The third beta version of Geeklog 1.6.0 is now available for download.

This version fixes a few more issues with the new search, addresses the XSS reported for the install script, and also includes a more prominent reminder to remove the install script after installation or upgrade.

The main reason for this third beta (instead of it being rc1), however, is the last-minute addition of a new minor security feature to prevent "clickjacking". This feature requires support from the browser, though, and is currently only implemented in IE 8 and Safari 4. Other browsers will surely add support shortly.

For the Geeklog installation on fsim-ev.de (a social website for the students of the university of applied sciences Regensburg) i've developed a private message plugin and a plugin where user can create groups with group internal dokuwiki-namespace and group forum.

If someone is interested in this download it from my mercurial repository http://fsim-ev.de/hg/pmessage/ and http://fsim-ev.de/hg/groupable/

A recent posting on the Bugtraq security mailing list should serve as a reminder to always remove the install script after a successful install or upgrade of Geeklog: MaXe points out an XSS, a path disclosure, and a remote file inclusion in the 1.5.x install script. The XSS is still present in the 1.6.0 install script and has been pointed out to us before by a person who called himself Nemesis.

We'll take care of this in the next 1.6.0 release (probably rc1). So again: Please follow the installation instructions and the built-in reminders to remove the install script and the other security tips that we provide before, during, and after the install.