
News

Fighting Trackback spam

  • Sunday, June 04 2006 @ 04:40 am EDT
  • Views: 53,263
Spam

We're probably not the only ones seeing a sharp increase in the amount of Trackback spam over the last couple of weeks. Trackbacks are a new feature in Geeklog 1.4.0 and we're still learning ...

So here's a first result of that learning process: A new version of the lib-trackback.php for Geeklog 1.4.0 that contains a few improvements to better fight Trackback spam:

  • a separate speedlimit setting for Trackbacks
  • stricter handling of the speedlimit for Trackbacks
  • can optionally check if the site that sent the Trackback actually contains a link to your site
  • option to log rejected Trackbacks

Geeklog 1.4.0sr3 and 1.3.11sr6

  • Sunday, May 28 2006 @ 11:15 am EDT
  • Views: 16,795
Security

The Security Science Researchers Institute Of Iran (KAPDA.ir) has reported the following security issues in Geeklog:
  1. Possible SQL injection and authentication bypass in auth.inc.php
  2. Possible XSS in getimage.php
  3. Path disclosure in getimage.php and the functions.php of some themes, e.g. the Professional theme

Additionally, an internal code review has revealed another possible SQL injection in the story submission.

We are therefore releasing Geeklog 1.4.0sr3 (complete tarball, upgrade archive) and Geeklog 1.3.11sr6 (upgrade archive, combo update) to address these issues and would suggest that you install these as soon as possible.

Read on for more information ...

Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5

  • Sunday, March 05 2006 @ 03:33 pm EST
  • Views: 28,282
Security

Unfortunately, yet another Geeklog security issue has surfaced: Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. This bug exists in all Geeklog versions released since 2002.

To address this serious issue, we are releasing the following security updates and strongly suggest that you upgrade your site as soon as possible.

The 1.4.0sr2 update also strips HTML tags from the location entry in a user's profile (a problem that only existed in 1.4.0). The 1.3.9sr5 update also includes the fixes for the earlier security issues. While Geeklog 1.3.9 isn't officially supported any more, we're making an exception here because of the severity of the issues and since many people still seem to be using that version. Nevertheless, we'd suggest that you upgrade to 1.4.0 at your earliest convenience.
