Geeklog 1.4.0sr3 and 1.3.11sr6
- Sunday, May 28 2006 @ 11:15 am EDT
- Contributed by: Dirk
- Views: 16,800
- Possible SQL injection and authentication bypass in auth.inc.php
- Possible XSS in getimage.php
- Path disclosure in getimage.php and the functions.php of some themes, e.g. the Professional theme
Additionally, an internal code review has revealed another possible SQL injection in the story submission.
We are therefore releasing Geeklog 1.4.0sr3 (complete tarball, upgrade archive) and Geeklog 1.3.11sr6 (upgrade archive, combo update) to address these issues and would suggest that you install these as soon as possible.
Read on for more information ...
getimage.php
If you haven't changed Geeklog's images directory from its default location within the web root, then you actually don't need the getimage.php script and can simply remove it. It is only needed to serve images (for articles and user photos) from a directory outside of the web root.
functions.php
The functions.php file is part of every Geeklog theme and can be used to store theme-specific PHP code. It's often used to give left and right blocks a different appearance. Please check if your theme's functions.php contains any PHP code (it may be empty, in which case you can leave it as is). If it does contain PHP code, please add the following at the beginning of that file (right after the opening PHP tag):
if (strpos ($_SERVER['PHP_SELF'], 'functions.php') !== false) {
    // functions.php was requested directly instead of being included by Geeklog
    die ('This file can not be used on its own!');
}
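The same guard in a slightly more defensive form, added here as an illustration and not code from the Geeklog release: the PHP_SELF match is made case-insensitive, and a second, constant-based check is shown that does not depend on how the web server reports the script name. The constant name GL_THEME_INCLUDE is an assumption for this example, not a Geeklog identifier; the including script would have to define it before the require.

```php
<?php
// functions.php of a theme, guarded against direct requests.

// Guard 1 (the advisory's check, hardened): refuse to run when the requested
// script itself is functions.php. Lower-casing the script name makes the
// comparison also hold on case-insensitive filesystems (Windows, macOS),
// where the file can be served under a differently cased name.
if (strpos(strtolower($_SERVER['PHP_SELF']), 'functions.php') !== false) {
    header('HTTP/1.0 403 Forbidden');
    die('This file can not be used on its own!');
}

// Guard 2 (alternative, hypothetical constant name): only run when the
// including script executed define('GL_THEME_INCLUDE', true) beforehand.
// A direct request never has the constant set, whatever the script name
// looks like, so this does not rely on string matching at all.
if (!defined('GL_THEME_INCLUDE')) {
    header('HTTP/1.0 403 Forbidden');
    die('This file can not be used on its own!');
}

// Theme-specific code (custom left/right block rendering etc.) follows here.
```

Either guard on its own is sufficient; the advisory's one-line check is enough for a theme that only contains display helpers.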
Older Geeklog versions
As usual, we only offer support for the current and previous versions of Geeklog (1.4.0 and 1.3.11, respectively). If you're still running an older version, now may be a good time to upgrade.
In the meantime, the above two items (getimage.php and functions.php) also apply to any older Geeklog release. If you're on Geeklog 1.3.9 or 1.3.10, then the new auth.inc.php for Geeklog 1.3.11 should also work with those versions (no guarantees for older releases). Still, it may be better to upgrade now.
A note on FCKeditor
Since we're talking about security issues: A security issue has recently been found in FCKeditor, which we ship with Geeklog 1.4.0. However, the issue affects FCKeditor's file manager, which we don't use (we're shipping the MCPUK version of the file manager instead), so Geeklog 1.4.0 installs are not affected, as far as we know. If you want to be on the safe side, you can still remove the FileUpload.php script from /path/to/geeklog/public_html/fckeditor/editor/filemanager/browser/mcpuk/connectors/php/Commands.
Those of you who upgraded FCKeditor to version 2.2 (Geeklog 1.4.0 is shipping with version 2.1), however, should probably upgrade to FCKeditor 2.3.
Geeklog 1.4.1
For Geeklog 1.4.1, we are concentrating on bugfixes and further security enhancements. In fact, the issue regarding auth.inc.php had already been spotted and fixed before the KAPDA report arrived, so it looks like we're on the right track. We expect to have a release candidate of Geeklog 1.4.1 available by the end of June.