Welcome to Geeklog Wednesday, May 22 2013 @ 09:37 AM EDT
While tracking the security issues that have plagued other web applications, we have become aware that Geeklog is vulnerable to so-called Cross-Site Request Forgery (CSRF) attacks. In a nutshell, the idea is for an attacker to perform operations on a site with someone else's privileges. There are multiple possible attack vectors, including tricking you into clicking on a link or embedding what looks like an image but is really a script.
Unfortunately, fixing these issues required a lot of changes to Geeklog's code, so we can't provide a simple security fix for earlier releases. The necessary infrastructure has been implemented in Geeklog 1.5.0, which we now consider safe from these attacks. Please note that many 3rd-party plugins are also affected and will have to be updated as well.
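To illustrate the kind of infrastructure a CSRF fix needs, here is an added example of a token-based guard in PHP. It is example code written for this post, not Geeklog's own implementation; the function names, the session key, the token lifetime and the `story_delete` action are assumptions made for the example. The point is that a forged link or image can make the victim's browser send a request, but it cannot read the per-session token that the real form carries, so the forged request is rejected before any privileged operation runs.

```php
<?php
// Added example (not Geeklog code): session-bound, single-use CSRF tokens.
// Assumes session_start() has been called before the helpers are used.

const CSRF_SESSION_KEY = 'csrf_tokens';   // assumed session key
const CSRF_TOKEN_TTL   = 1800;            // assumed lifetime in seconds

function csrf_create_token(string $action): string
{
    // 32 bytes from the CSPRNG, hex-encoded so the value survives HTML and URL encoding.
    $token = bin2hex(random_bytes(32));
    $_SESSION[CSRF_SESSION_KEY][$token] = [
        'action'  => $action,   // token is only valid for this one action
        'created' => time(),
    ];
    return $token;
}

function csrf_check_token(string $action, string $token): bool
{
    $store = $_SESSION[CSRF_SESSION_KEY] ?? [];
    if ($token === '' || !isset($store[$token])) {
        return false;
    }
    $entry = $store[$token];
    // Single use: discard the token before checking it, so a replay fails too.
    unset($_SESSION[CSRF_SESSION_KEY][$token]);
    if ($entry['action'] !== $action) {
        return false;
    }
    if (time() - $entry['created'] > CSRF_TOKEN_TTL) {
        return false;
    }
    return true;
}

// Rendering side: the real form embeds a fresh token as a hidden field.
function csrf_hidden_field(string $action): string
{
    $token = csrf_create_token($action);
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Handling side: a state-changing request must be a POST carrying a valid token.
function csrf_guard(string $action): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check_token($action, (string) ($_POST['csrf_token'] ?? ''))) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
}

// Usage: the 'story_delete' action is made up for this example.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_guard('story_delete');
    // ... perform the privileged operation here ...
    echo 'Story deleted.';
} else {
    echo '<form method="post" action="">'
       . csrf_hidden_field('story_delete')
       . '<button type="submit">Delete story</button></form>';
}
```

Two design choices matter here: the token is tied to a specific action and consumed on first use, so a token leaked from one form cannot authorize a different operation or be replayed, and the guard also refuses GET requests, which is what makes "click this link" and "load this image" style vectors fail even before the token check.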
For older Geeklog versions, here are a few recommendations to minimize the risks:
Lukasz Pilorz has found 3 security issues in kses, the HTML filter we're using in Geeklog. We have examined these issues and, to the best of our knowledge, 2 of the 3 are not exploitable in the Geeklog context, due to additional filtering done by Geeklog. The third issue is exploitable, but it won't affect standard installs.
The exploitable issue affects the HTML style attribute. In a standard install of Geeklog, the style attribute is not allowed, i.e. it is filtered out when someone attempts to use it. This has always been our recommendation, as the attribute could be used for defacements; Lukasz has now demonstrated that it can also be used for XSS. Since kses is no longer maintained, there is no patch for this issue. We therefore want to repeat our recommendation: do not allow the style attribute for normal users, and be very careful when allowing it for Admin users.
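To show what "filtered out" means in practice, here is an added allowlist-based attribute filter in PHP. It is example code for this post, not kses or Geeklog code, and the per-tag attribute lists, the function names and the sample input are assumptions made for the example. Anything not on the per-tag list is dropped, so `style` never reaches the rendered page unless an administrator deliberately adds it to the list; `href` and `src` values are additionally checked for an expected URL scheme.

```php
<?php
// Added example (not kses or Geeklog code): per-tag attribute allowlist.
// 'style' is deliberately absent from the normal-user allowlist below.

const ALLOWED_TAGS_USER = [
    'p'      => [],
    'b'      => [], 'i' => [], 'em' => [], 'strong' => [],
    'a'      => ['href', 'title'],
    'img'    => ['src', 'alt', 'width', 'height'],
];

function safe_url(string $url): bool
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    if ($scheme === false) {          // unparseable URL: reject
        return false;
    }
    // Relative URLs have no scheme; otherwise only http(s) and mailto pass.
    return $scheme === null
        || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
}

function filter_html(string $html, array $allowed): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $prev = libxml_use_internal_errors(true);
    // Wrap the fragment in a div so it always has a single root element.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);
    // Snapshot the list: removing nodes while walking a live list skips elements.
    $elements = iterator_to_array($root->getElementsByTagName('*'));
    foreach ($elements as $el) {
        $tag = strtolower($el->tagName);
        if (!isset($allowed[$tag])) {
            // Disallowed tag: keep its text, drop the element and all its attributes.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed[$tag], true)) {
                $el->removeAttribute($attr->name);   // style, on*, class, ... all go here
            } elseif (in_array($name, ['href', 'src'], true) && !safe_url($attr->value)) {
                $el->removeAttribute($attr->name);   // allowed name, unexpected scheme
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: a style attribute and an unknown attribute on an
// allowed tag, plus a disallowed tag, to show which parts survive.
$sample = '<p style="color:red" data-x="1">Hello <b>world</b> '
        . '<a href="https://example.com" title="t">link</a> '
        . '<span onmouseover="x()">plain</span></p>';
echo filter_html($sample, ALLOWED_TAGS_USER), PHP_EOL;
```

Run on the constructed sample, the paragraph keeps its text and the allowed `href` and `title`, the `style` and `data-x` attributes are removed, and the `span` is collapsed to its text. The same function can be handed a second, wider allowlist for Admin users; whether `style` belongs on that list is exactly the judgement call the recommendation above asks you to make carefully.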
For the other two issues, Lukasz has provided a patch for kses that we've rolled into Geeklog 1.5.0, just in case. For earlier releases, you can download a drop-in replacement for kses. Again, to the best of our knowledge, the issues (which include arbitrary code execution) do not seem to be exploitable in the Geeklog context.
Since kses is no longer maintained, we will be looking into replacing it with some other HTML filter in future Geeklog releases.
There will be a short (we hope) downtime for maintenance on both Monday 16th and Tuesday 17th at 11am EDT (15:00 UTC). This will affect both this site as well as the project site (including the bugtracker and CVS).
The wiki and the demo site will not be affected by these downtimes, but the demo site will have a separate outage on Wednesday 18th, from 1am to 6am EDT.
If you need help in setting up or using Geeklog, please see the documentation, the FAQ, the Wiki, try our search page or browse through the Support Forum. Chances are someone else already had the same problem.
More resources are listed on the support page.
If you still can't find an answer, feel free to post in the forum.
Need help now? Try our web-based IRC chat.