Welcome to Geeklog, Anonymous Saturday, December 28 2024 @ 06:15 am EST

Geeklog Forums

Geeklog vulnerability bulletin


Jeff

Anonymous
A coworker of mine showed me this Geeklog vulnerability report today http://www.f-secure.com/vulnerabilities/SA200904402 it says to solve it restrict access to trusted users only via .htaccess. I don't know how to do that can you guys tell me what I should put in that file and where that file goes.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Yeah, we know about this issue. Uploads still have to go through FCKeditor's filter, so you can't upload scripts and such. So it's more of a nuisance than a security issue. Still something we need to address, of course.

In the meantime, here are a few options you have:

- if you don't use FCKeditor, simply remove the entire "fckeditor" directory

- disable the upload within FCKeditor by opening public_html/fckeditor/editor/filemanager/connectors/php/config.php and setting
Text Formatted Code
$Config['Enabled'] = false;


- if you can do that on your server, set a quota on the upload directory

What you've been referring to is to password-protect the upload directory. Instructions can be found on the web - search for htaccess, htpasswd and such. Please note that such a password-protection would be independent of Geeklog's accounts, so you would need to enter an additional username / password when you upload something.

bye, Dirk
 Quote

boaz

Anonymous
I have 8 Geeklog sites with 2 different hosts, today one of them suspended all of my sites because they said I was hosting malware and hacking tools. This is what they said was on my site a.tgz, cracker.tgz, cv.zip, god.tgz, gw.zip, new.tgz, ssh1.tgz, ssh2.tgz. These were all in the FCKeditors file directory. Everyone one of my sites on both hosts had these files and some others.

I come here to see if I missed an announcement and find this post. You call it a nuisance, what a load of crap! You know about the security hole, don't say a word, nothing and then when someone asks you say it is a nuisance. You guys claim to be security minded, bull. I do all the right things, subscribe to the security RSS feed here so I can stay up to date, update my sites everytime you post a fix, but this time you don't do anything but leave all of us running Geeklog in a lurch when you admit you knew about it and did nothing.

Thanks for nothing, off to go find a real CMS that doesn't leave its uses out to dry.



 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
embarrassed
Right, hosting malware isn't something I had considered (there goes my career option of becoming an evil genius ...).

This is obviously more than a nuisance - looks like we underestimated that problem. Sorry about that.

It's not like we're ignoring the issue. It did turn out a bit tricky to address, though, if you still want to allow uploads of some form.

Here's a slightly improved version for those that control the influx of new users on their sites: In the connector's config.php, instead of outright disabling the connector, use this piece of code:
Text Formatted Code
$Config['Enabled'] = false;
if (($_CONF['advanced_editor'] == 1) && !COM_isAnonUser()) {
    $Config['Enabled'] = true;
}

This will at least prevent anonymous uploads (but won't stop anyone from registering an account and using that to upload).

We'll keep on looking for a better solution (ASAP now, of course).

bye, Dirk
 Quote

Status: offline

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
Hello,

I do not read japonese but there is a new security post on geeklog.jp.

Also In the directory /fckeditor/editor/filemanager/connectors/php

There is a config.php with some settings that you can try.


Text Formatted Code
// After file is uploaded, sometimes it is required to change its permissions
// so that it was possible to access it at the later time.
// If possible, it is recommended to set more restrictive permissions, like 0755.
// Set to 0 to disable this feature.
// Note: not needed on Windows-based servers.
$Config['ChmodOnUpload'] = 0777 ;

// See comments above.
// Used when creating folders that does not exist.
$Config['ChmodOnFolderCreate'] = 0777 ;


If possible, it is recommended to set more restrictive permissions, like 0755

::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
From what Ivy told me, the post on geeklog.jp is about sites that were hacked due to older FCKeditor issues, either this one or this one. We did release patches for those.

To the best of my knowledge, the new issue we're discussing here can not be used to hack a Geeklog site.

bye, Dirk
 Quote

Boaz

Anonymous
I'm surprised you have not bothered to post a security bulletin even after you know people are being exploited. I have all my sites upgraded to Glfusion now so it doent matter to me anymore.
 Quote

All times are EST. The time is now 06:15 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content