Welcome to Geeklog, Anonymous Monday, December 23 2024 @ 04:45 am EST

News

Geeklog 1.5.1 Security Fixes

  • Monday, September 22 2008 @ 03:09 pm EDT
  • Contributed by:
  • Views: 7,898
Security

Geeklog 1.5.1 addresses the following security issues:

  • The recently reported file upload issue in FCKeditor. A fix is now included. When upgrading from earlier versions, we strongly recommend that you remove your old copy of the "fckeditor" directory and replace it with the version that ships with Geeklog 1.5.1 to ensure that old files are removed and replaced properly.
  • Mark Evans reported that our protection against direct execution of include files did not work properly on non-case sensitive file systems (e.g. on Windows). This only affects sites that weren't installed correctly in the first place (the files in question should not be reachable from the web). This includes sites installed through Fantastico, though.

The following issues are bugs in Geeklog 1.5.0 regarding the access control for stories:

Geeklog 1.5.1rc1

  • Sunday, September 07 2008 @ 03:15 pm EDT
  • Contributed by:
  • Views: 8,731
Announcements

Geeklog 1.5.1 is mostly a bugfix update for Geeklog 1.5.0. The first release candidate is now available for download.

As you can see from the list of changes, we've also thrown in a few minor improvements. Overall, however, the focus for this release is on bugfixes before we're moving on to integrate the new features developed during this year's Summer of Code.

File uploads through FCKeditor

  • Tuesday, September 02 2008 @ 03:00 pm EDT
  • Contributed by:
  • Views: 45,462
Security

A user by the name of t0pP8uZz has demonstrated that the file upload capabilities of FCKeditor, as shipped with Geeklog, can be used to directly upload various sorts of files to a website running Geeklog. The file types are still restricted by FCKeditor's whitelist of allowed types, so it's not possible to upload PHP scripts or the like. Still, this is not something that should be possible as it has the potential for malicious use.

The issue affects Geeklog 1.4.1 and 1.5.0 and possibly other versions when FCKeditor was updated manually.

We will be addressing this problem in the upcoming 1.5.1 release of Geeklog. In the meantime, here's a list of things you can do now:

Page navigation