Geeklog 1.5.2sr2
- Saturday, April 04 2009 @ 01:40 pm EDT
- Contributed by: Dirk
- Views: 20,570
Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This issue allowed an attacker to extract the password hash for any account and is fixed with this release. Please note that this problem exists in all Geeklog versions prior to 1.5.2sr2.
You can download an upgrade archive for Geeklog 1.5.2sr1 or the complete 1.5.2sr2 tarball to upgrade from any previous version.
The upgrade tarball contains only one file (a drop-in replacement for lib-sessions.php) and can also be used to fix the issue on Geeklog 1.4.1, 1.5.0, and 1.5.1.
As a temporary measure (and to secure older Geeklog releases that are not supported any more), you can also make the following configuration change, at the risk of inconveniencing some of your users: