Geeklog 1.3.8-1sr3 and 1.3.7sr4 security updates
- Saturday, December 06 2003 @ 02:00 pm EST
- Contributed by: Dirk
These updates fix a few minor security-related issues:
- As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
- Vincent Furia found that the restrictions on the form for emailing users could be circumvented, so that it could even be used to spam users. On 1.3.8-1sr3, there is now also a speed limit when sending emails to users.
- There was a way to post comments anonymously even when posting for anonymous users had been disabled.
- It was possible to post comments under someone else's username.
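The comment and email issues above share one root cause: the server trusted what the form submitted (the poster's identity, the "may anonymous users post" decision, the number of mails a sender may fire off) instead of deciding these things itself. The following is an added example, not Geeklog's code; it shows the server-side checks a fixed handler needs. The `$CONF` keys, the session array, the `filter_category` helper and the `mail_allowed` store are all hypothetical stand-ins for the real configuration, session handling and database.

```php
<?php
// Added example (not Geeklog code): server-side checks for the issues fixed
// in 1.3.8-1sr3. Config keys, session layout and storage are hypothetical.
declare(strict_types=1);

// Hypothetical site configuration standing in for Geeklog's settings.
$CONF = [
    'comment_anon'    => false, // may anonymous users post comments?
    'mail_speedlimit' => 300,   // minimum seconds between mails from one sender
];

/**
 * Filter the link-submission category (a 32-character field): strip markup,
 * collapse whitespace and cut to the column length. Hypothetical approach.
 */
function filter_category(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = trim(preg_replace('/\s+/', ' ', $clean) ?? '');
    return mb_substr($clean, 0, 32);
}

/**
 * Decide who is posting. The identity comes from the authenticated session,
 * never from the form: any 'uid' or 'username' field the client sent is
 * discarded, which closes the "post under someone else's name" hole.
 */
function comment_author(array $session, array $post): array
{
    unset($post['uid'], $post['username']); // client-supplied, untrusted
    $uid = isset($session['uid']) ? (int) $session['uid'] : 0; // 0 = anonymous
    return ['uid' => $uid, 'anonymous' => ($uid === 0)];
}

/**
 * Admission check for a comment. Returns null when the comment may be stored,
 * otherwise a reason string. The anonymous-posting switch is enforced here,
 * on the server, not by hiding the form in the template.
 */
function check_comment(array $conf, array $session, array $post): ?string
{
    $author = comment_author($session, $post);
    if ($author['anonymous'] && !$conf['comment_anon']) {
        return 'anonymous comments are disabled';
    }
    if (trim((string) ($post['comment'] ?? '')) === '') {
        return 'empty comment';
    }
    return null;
}

/**
 * Speed limit for the "email this user" form. $last maps a sender key
 * (user id, or remote address for anonymous senders) to the time of the
 * last mail; a second mail inside $limit seconds is refused.
 */
function mail_allowed(array &$last, string $sender, int $limit, int $now): bool
{
    if (isset($last[$sender]) && ($now - $last[$sender]) < $limit) {
        return false;
    }
    $last[$sender] = $now;
    return true;
}

// Demo on constructed input.
$anonSession = [];
$userSession = ['uid' => 42];
$forgedPost  = ['uid' => 1, 'username' => 'Admin', 'comment' => 'hello'];

echo "category: ", filter_category("  <b>Web</b>\n  Sites " . str_repeat('x', 40)), "\n";
echo "anonymous, forged uid: ", check_comment($CONF, $anonSession, $forgedPost) ?? 'accepted', "\n";
echo "logged in, forged uid: ", check_comment($CONF, $userSession, $forgedPost) ?? 'accepted',
     " as uid ", comment_author($userSession, $forgedPost)['uid'], "\n";

$lastMail = [];
foreach ([1000, 1100, 1400] as $t) {
    echo "mail at t=$t: ", mail_allowed($lastMail, 'uid:42', $CONF['mail_speedlimit'], $t) ? 'sent' : 'refused', "\n";
}
```

The forged `uid`/`username` in `$forgedPost` never reaches storage: the comment is either refused (anonymous, switch off) or stored as the session's uid 42. The speed limit keys on the sender, so a logged-in spammer cannot reset it by changing the recipient.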
As usual, there are an upgrade tarball and a complete tarball for 1.3.8-1sr3. The 1.3.7sr4 upgrade is only available as an upgrade tarball and requires 1.3.7sr3.
* sigh * Comment posting was so secure now that it didn't let you post any comments at all. The problem has been fixed and the tarballs have been updated. Please replace comment.php (if you've downloaded the full tarball, you only need the upgrade tarball now). Sorry about that.