Posted on: 08/27/09 04:11pm
By: Anonymous (Jeff)
A coworker of mine showed me this Geeklog vulnerability report today: http://www.f-secure.com/vulnerabilities/SA200904402 It says to solve it, restrict access to trusted users only via .htaccess. I don't know how to do that; can you guys tell me what I should put in that file and where that file goes?
Re: Geeklog vulnerability bulletin
Posted on: 08/27/09 05:03pm
By: Dirk
Yeah, we know about this issue. Uploads still have to go through FCKeditor's filter, so you can't upload scripts and such. So it's more of a nuisance than a security issue. Still something we need to address, of course.
In the meantime, here are a few options you have:
- if you don't use FCKeditor, simply remove the entire "fckeditor" directory
- disable the upload within FCKeditor by opening public_html/fckeditor/editor/filemanager/connectors/php/config.php and setting
    $Config['Enabled'] = false;
- if you can do that on your server, set a quota on the upload directory
What you've been referring to is to password-protect the upload directory. Instructions can be found on the web - search for htaccess, htpasswd and such. Please note that such a password-protection would be independent of Geeklog's accounts, so you would need to enter an additional username / password when you upload something.
bye, Dirk
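The .htaccess/.htpasswd setup Dirk points at (and Jeff asked about) is the kind of thing that is easy to get slightly wrong, so here is a worked example of what the two files contain and where they go. This is an added example, not code from the thread or from Geeklog/FCKeditor. It assumes an Apache server with mod_auth_basic and mod_authn_file, AllowOverride AuthConfig permitted for the directory, and the "{SHA}" digest scheme that `htpasswd -s` writes; the connector path under public_html is the one named in this thread, the `private` directory beside it is a constructed location for the password file.

```python
import base64
import hashlib
import os
import tempfile

# Added example (not from the thread): generate the .htpasswd and .htaccess files
# needed for HTTP Basic authentication on a directory.
# Assumptions: Apache with mod_auth_basic/mod_authn_file, AllowOverride AuthConfig
# enabled for the directory, and the "{SHA}" digest scheme that `htpasswd -s` writes.


def htpasswd_sha_line(user: str, password: str) -> str:
    """One .htpasswd record in Apache's {SHA} format: user:{SHA}base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_credential(htpasswd_text: str, user: str, password: str) -> bool:
    """Verify a user/password pair against {SHA} records (what Apache does per request)."""
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
            return stored[len("{SHA}"):] == digest.decode("ascii")
    return False


def htaccess_text(htpasswd_path: str, realm: str = "Geeklog uploads") -> str:
    """Directives for the .htaccess that sits inside the directory being protected."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {htpasswd_path}",  # absolute path, kept outside the web root
        "Require valid-user",
        "",
    ])


def install_basic_auth(protect_dir: str, htpasswd_path: str, users: dict) -> dict:
    """Write .htpasswd (outside the web root) and .htaccess (inside protect_dir)."""
    records = "\n".join(htpasswd_sha_line(u, p) for u, p in users.items()) + "\n"
    with open(htpasswd_path, "w", encoding="utf-8") as fh:
        fh.write(records)
    os.chmod(htpasswd_path, 0o640)  # readable by the web server's group, nobody else
    htaccess_path = os.path.join(protect_dir, ".htaccess")
    text = htaccess_text(htpasswd_path)
    with open(htaccess_path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return {"htaccess": text, "htpasswd": records, "htaccess_path": htaccess_path}


def demo() -> dict:
    """Constructed layout: a throwaway web root with the connector directory and a
    private directory beside it for the password file."""
    base = tempfile.mkdtemp()
    connector_dir = os.path.join(base, "public_html", "fckeditor", "editor",
                                 "filemanager", "connectors", "php")
    private_dir = os.path.join(base, "private")
    os.makedirs(connector_dir)
    os.makedirs(private_dir)
    return install_basic_auth(connector_dir, os.path.join(private_dir, ".htpasswd"),
                              {"jeff": "correct horse battery staple"})


if __name__ == "__main__":
    result = demo()
    print(result["htaccess_path"])
    print(result["htaccess"])
```

Put the .htaccess in the directory that holds the connector's config.php (the path Ben names further down), so that every upload request has to carry the extra credential; a second copy in the directory the connector writes files into additionally gates downloads of whatever is already there. The {SHA} scheme is used here only because it needs nothing beyond the standard library; on a server where `htpasswd -B` (bcrypt) is available, generate the records with that instead and the .htaccess stays the same.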
Re: Geeklog vulnerability bulletin
Posted on: 08/29/09 05:18pm
By: Anonymous (boaz)
I have 8 Geeklog sites with 2 different hosts; today one of them suspended all of my sites because they said I was hosting malware and hacking tools. This is what they said was on my site: a.tgz, cracker.tgz, cv.zip, god.tgz, gw.zip, new.tgz, ssh1.tgz, ssh2.tgz. These were all in the FCKeditor's file directory. Every one of my sites on both hosts had these files and some others.
I come here to see if I missed an announcement and find this post. You call it a nuisance, what a load of crap! You know about the security hole, don't say a word, nothing, and then when someone asks you say it is a nuisance. You guys claim to be security minded, bull. I do all the right things, subscribe to the security RSS feed here so I can stay up to date, update my sites every time you post a fix, but this time you don't do anything but leave all of us running Geeklog in a lurch when you admit you knew about it and did nothing.
Thanks for nothing, off to go find a real CMS that doesn't leave its users out to dry.
Re: Geeklog vulnerability bulletin
Posted on: 08/29/09 06:46pm
By: Dirk
Right, hosting malware isn't something I had considered (there goes my career option of becoming an evil genius ...).
This is obviously more than a nuisance - looks like we underestimated that problem. Sorry about that.
It's not like we're ignoring the issue. It did turn out a bit tricky to address, though, if you still want to allow uploads of some form.
Here's a slightly improved version for those that control the influx of new users on their sites: In the connector's config.php, instead of outright disabling the connector, use this piece of code:
    // Keep the connector disabled by default ...
    $Config['Enabled'] = false;
    // ... and switch it on only for logged-in users when Geeklog's advanced editor is in use
    if (($_CONF['advanced_editor'] == 1) && !COM_isAnonUser()) {
        $Config['Enabled'] = true;
    }
This will at least prevent anonymous uploads (but won't stop anyone from registering an account and using that to upload).
We'll keep on looking for a better solution (ASAP now, of course).
bye, Dirk
Re: Geeklog vulnerability bulletin
Posted on: 08/29/09 07:08pm
By: ::Ben
Hello,
I do not read Japanese but there is a new security post on geeklog.jp[*1].
Also in the directory /fckeditor/editor/filemanager/connectors/php there is a config.php with some settings that you can try.
    // After file is uploaded, sometimes it is required to change its permissions
    // so that it was possible to access it at the later time.
    // If possible, it is recommended to set more restrictive permissions, like 0755.
    // Set to 0 to disable this feature.
    // Note: not needed on Windows-based servers.
    $Config['ChmodOnUpload'] = 0777 ;
    // See comments above.
    // Used when creating folders that does not exist.
    $Config['ChmodOnFolderCreate'] = 0777 ;
If possible, it is recommended to set more restrictive permissions, like 0755
::Ben
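Between Boaz's report (archives dropped into the upload folder on every site) and Ben's note on the 0777 chmod settings, the practical defender's question is how to spot this on your own sites. The following is an added example, not code from the thread or from Geeklog/FCKeditor: it walks an upload tree and reports world-writable directories and files (what ChmodOnUpload/ChmodOnFolderCreate at 0777 produce), files whose type has no place in a picture/document folder, and a total size over a quota (Dirk's third option). The extension list and the sample tree it audits are constructed for the example; the file names in the sample tree are the ones from Boaz's post.

```python
import os
import stat
import tempfile

# Added example (not from the thread). File types a picture/document upload folder
# should not contain; the list is an assumption for this example (Boaz's post names
# .tgz and .zip archives among the files his host flagged).
SUSPECT_EXTENSIONS = {".tgz", ".tar", ".gz", ".zip", ".rar",
                      ".php", ".phtml", ".pl", ".sh", ".exe"}


def audit_upload_dir(root: str, quota_bytes: int) -> list:
    """Return (kind, path_relative_to_root, detail) findings for an upload tree."""
    findings = []
    total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        dmode = stat.S_IMODE(os.stat(dirpath).st_mode)
        # 0777 from ChmodOnFolderCreate trips this; 0755 would not
        if dmode & stat.S_IWOTH:
            findings.append(("world-writable-dir", rel_dir, f"{dmode:04o}"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            total += st.st_size
            fmode = stat.S_IMODE(st.st_mode)
            if fmode & stat.S_IWOTH:
                findings.append(("world-writable-file", rel, f"{fmode:04o}"))
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPECT_EXTENSIONS:
                findings.append(("unexpected-type", rel, ext))
    if total > quota_bytes:
        findings.append(("quota-exceeded", ".", str(total)))
    return findings


def demo() -> list:
    """Constructed sample tree: one legitimate image plus the kind of archives
    Boaz found, in a folder created with the 0777 setting from config.php."""
    root = tempfile.mkdtemp()

    def put(rel: str, size: int, mode: int) -> None:
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.chmod(path, mode)

    os.mkdir(os.path.join(root, "files"))
    os.chmod(os.path.join(root, "files"), 0o777)
    put("logo.jpg", 512, 0o644)
    put(os.path.join("files", "a.tgz"), 1024, 0o644)
    put(os.path.join("files", "cracker.tgz"), 1024, 0o666)
    put(os.path.join("files", "cv.zip"), 1024, 0o644)
    return audit_upload_dir(root, quota_bytes=2048)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:20} {path:24} {detail}")
```

Point `audit_upload_dir` at the directory the connector writes into and run it from cron; a non-empty result is the signal to go back to the config.php settings above (0755 instead of 0777, or disabling the connector) rather than something to clean up by hand each time.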
Re: Geeklog vulnerability bulletin
Posted on: 08/30/09 02:50am
By: Dirk
From what Ivy told me, the post on geeklog.jp is about sites that were hacked due to older FCKeditor issues, either this one[*2] or this one[*3]. We did release patches for those.
To the best of my knowledge, the new issue we're discussing here can not be used to hack a Geeklog site.
bye, Dirk
Re: Geeklog vulnerability bulletin
Posted on: 08/30/09 11:28am
By: Anonymous (Boaz)
I'm surprised you have not bothered to post a security bulletin even after you know people are being exploited. I have all my sites upgraded to glFusion now so it doesn't matter to me anymore.