Welcome to Geeklog, Anonymous Saturday, November 16 2024 @ 01:46 am EST

Geeklog 1.4.0sr5 and 1.3.11sr7

Sunday, July 16 2006 @ 12:00 pm EDT
Contributed by: Dirk
Views: 24,791

JPCERT/CC informed us about a possible XSS in the comment handling that we're fixing with the following releases:

Geeklog 1.4.0sr5, available as a complete tarball and as an upgrade from 1.4.0sr4.
Geeklog 1.3.11sr7, available as an upgrade from 1.3.11sr6 and as a combo update from any other 1.3.11 release.

Upgrades should be straightforward as you'll only have to replace one file (lib-comment.php for Geeklog 1.4.0 and comment.php for Geeklog 1.3.11).

Comments

Geeklog 1.4.0sr5 and 1.3.11sr7 | 10 comments | Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: TrappedOnEarth on Monday, July 17 2006 @ 02:16 am EDT

I just noticed something odd. After replacing my lib-comment.php file (updating from 1.4.0sr4 to 1.4.0sr5), when I add a comment on my site now, the preview is not working correctly. It is only showing the first few lines and is ignoring the html formating.

I tried it using Safari and Firefox with the same results. Part my reason for posting this comment here now is to see if it happens here as well or not. I just tested it here as well by clicking the preview and it only displays the first few lines and ignores the html formatting.

It seems to be limited to only previewing a comment, because when I hit submit, the complete comment does post along with the html formating.

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: Anonymous (Anonymous User) on Monday, July 17 2006 @ 03:39 am EDT

Confirmed...I had to revert back to the other version

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: Dirk on Monday, July 17 2006 @ 04:04 am EDT

Whoops. It's a bit overzealous now with the filtering. Looks like we have to release a fix for the fix ... Sorry about that.

bye, Dirk

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: LWC on Monday, July 17 2006 @ 05:10 am EDT

Will you release it under a new name?

I wish you'd apply my new patch (supposedly it's new but it was in the forums since 2005) for "a public dummy site mail and a protected real site mail" as it's kind of annoying having to keep updating it manually inside each new version of system/lib-common.php...).

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: griffman on Wednesday, July 19 2006 @ 05:32 pm EDT

Any update on the fix for the fix? It seems a choice of two bad options -- run with the hole plugged but comment preview borked, or have comment preview with a security hole...

-rob.

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: Dirk on Thursday, July 20 2006 @ 02:01 am EDT

Basically, it's this. I'm seeing extra backslashes on one of my sites, though, and I have had virtually no time to even attempt to roll out a new release, sorry.

bye, Dirk

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: kegazow on Tuesday, July 18 2006 @ 12:06 am EDT

One thing that I noticed, as a user new to php and new to Geeklog, was the security notice on the site reviewing the site on a cursory level to make sure things were OK. I found out the hard way, however, that installing Geeklog with cPanel/Fantastico is just plain bad. Rather than relive all of the details, you can check it out here.

The short of the long is this: how hard would it be to amp up the security check in subsequent releases to check for the path to some of the core components (i.e. config.php, plugins, logs, etc), and if they are the same as the root (i.e. flat installed into the root of the site) then give the user an indication that this is a bad thing? I intend to work at it a bit, but given that I am quite the n00b when it comes to PHP, my version may release at some point when computers are all embedded.

Ciao,
Kurt

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: Dirk on Wednesday, July 19 2006 @ 03:16 pm EDT

Yeah, more thorough checks for a secure install are certainly on my to-do list. I was initially thinking about adding them to the install script, but it seems they should really be embedded into Geeklog itself for all those auto installers.

The funny thing is that none of the authors of those auto installs ever contacted us. They just appeared out of nowhere. Initially, I thought they were a good idea but now I'm not so sure any more ...

If anyone can provide us with contact addresses, we'll try and have a word with them.

bye, Dirk

Merging PHPBB and Geeklog

Authored by: Macaco on Wednesday, July 19 2006 @ 10:59 am EDT

hello... how can I merge phpbb and geeklog using the same user accounts on both but without having to register on both separately?

Geeklog 1.4.0sr5 and 1.3.11sr7

Authored by: barrywong on Friday, July 21 2006 @ 07:10 am EDT

I am running v1.4.0sr2. I decided to wait it out in May when sr3 was released with the statement... "Geeklog 1.4.1 available by the end of June." I admit it. I was lazy. Looks like I am 3 versions away now.

Any news of when 1.4.1 will be release? 8^)

Thank you.

Warning: Javascript required to enable functionality

Geeklog 1.4.0sr5 and 1.3.11sr7

Search

Resources

About

Getting started

Support

Development

Topics

User Functions

What's New

Articles last 4 weeks

Comments last 4 weeks

Pages last 4 weeks

Links last 4 weeks

Downloads last 4 weeks