Security Flaw in Geeklog/Gallery Plugin
- Tuesday, December 09 2003 @ 10:48 pm EST
- Contributed by: Tony
- Views: 17,880
Those of you Geeklog users who use the Geeklog/Gallery plugin are being advised of a security issue that arises as a result of PHP's register_globals being on. As we explain here we do require register_globals to be on but Geeklog manages this securely. However, the Geeklog/Gallery plugin does not. To be 100% clear, this advisory does not effect Geeklog sites which do not use the Gallery plugin.
be sure to replace the entire string with
Hopefully this is clear to everyone. In the meantime, we are contacting the maintainer of the Geeklog/Gallery plugin to make the necessary fix.
For those of you using the Geeklog Gallery plugin, you should comment all references to $GEEKLOG_DIR in the plugin. Instances of this can be found in: /path/to/geeklog/gallery_dir/init.php
/path/to/geeklog/gallery_dir/classes/geeklog/UserDB.php
/path/to/geeklog/gallery_dir/classes/geeklog/User.php
There are four lines total you will need to address. The first occurance in init.php where $GEEKLOG_DIR gets set which is simply fixed by commenting it out. As for theoccurances of
require_once($GEEKLOG_DIR . 'lib-common.php');
be sure to replace the entire string with
require_once '/path/to/geeklog/public_html/lib-common.php';
Hopefully this is clear to everyone. In the meantime, we are contacting the maintainer of the Geeklog/Gallery plugin to make the necessary fix.