Security Fix!
- Thursday, January 03 2002 @ 01:06 pm EST
- Contributed by: Tony
There is a small but nasty security bug in fresh installations of Geeklog 1.3. It affects fresh installations of Geeklog 1.3 only. It turns out that on a fresh installation the data includes one orphaned group_assignments record with a user ID of 13, while Geeklog's user table on a fresh installation has only 12 users. The first user that creates an account is therefore given uid 13 and has access to the GroupAdmin Group and, subsequently, the UserAdmin Group.
If you have already installed a fresh version of Geeklog 1.3 then you need to edit the user with a uid of 13. To find that user, run "SELECT username FROM users WHERE uid = 13" in your favorite MySQL editor. Then, on the admin/users.php page, edit that user and uncheck both the GroupAdmin Group AND the UserAdmin Group, and be sure to leave the Normal User and Logged-in User boxes checked.
Thanks to whoever posted that nasty on our SourceForge site.
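The check below is an added example, not Geeklog code: it rebuilds the situation described above in an in-memory SQLite database and lists group assignments whose user ID has no matching user, which generalizes the uid 13 case to any orphaned row. The table name site_groups and the column names ug_uid, ug_grp_id, grp_id and grp_name are assumptions, and all data is constructed.

```python
import sqlite3

# Constructed, simplified schema. "users" and "group_assignments" follow the
# post; "site_groups" and all column names except uid are assumptions.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE site_groups (grp_id INTEGER PRIMARY KEY, grp_name TEXT);
CREATE TABLE group_assignments (ug_uid INTEGER, ug_grp_id INTEGER);
"""

# Assignment rows whose user ID has no matching row in users.
ORPHANS = """
SELECT ga.ug_uid, g.grp_name
FROM group_assignments AS ga
JOIN site_groups AS g ON g.grp_id = ga.ug_grp_id
LEFT JOIN users AS u ON u.uid = ga.ug_uid
WHERE u.uid IS NULL
ORDER BY ga.ug_uid, g.grp_name
"""

def fresh_install():
    """Build an in-memory database shaped like the fresh install described."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO site_groups VALUES (?, ?)",
                   [(1, "Normal User"), (2, "Logged-in User"),
                    (3, "GroupAdmin Group")])
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(i, f"seed{i}") for i in range(1, 13)])  # 12 shipped users
    db.execute("INSERT INTO group_assignments VALUES (13, 3)")  # the orphan
    return db

def orphaned_assignments(db):
    """Return (uid, group name) for every assignment without a user."""
    return db.execute(ORPHANS).fetchall()

def groups_of(db, uid):
    """Return the sorted group names assigned to one uid."""
    rows = db.execute(
        "SELECT g.grp_name FROM group_assignments AS ga "
        "JOIN site_groups AS g ON g.grp_id = ga.ug_grp_id "
        "WHERE ga.ug_uid = ?", (uid,))
    return sorted(r[0] for r in rows)

def register(db, username):
    """Create an account: next free uid plus the two default groups."""
    uid = db.execute("INSERT INTO users (username) VALUES (?)",
                     (username,)).lastrowid
    db.executemany("INSERT INTO group_assignments VALUES (?, ?)",
                   [(uid, 1), (uid, 2)])
    return uid
```

Running the orphan query before any account is registered is what catches the problem; once uid 13 exists the row no longer looks orphaned, and only a review of that user's groups reveals it.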