
News

New Gallery/Geeklog Integration

  • Thursday, October 02 2003 @ 07:38 pm EDT
  • Views: 14,362
Announcements

A new integration has been released for Gallery 1.4-pl1 and Geeklog 1.3.8.

The major change in this release of the integration is a new installation method. The integration file contains a complete gallery install modified for Geeklog. Just follow the install or upgrade directions for gallery (including completing two new configuration options), and the install is complete. No hacking of php files required.

Download (direct link) the file from GPlugs now.

*Note: the file was accidentally named gallery_1.3.4-pl1_1.3.8.tar.gz; it does actually contain the Gallery 1.4-pl1 release, though.

Link Referer Plugin

  • Wednesday, October 01 2003 @ 04:27 am EDT
  • Views: 13,140
Announcements

I've just re-written a module I wrote for PHP-Nuke for Geeklog 1.3.8 or better. The plugin is an alternative/complementary links system, revolving around the standard 88x31 button links that so many sites use.

The plugin allows users to submit their site for a link on your site, with a button link provided. On link submission, a link back is generated (or a set of them if you have multiple buttons). The plugin then displays all button links in a nice page, and provides a phpblock function to allow you to list top referers, top visited sites, a fixed selection of links or random links, or any combination of them. Full admin and stats integration.

You can see it working here, and download it here or on SF.net.

Current Security Issues (Sept 2003)

  • Monday, September 29 2003 @ 04:19 pm EDT
  • Views: 20,235
Security

I'm sure by now many of you have heard of the Geeklog security issues that have been posted on lists such as Full Disclosure and Bugtraq.

One of the issues mentioned in that post regards the injection of HTML in the Shoutbox and can easily be addressed, as explained in the story "Fix your Shoutbox!".

The more scary bits, however, are those of the acclaimed SQL injection. Three members of the Geeklog development team have now been trying to reproduce these issues - and failed. That's not to say that the issues do not exist, but it seems they are a lot harder to exploit than the post claims. Even the person reporting the issues couldn't (or wouldn't) produce a working example.

So, we are still looking into it and will come up with a solution to filter these injections, just in case, eventually. In the meantime, it looks like this issue is not as dramatic as it first seemed.

We would also like to point out that the person who published that report didn't contact us before doing so. It could have avoided a lot of confusion and even misinformation (the post even claims to have found the problem in a 2.x version of Geeklog that doesn't exist yet). This is certainly not a very professional way to handle security issues. Regardless, we are taking the claims seriously and we are looking into the matter as we speak.
