
Security

Geeklog 1.4.0sr3 and 1.3.11sr6

  • Sunday, May 28 2006 @ 11:15 am EDT
Security

The Security Science Researchers Institute Of Iran (KAPDA.ir) has reported the following security issues in Geeklog:
  1. Possible SQL injection and authentication bypass in auth.inc.php
  2. Possible XSS in getimage.php
  3. Path disclosure in getimage.php and the functions.php of some themes, e.g. the Professional theme

Additionally, an internal code review has revealed another possible SQL injection in the story submission.

We are therefore releasing Geeklog 1.4.0sr3 (complete tarball, upgrade archive) and Geeklog 1.3.11sr6 (upgrade archive, combo update) to address these issues and would suggest that you install these as soon as possible.


Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5

  • Sunday, March 05 2006 @ 03:33 pm EST
Security

Unfortunately, yet another Geeklog security issue has surfaced: Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. This bug exists in all Geeklog versions released since 2002.

To address this serious issue, we are releasing the following security updates and strongly suggest that you upgrade your site as soon as possible.

The 1.4.0sr2 update also strips HTML tags from the location entry in a user's profile (a problem that only existed in 1.4.0). The 1.3.9sr5 update also includes the fixes for the earlier security issues. While Geeklog 1.3.9 isn't officially supported any more, we're making an exception here because of the severity of the issues and since many people still seem to be using that version. Nevertheless, we'd suggest that you upgrade to 1.4.0 at your earliest convenience.

Geeklog 1.4.0sr1 and 1.3.11sr4

  • Sunday, February 19 2006 @ 03:30 pm EST
Security

James Bercegay of GulfTech Security Research reported several issues with Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary file access, and even injection and execution of arbitrary code. To fix those issues, we are releasing Geeklog 1.4.0sr1 and 1.3.11sr4 and strongly suggest that you install those updates as soon as possible.

For Geeklog 1.4.0, there's the complete 1.4.0sr1 tarball as well as an upgrade archive containing only the necessary changes over 1.4.0.

To upgrade from Geeklog 1.3.11sr3, use the 1.3.11sr4 upgrade archive. If you're running on an older 1.3.11 release, you will have to install the previous updates first. You can, of course, always choose to update to 1.4.0sr1 directly, following the usual upgrade instructions.

Upgrading to 1.4.0sr1 is also what we suggest to anyone using a Geeklog version older than 1.3.11, as the reported issues also affect all earlier versions.
