A coworker of mine showed me this Geeklog vulnerability report today http://www.f-secure.com/vulnerabilities/SA200904402 it says to solve it restrict access to trusted users only via .htaccess. I don't know how to do that can you guys tell me what I should put in that file and where that file goes.

Yeah, we know about this issue. Uploads still have to go through FCKeditor's filter, so you can't upload scripts and such. So it's more of a nuisance than a security issue. Still something we need to address, of course.

In the meantime, here are a few options you have:

- if you don't use FCKeditor, simply remove the entire "fckeditor" directory

- disable the upload within FCKeditor by opening public_html/fckeditor/editor/filemanager/connectors/php/config.php and setting

- if you can do that on your server, set a quota on the upload directory

What you've been referring to is to password-protect the upload directory. Instructions can be found on the web - search for htaccess, htpasswd and such. Please note that such a password-protection would be independent of Geeklog's accounts, so you would need to enter an additional username / password when you upload something.

bye, Dirk

I have 8 Geeklog sites with 2 different hosts, today one of them suspended all of my sites because they said I was hosting malware and hacking tools. This is what they said was on my site a.tgz, cracker.tgz, cv.zip, god.tgz, gw.zip, new.tgz, ssh1.tgz, ssh2.tgz. These were all in the FCKeditors file directory. Everyone one of my sites on both hosts had these files and some others.

I come here to see if I missed an announcement and find this post. You call it a nuisance, what a load of crap! You know about the security hole, don't say a word, nothing and then when someone asks you say it is a nuisance. You guys claim to be security minded, bull. I do all the right things, subscribe to the security RSS feed here so I can stay up to date, update my sites everytime you post a fix, but this time you don't do anything but leave all of us running Geeklog in a lurch when you admit you knew about it and did nothing.

Thanks for nothing, off to go find a real CMS that doesn't leave its uses out to dry.

Right, hosting malware isn't something I had considered (there goes my career option of becoming an evil genius ...).

This is obviously more than a nuisance - looks like we underestimated that problem. Sorry about that.

It's not like we're ignoring the issue. It did turn out a bit tricky to address, though, if you still want to allow uploads of some form.

Here's a slightly improved version for those that control the influx of new users on their sites: In the connector's config.php, instead of outright disabling the connector, use this piece of code:
This will at least prevent anonymous uploads (but won't stop anyone from registering an account and using that to upload).

We'll keep on looking for a better solution (ASAP now, of course).

bye, Dirk

Hello,

I do not read japonese but there is a new security post on geeklog.jp.

Also In the directory /fckeditor/editor/filemanager/connectors/php

There is a config.php with some settings that you can try.




If possible, it is recommended to set more restrictive permissions, like 0755

::Ben

---

I'm available to customise your themes or plugins for your Geeklog CMS

From what Ivy told me, the post on geeklog.jp is about sites that were hacked due to older FCKeditor issues, either this one or this one. We did release patches for those.

To the best of my knowledge, the new issue we're discussing here can not be used to hack a Geeklog site.

bye, Dirk

I'm surprised you have not bothered to post a security bulletin even after you know people are being exploited. I have all my sites upgraded to Glfusion now so it doent matter to me anymore.