
News

Geeklog 1.5.0

  • Sunday, June 15 2008 @ 10:00 am EDT
  • Contributed by:
  • Views: 19,707
Announcements

After almost 18 months in the making, Geeklog 1.5.0 is now officially out and available for download.

To recap: This version incorporates the results of the 2007 Google Summer of Code, namely:

  • New user-friendly install script by Matt West
  • New Configuration GUI (replacing config.php) by Aaron Blankstein
  • New Webservices API based on the Atom Publishing Protocol by Ramnath R. Iyer

A big round of applause please for Aaron, Matt, and Ramnath for adding these great new features to Geeklog. And a big thanks to Google for running the Summer of Code program and making all this possible!

Geeklog 1.5.0 also brings support for OpenID and LDAP, subcategories in the Links plugin, support for XHTML, and more.

We also owe you information about some security issues in Geeklog that we haven't disclosed yet: All Geeklog versions prior to 1.5.0 are vulnerable to cross-site request forgery attacks. There are also some security issues in kses, the HTML filter we're using in Geeklog.

Geeklog vulnerable to CSRF

  • Sunday, June 15 2008 @ 09:59 am EDT
  • Contributed by:
  • Views: 19,471
Security

While tracking the security issues that have plagued other web applications, we have become aware that Geeklog is vulnerable to so-called Cross-Site Request Forgery (CSRF) attacks. In a nutshell, the idea is for an attacker to perform operations on a site with someone else's privileges. There are multiple possible attack vectors, including tricking you into clicking a link or embedding what looks like an image but is really a script.

Unfortunately, fixing these issues required a lot of changes in Geeklog's code and so we can't provide a simple security fix for earlier releases. The necessary infrastructure has been implemented in Geeklog 1.5.0, which we now consider safe from these attacks. Please note that many 3rd-party plugins are also affected and will also have to be updated.

For older Geeklog versions, here are a few recommendations to minimize the risks:

  • Log out of your Geeklog site once you're done instead of letting the session expire. You may also want to lower the length of time your session is valid (see the "Remember Me For" option in "My Account").
  • Don't visit other websites, especially unknown sites, while you're logged in to your Geeklog site. Alternatively, use two separate browsers, i.e. two different programs. Using separate browser windows or tabs will not help.
  • Consider using an account with a minimal amount of privileges and use a separate account with more privileges only when necessary. For example, you don't need to be a member of the Root group to publish stories; using a less privileged account for that minimizes the potential damage in the event of a successful CSRF attack on it.
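The "necessary infrastructure" mentioned above is what is usually called a synchronizer token: a secret value bound to the user's session that every state-changing request must carry, which a forged request from another site cannot supply. As an added illustration (not Geeklog's own code; the function names, the `csrf_token` field and the session key are assumptions), here is that pattern in PHP:

```php
<?php
// Added example of the synchronizer-token pattern that defeats CSRF.
// Illustrative code, not Geeklog's implementation; function names and
// the session key 'csrf_token' are assumptions.

session_start();

// Generate (once per session) and return the anti-CSRF token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token sent with a state-changing request against the one
// stored in the session. A request forged by another site cannot include
// it, because the attacker never sees the victim's session value.
// hash_equals() compares in constant time.
function csrf_check(array $request): bool
{
    $sent     = $request['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Form rendering: embed the token in every form that changes state.
function render_publish_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="submit.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="title">'
         . '<button type="submit">Publish</button></form>';
}

// Request handling: refuse any POST that lacks a valid token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the state-changing action here ...
}

echo render_publish_form();
```

The same check has to be applied by every plugin that handles its own forms, which is why the post notes that third-party plugins must be updated as well.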
