Welcome to Geeklog Friday, July 29 2016 @ 03:45 am EDT

Possible CSS vulnerability in search.php

Security (3,750 views)
I think search.php of geeklog-1.3.x has a possible cross-site scripting vulnerability. For example, enter this string as the search keyword.

<script>alert(self.location)</script>

This gives an alert window when JavaScript is enabled.
Because any HTML tags are displayed unescaped on the "No matches" screen, and search.php accepts the GET method, this is easily exploitable in the manner of ordinary cross-site scripting attacks.

This simple patch for search.php can prevent this type of attack.

--- search.php Fri Apr 5 01:21:15 2002
+++ search.php.org Mon Apr 8 03:38:07 2002
@@ -264,7 +264,7 @@
$retval .= $searchresults->parse(\'output\',\'searchresults\');
} else {
$retval .= COM_startBlock($LANG09[13])
- . $LANG09[14].\' <b>\'.htmlentities($query).\'</b> \'.$LANG09[15]
+ . $LANG09[14].\' <b>\'.$query.\'</b> \'.$LANG09[15]
. COM_endBlock();
}
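Review bot: the hunk is reversed relative to the fix described in the text: the line with `htmlentities($query)` is marked removed (`-`) and the bare `$query` is marked added (`+`), which is what you get when the patched copy (`search.php`) is given to diff before the original (`search.php.org`). Applied as posted, it would strip the escaping rather than add it. Swap the two file arguments so the hunk reads `- . $LANG09[14].\' <b>\'.$query.\'</b> \'.$LANG09[15]` followed by `+ . $LANG09[14].\' <b>\'.htmlentities($query).\'</b> \'.$LANG09[15]`, which is the change that makes the "No matches" block safe.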

New Translations!

Announcements (3,697 views)

I am happy to announce the addition of two new translations: 1) Russian, 2) Portuguese (Brazil). Slowly but surely, Geeklog is starting to mature... the submission of translations is proof of that, and we are now up to 8 supported languages! I want to take a minute to thank all of you that have borne through some hard times, bugs, poor code, etc. to get us here. A lot of work still needs to be done, but we have a great community and good things will continue to follow!

Using index.htm

Security (5,972 views)

Hi folks, this is a tip. In every directory that doesn't contain an index file, place a blank text file and name it index.htm. I do this on all my themes and geeklog directories and I highly suggest you do it as well. This will prevent snooping, even if it's only an images directory. Also, concerning the recent discovery of how many folks left their install.php alone, if you renamed your install file to muahahayoullneverguessthenameofmyinstall.php, it's not gonna do any good if someone visits http://yoursite.com/admin/install/. If you're gonna rename it, try a .txt extension or something. Enjoy. :)
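The tip above, automated, as an added example that is not part of the original post or of Geeklog itself: the script walks a document root, drops a blank index.htm into every directory that has no index file, and reports any .php file still sitting under admin/install. It assumes a POSIX sh with find(1); the demo tree at the bottom is constructed for illustration.

```shell
# Added example (not from the original post): walk a Geeklog document root,
# drop an empty index.htm into every directory that has no index file, and
# report any .php installer still sitting under admin/install.
# Assumes a POSIX sh with find(1); the demo tree at the bottom is constructed.

# Succeeds if the directory $1 already holds an index file.
has_index_file() {
    for f in index.htm index.html index.php; do
        [ -e "$1/$f" ] && return 0
    done
    return 1
}

# Creates a blank index.htm in every directory under $1 that lacks one and
# prints the path of each file created (one per line).
add_index_files() {
    find "$1" -type d | while IFS= read -r d; do
        if ! has_index_file "$d"; then
            : > "$d/index.htm"
            printf '%s\n' "$d/index.htm"
        fi
    done
}

# Lists PHP files left under admin/install; renaming them to .txt (as the post
# suggests) or removing them is what stops them from being served as scripts.
find_leftover_installer() {
    find "$1" -path '*/admin/install/*' -name '*.php' -print
}

# Constructed demo tree: an images directory with no index file, a theme
# directory that already has index.html, and an install.php left behind.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/images" "$demo_root/layout/mytheme" "$demo_root/admin/install"
: > "$demo_root/layout/mytheme/index.html"
: > "$demo_root/admin/install/install.php"
add_index_files "$demo_root"
find_leftover_installer "$demo_root"
rm -rf "$demo_root"
```

Running it a second time creates nothing, so it is safe to re-run after adding new theme or plugin directories.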
