
File uploads through FCKeditor

Security

A user by the name of t0pP8uZz has demonstrated that the file upload capabilities of FCKeditor, as shipped with Geeklog, can be used to directly upload various sorts of files to a website running Geeklog. The file types are still restricted by FCKeditor's whitelist of allowed types, so it's not possible to upload PHP scripts or the like. Still, this is not something that should be possible as it has the potential for malicious use.

The issue affects Geeklog 1.4.1 and 1.5.0 and possibly other versions when FCKeditor was updated manually.

We will be addressing this problem in the upcoming 1.5.1 release of Geeklog. In the meantime, here's a list of things you can do now:

Forum Plugin Version 2.7.1 - Security Fix

Security

A possible cross-site scripting vulnerability has been identified by NetAgent Co., Ltd. and JPCERT/CC (http://jvn.jp/).

The issue is that the forum search does not correctly filter out JavaScript from the search input before displaying it. This new release addresses that issue, and all sites should upgrade to this latest release, which is now available in the downloads area.

The upgrade steps are to replace the changed files listed below and then run the plugin upgrade:

  • public_html/index.php
  • config.php
  • functions.inc

Geeklog vulnerable to CSRF

Security

While tracking the security issues that have plagued other web applications, we have become aware that Geeklog is vulnerable to so-called Cross-Site Request Forgery (CSRF) attacks. In a nutshell, the idea is for an attacker to perform operations on a site with someone else's privileges. There are multiple possible attack vectors, including tricking you into clicking a link or embedding what looks like an image but is really a script.

Unfortunately, fixing these issues required a lot of changes in Geeklog's code and so we can't provide a simple security fix for earlier releases. The necessary infrastructure has been implemented in Geeklog 1.5.0, which we now consider safe from these attacks. Please note that many 3rd-party plugins are also affected and will also have to be updated.
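To illustrate the kind of protection the text refers to, here is an added example (not Geeklog's own code; the function names csrf_token, csrf_check and delete_story are hypothetical) of a per-session security token that a state-changing form must send back before the action is carried out:

```php
<?php
// Added example, not Geeklog's own code: a minimal synchronizer-token check.
session_start();

// Create (or reuse) a random per-session token. It lives server-side in the
// session, so a forged request from another site cannot know its value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token sent with a request. hash_equals() compares in constant time.
function csrf_check(?string $submitted): bool
{
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical state-changing action; the real deletion would go here.
function delete_story(int $id): string
{
    return "Story $id deleted.";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A forged request (a link the victim clicked, or an <img> tag pointing at
    // this script) carries the victim's session cookie but not the token, so it
    // is rejected here before anything changes.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing security token.');
    }
    echo delete_story((int) ($_POST['id'] ?? 0));
    exit;
}

// On GET only render the form, with the token in a hidden field. Because no
// state changes happen on GET, an embedded image request alone does nothing.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="id" value="42">'
   . '<button type="submit">Delete story 42</button>'
   . '</form>';
```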

For older Geeklog versions, here are a few recommendations to minimize the risks:

  • Log out of your Geeklog site once you're done instead of letting the session expire. You may also want to lower the length of time your session is valid (see the "Remember Me For" option in "My Account").
  • Don't visit other websites, especially unknown sites, while you're logged in to your Geeklog site. Alternatively, use two separate browsers, i.e. two different programs. Using separate browser windows or tabs will not help.
  • Consider using an account with a minimal amount of privileges and use a separate account with more privileges only when necessary. For example, you don't need to be a member of the Root group to publish stories; using a less privileged account minimizes the potential damage that can be done in the event of a successful CSRF attack on that account.