
News

Geeklog 1.5.2sr4

  • Saturday, April 18 2009 @ 07:15 am EDT
  • Views: 10,109
Security

Bookoo of the Nine Situations Group has posted yet another SQL injection exploit. This time, the problem is in usersettings.php and can again be used by an attacker to extract the password hash for any account. Geeklog 1.5.2sr4 fixes this issue and is available for download.

Geeklog 1.5.2sr3

  • Monday, April 13 2009 @ 11:55 am EDT
  • Views: 9,189
Security

Geeklog 1.5.2sr3 addresses the recently published exploit for an SQL injection in the webservices. It is available for download.

After installing this update, you can enable the webservices again if you need them (or leave them disabled if you don't - they are not an essential feature, unless you happen to be using an AtomPub client to post articles).

Webservices exploit

  • Thursday, April 09 2009 @ 03:50 pm EDT
  • Views: 13,953
Security

Well, it's getting a bit embarrassing, but here goes:

Bookoo of the Nine Situations Group posted another SQL injection exploit, this time targeting the webservices API in Geeklog. The problem exists in all 1.5.x releases to date. Fortunately, it can be avoided by disabling the webservices like so: Go to

Configuration > Geeklog > Miscellaneous > Webservices

(that's the last set of options on the "Miscellaneous" page) and set "Disable Webservices?" to "True". We'll release a fix ASAP, but this should secure your site for now.
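Both advisories above (the usersettings.php injection and the webservices injection) mean a site that was exposed before patching should look at its web server access log for injection attempts against those two endpoints. The following is an added example written for this page, not code from the Geeklog project or from the exploit author: a small scanner that parses Apache combined-format log lines, keeps only requests whose path contains usersettings.php or /webservices/ (the actual vulnerable parameters are not named in the advisories, so it checks every query-string parameter), and flags values carrying common SQL injection indicators. The log lines in SAMPLE_LOG are constructed for the demonstration, and the webservices path /webservices/atom/index.php and the parameter names in them are assumptions, not the real exploit.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Endpoints named in the advisories. Matched as substrings of the request path so the
# install directory of the site does not matter.
WATCHED_PATHS = ("usersettings.php", "/webservices/")

# Crude SQL injection indicators, applied to each URL-decoded parameter value.
# A hit is a lead for manual review, not proof of a successful attack.
SQLI_PATTERNS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"\bselect\b.*\bfrom\b", re.I), "SELECT ... FROM"),
    (re.compile(r"--|/\*|#"), "SQL comment"),
    (re.compile(r"\b(or|and)\b\s+[\w']+\s*=\s*[\w']+", re.I), "tautology"),
    (re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(", re.I), "time-based probe"),
    (re.compile(r"\b(gl_)?users\b", re.I), "users table reference"),
]

# Constructed sample lines (documentation IP ranges, made-up parameters); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2009:15:52:01 -0400] "GET /usersettings.php?mode=edit HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2009:15:52:09 -0400] "GET /usersettings.php?uid=2%27%20UNION%20SELECT%20passwd%20FROM%20gl_users--%20 HTTP/1.1" 200 5102 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Apr/2009:16:01:33 -0400] "GET /webservices/atom/index.php?plugin=story HTTP/1.1" 200 1330 "-" "AtomPubClient/1.0"',
    '198.51.100.4 - - [09/Apr/2009:16:01:40 -0400] "GET /webservices/atom/index.php?plugin=story%27%20OR%201%3D1--%20 HTTP/1.1" 500 0 "-" "curl/7.19"',
    '192.0.2.9 - - [09/Apr/2009:16:05:12 -0400] "GET /index.php?topic=it%27s%20here HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into its fields; return None for unparseable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qsl URL-decodes names and values, so the patterns see the literal characters
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def scan_access_log(lines):
    """Return one finding per suspicious parameter on requests to the watched endpoints.

    Only the query string is visible in an access log; parameters sent in a POST body are
    not logged, so a clean result here does not rule out injection via POST.
    """
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if not any(p in req["path"] for p in WATCHED_PATHS):
            continue
        for name, value in req["params"]:
            hits = [label for rx, label in SQLI_PATTERNS if rx.search(value)]
            if hits:
                findings.append({
                    "ip": req["ip"],
                    "ts": req["ts"],
                    "path": req["path"],
                    "param": name,
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['indicators'])}")
```

Run it as `python3 scan.py < /dev/null` with SAMPLE_LOG, or replace SAMPLE_LOG with the lines of the real access log; the request to /index.php with a quote in it is deliberately not reported, because the scanner only looks at the two endpoints the advisories name.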
