Geeklog 1.3.5sr2
- Tuesday, July 09 2002 @ 12:21 pm EDT
- Contributed by: dreamscape
We were notified earlier this week about security problems affecting Geeklog 1.3.5[sr1] (and likely earlier versions as well).
For the impatient: we have released a full tarball, GeekLog-1.3.5sr2, as well as a patch. The patch only includes lib-common.php, profiles.php and search.php. NOTE: if you use the patch to replace your files, you must replace the line require_once('/path/to/geeklog/config.php'); with your proper path or your site will not function.
If you've got time for the details, read on.
In a nutshell, the issues are:
- Cross-site scripting in areas of the site that allow HTML input. Someone could use a JavaScript event handler to do things like self.location.href='http://localhost/'. Solution: we've implemented a new function, COM_killJS, that transforms every JavaScript event attribute from the form o nXXXXXXX="" to inXXXXXX="" (space deliberately left between o and n, so that "on" doesn't itself become "in" here). Replacing "on" with "in" costs minimal overhead and stops the JavaScript from responding, because no valid event attributes remain; it won't affect browsers, as they simply ignore attributes they do not recognise.
- The second is CRLF injection, which boils down to this: a newline could be entered in the mail subject, allowing additional mail headers to be added (something like BCC: your@email), and you'd get a copy of the mail, and with it the user's real email address. Solution: we strip out newlines from user-supplied text before an email is sent.
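The two fixes above are both input-sanitising steps, so here is a small PHP illustration of them (example code added for this page, not Geeklog's own lib-common.php; the function names killJsExample and stripMailNewlinesExample are hypothetical, and the sample story HTML and mail subject are constructed). The first function rewrites every event-handler attribute name from on... to in..., as the announcement describes for COM_killJS; the second removes CR and LF from a value before it is used as a mail subject, so that no extra header line can be appended.

```php
<?php
// Added example, not Geeklog's own code. Function names are hypothetical.

// Rewrite HTML event-handler attributes (onload=, onmouseover=, ...) to an
// attribute name no browser knows (inload=, inmouseover=, ...), so the handler
// never fires. The \b word boundary keeps words such as "button" or "icon",
// which merely contain "on", untouched; \s*= requires an attribute assignment.
function killJsExample($html)
{
    return preg_replace('/\bon([a-z]+)(\s*=)/i', 'in$1$2', $html);
}

// Strip carriage returns and line feeds from a user-supplied value that will
// become a mail header (here the subject). Without the newline there is no way
// to start a second header line such as "Bcc:".
function stripMailNewlinesExample($value)
{
    return str_replace(array("\r", "\n"), '', $value);
}

// Constructed sample inputs, as a user might submit them through a form.
$storyHtml = '<a href="/story" onmouseover="self.location.href=\'http://localhost/\'">read</a> <button>ok</button>';
$subject   = "Hello\r\nBcc: someone@example.invalid";

// The event attribute is now "inmouseover", which the browser ignores;
// "<button>" is left alone.
echo killJsExample($storyHtml), "\n";

// The subject collapses to a single line, so "Bcc:" stays inside the subject
// text and is never parsed as a header of its own.
$safeSubject = stripMailNewlinesExample($subject);
echo $safeSubject, "\n";

// The sanitised value is what should reach mail(); the To and extra-header
// arguments deserve the same treatment wherever a user can influence them.
// mail('user@example.invalid', $safeSubject, 'body');
```

The word boundary in the regular expression is the one detail worth noting: a plain substring replacement of "on" with "in" would also alter ordinary words and attribute values, so matching only "on" followed by an event name and "=" keeps the change confined to the handlers. Stripping newlines should be applied to every user-controlled value that ends up in a mail header, not only the subject, since each of them is a separate injection point.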
In addition to fixing these two issues, we've also added some "support" tools and an enhanced install script to the admin/install/ directory. If you've already got Geeklog installed this probably won't be of much use to you, but we have a couple of routines to check file/directory permissions, read your config.php values, and print phpinfo(). All of these scripts are in admin/install/ so that when you shut down or move that directory, they move too.
You are strongly encouraged to upgrade all sql server installations you have for security.
Looking ahead to GeekLog 1.3.6, you will see a lot of the outstanding bugs on sourceforge.net squashed. GeekLog 1.3.6 is not ready yet, so we thought it in your best interest to push out an sr2 release immediately.
Finally, we'd like to thank Ulf Harnhammar for finding these holes, submitting them to us and allowing us time to provide a fix.