Welcome to Geeklog Monday, August 19 2019 @ 09:53 am EDT

Security

CAPTCHA v2.1.2 Released

  • Contributed by:
  • Views: 6,431
Security

CAPTCHA v2.1.2 has been released to address a security vulnerability I discovered in the code this morning. All CAPTCHA users are encouraged to upgrade as soon as possible. The upgrade process is very straight forward, simply copy over the new source files, then go into your Plugin Manager and select Update for the CAPTCHA plugin.

There is one other small tweak, if the session start fails, it will do so silently, no longer causing scripts to stop. This should resolve any issues with the emailgeeklogstories cron script.

Security Vulnerability in Media Gallery v1.4x

  • Contributed by:
  • Views: 6,562
Security A security vulnerability has been identified in Media Gallery affecting all of the v1.4 releases. This vulnerability could allow properly crafted URLs to load files onto your web server and potentially overwrite existing files. Media Gallery v1.4.8b has been released to address this vulnerability and should be upgraded immediately! My thanks to Max for reporting this issue this morning and providing the relevant site logs to validate the vulnerability.

If you do not want to upgrade to the latest version of Media Gallery, you should apply the following patch:

Edit mediagallery/maint/ftpmedia.php

Near the top, immediately before the following line:

require_once($_MG_CONF['path_html'] . 'lib-batch.php');

Add the following code:

// this file can't be used on its own
if (strpos ($_SERVER['PHP_SELF'], 'ftpmedia.php') !== false)
{
    die ('This file can not be used on its own.');
}

Save ftpmedia.php. This should resolve the issue.

For more information on other enhancements and fixes to Media Gallery v1.4.8b, please see www.gllabs.org.

Thanks!
Mark

Geeklog 1.4.0sr5 and 1.3.11sr7

  • Contributed by:
  • Views: 13,414
Security

JPCERT/CC informed us about a possible XSS in the comment handling that we're fixing with the following releases:

Upgrades should be straightforward as you'll only have to replace one file (lib-comment.php for Geeklog 1.4.0 and comment.php for Geeklog 1.3.11).