Welcome to Geeklog Wednesday, July 17 2019 @ 08:25 am EDT

Security

Security issues in kses

Security

Lukasz Pilorz has found 3 security issues in kses, the HTML filter we're using in Geeklog. We have examined these issues and to the best of our knowledge, 2 of the 3 issues are not exploitable in the Geeklog context, due to additional filtering done by Geeklog. The third issue is exploitable, but won't affect standard installs.

The exploitable issue affects the HTML style attribute. In a standard install of Geeklog, the style attribute is not allowed, i.e. filtered out when someone attempts to use it. This has always been our recommendation, as it could be used for defacements. Lukasz has demonstrated that it could also be used for XSS. Since kses is no longer maintained, there is no patch for this issue. We therefore want to repeat our recommendation: Do not allow the style attribute for normal users and be very careful when allowing it for Admin users.
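To make the recommendation concrete, here is an added example (not Geeklog or kses code) of a small allowlist HTML filter in the spirit of kses, run once with `style` left out of the allowlist and once with it permitted; the tag and attribute allowlists and the sample markup are constructed for illustration.

```python
"""Allowlist-based HTML filtering: only listed tags and attributes survive.

Added example, not part of Geeklog or kses.  The allowlists and the
sample input below are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlists: tag -> set of attributes permitted on that tag.
# The recommended configuration for normal users omits `style` entirely.
ALLOWED_NO_STYLE = {"p": {"class"}, "a": {"href", "title"}, "b": set()}
ALLOWED_WITH_STYLE = {"p": {"class", "style"}, "a": {"href", "title"}, "b": set()}


class AllowlistFilter(HTMLParser):
    """Re-serialises input, keeping only allowlisted tags and attributes."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # unknown tag is dropped; its text content is still kept
        kept = [(k, v) for k, v in attrs if k in self.allowed[tag]]
        attr_text = "".join(f' {k}="{escape(v or "")}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped on output


def filter_html(html, allowed):
    """Return `html` with every tag/attribute not in `allowed` removed."""
    f = AllowlistFilter(allowed)
    f.feed(html)
    f.close()
    return "".join(f.out)


# Constructed sample: a styled paragraph as an ordinary user might submit it.
SAMPLE = '<p class="note" style="color:red">Hello <b>world</b> &amp; more</p>'

if __name__ == "__main__":
    print(filter_html(SAMPLE, ALLOWED_NO_STYLE))    # style attribute dropped
    print(filter_html(SAMPLE, ALLOWED_WITH_STYLE))  # style attribute kept
```

The first run is the configuration the post recommends: the `class` attribute survives but `style` is stripped before the markup is stored or displayed.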

For the other two issues, Lukasz has provided a patch for kses that we've rolled into Geeklog 1.5.0, just in case. For earlier releases, you can download a drop-in replacement for kses. Again, to the best of our knowledge, the issues (which include arbitrary code execution) do not seem to be exploitable in the Geeklog context.

Since kses is no longer maintained, we will be looking into replacing it with some other HTML filter in future Geeklog releases.

Geeklog 1.4.0sr6

Security

MustLive pointed out a possible XSS in the form to email an article to a friend that we're fixing with this release.

Please note that this problem only exists in Geeklog 1.4.0 - neither Geeklog 1.4.1 nor any older versions (1.3.x series) have that problem.

To upgrade from Geeklog 1.4.0sr5-1, download the upgrade archive. To upgrade from any other 1.4.0 version, please use the combo update, which also includes all the previous security updates.

Upgrades should be straightforward, as you only have to replace one file. Since security issues are often exploited soon after they become public, you should install this upgrade as soon as possible.

Reminder: Keep your site up to date

Security

Since we had a few reports about hacked Geeklog sites again, all of which turned out to be due to running on old and insecure versions, I'd like to remind you to check for updates regularly and, if there is a security update, to install it ASAP, in your own interest.

At the time of this writing, the following Geeklog versions are considered "safe" in that there are no known security issues with them:

The 1.3.11 versions are not officially supported any more, but sites running on the latest incarnation (see above) should be fine.

Security issues may also lurk in plugins and other add-ons that you have installed, so you may want to check those for updates as well.