minute by default) and requires someone to modify the URL.

This new release addresses that issue and all sites are recommended to upgrade to this latest release which is now available in the downloads area.

The upgrade steps are to replace the changed files listed below and run the plugin upgrade:
  • public_html/createtopic.php
  • config.php
  • functions.inc

Geeklog 1.5.1 Security Fixes

Security

Geeklog 1.5.1 addresses the following security issues:

  • The recently reported file upload issue in FCKeditor. A fix is now included. When upgrading from earlier versions, we strongly recommend that you remove your old copy of the "fckeditor" directory and replace it with the version that ships with Geeklog 1.5.1 to ensure that old files are removed and replaced properly.
  • Mark Evans reported that our protection against direct execution of include files did not work properly on case-insensitive file systems (e.g. on Windows). This only affects sites that weren't installed correctly in the first place (the files in question should not be reachable from the web). This includes sites installed through Fantastico, though.

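How a direct-execution guard of this kind can fail on a case-insensitive file system, as an added PHP illustration that is not Geeklog's own code: the include file name `lib-common.php`, the function names and the sample request paths are assumptions made for the demonstration.

```php
<?php
// Added illustration (not Geeklog's code): a guard placed at the top of an
// include file to refuse direct requests, in a naive and a hardened form.

// Naive guard: only matches the exact spelling of the file name, so a request
// for "LIB-COMMON.PHP" (which a case-insensitive file system still serves)
// slips past it.  The file name is a hypothetical example.
function direct_access_blocked_naive(string $requested_path): bool
{
    return strpos($requested_path, 'lib-common.php') !== false;
}

// Hardened guard: compare the basename case-insensitively, so any spelling
// of the include file's name is recognised.
function direct_access_blocked_hardened(string $requested_path): bool
{
    return strcasecmp(basename($requested_path), 'lib-common.php') === 0;
}

// Constructed sample request paths (not taken from a real site).
$samples = [
    '/geeklog/lib-common.php',   // exact spelling of the include file
    '/geeklog/LIB-COMMON.PHP',   // alternate casing of the same file
    '/geeklog/index.php',        // a legitimate entry point that includes it
];

foreach ($samples as $path) {
    printf("%-28s naive=%-8s hardened=%s\n", $path,
        direct_access_blocked_naive($path) ? 'blocked' : 'allowed',
        direct_access_blocked_hardened($path) ? 'blocked' : 'allowed');
}

// Inside the include file itself the hardened check would be used as:
//   if (direct_access_blocked_hardened($_SERVER['SCRIPT_NAME'])) {
//       die('This file cannot be used on its own.');
//   }
// The guard is a second line of defence only; as the advisory says, the
// include files should not be reachable from the web in the first place.
```
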
The following issues are bugs in Geeklog 1.5.0 regarding the access control for stories: