
Security

Geeklog 1.3.11sr3

  • Sunday, December 18 2005 @ 10:30 am EST
Security

Geeklog 1.3.11sr3 addresses two security issues as well as a few bugs:

  • It was possible to submit comments even if you didn't have read permissions for the story or the topic, provided you knew the story's ID (reported by LWC).
  • When tampering with the dates in a search, Geeklog produced a warning message that disclosed the path in which Geeklog was installed on the server (reported by r0t3d3Vil). It was not possible to use this for SQL injection.

The most notable bugfix in this release addresses the problems editing static pages when 'url_rewrite' was enabled (that bug was only introduced in 1.3.11sr2).

As usual, we provide both a complete 1.3.11sr3 tarball as well as an upgrade over 1.3.11sr2 (please see the included installation instructions).

Note: Both issues also exist in Geeklog 1.4.0b1 but have since been fixed in CVS. We will be releasing 1.4.0rc1 in a couple of days. In the meantime, you can get the nightly tarball if you want to update your 1.4.0b1 install now.

Geeklog 1.3.11sr2

  • Sunday, October 09 2005 @ 04:55 am EDT
Security

Since the development of Geeklog 1.3.12 is taking much longer than anticipated, we thought we'd make some of the security enhancements and improved spam protection we developed for 1.3.12 available to users of Geeklog 1.3.11. We also threw in a few bugfixes.

  • Added a login speed limit, kicking in after 3 failed login attempts (configurable in config.php).
  • Filter linefeeds from the To:, From:, and Subject: fields of any email sent through COM_mail.
  • Checks for spam are now done for comments, story, link, and event submissions, the message sent with the "email story to a friend" option, and for the contents of the user profile.
  • Spammers get a 403 HTTP response code now and have to wait for the submission speed limit to expire.
  • Spam-X plugin 1.0.2 included (with the default URL for MT-Blacklist changed to geeklog.net, due to MT-Blacklist being discontinued).
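The linefeed filter mentioned above is the standard defence against mail header injection: a CR or LF inside a single-line field such as To:, From:, or Subject: would otherwise end that header and start a new one. The following is an added illustration written for this page, not Geeklog's COM_mail; the builder functions, the field names and the sample subject are constructed for the demonstration.

```python
import re

# CR and LF end a header line in an RFC 5322 message, so a form value that
# contains them turns one field into several header lines.
_LINE_BREAKS = re.compile(r"[\r\n]+")


def sanitize_header_value(value: str) -> str:
    """Collapse every CR/LF run in a single-line header value to one space."""
    return _LINE_BREAKS.sub(" ", value).strip()


def build_headers_unfiltered(to: str, sender: str, subject: str) -> str:
    """Header block built the way a naive mailer would: values used verbatim."""
    return "\r\n".join([f"To: {to}", f"From: {sender}", f"Subject: {subject}"])


def build_headers_filtered(to: str, sender: str, subject: str) -> str:
    """Header block with the linefeed filter applied to every user-supplied field."""
    return build_headers_unfiltered(
        sanitize_header_value(to),
        sanitize_header_value(sender),
        sanitize_header_value(subject),
    )


def header_field_names(header_block: str) -> list[str]:
    """Names of the header fields actually present in a header block."""
    return [line.split(":", 1)[0] for line in header_block.split("\r\n") if line]


# Constructed sample: a subject value carrying an embedded line break, which
# the unfiltered builder would emit as an additional header field.
SAMPLE_SUBJECT = "Check this story\r\nX-Constructed-Extra: not intended"

if __name__ == "__main__":
    for builder in (build_headers_unfiltered, build_headers_filtered):
        block = builder("reader@example.com", "site@example.com", SAMPLE_SUBJECT)
        print(builder.__name__, header_field_names(block))
```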

Bugfixes include a fix for a problem with PHP 5.0.5, better handling of special characters in email addresses, a fix for the staticpage: autotag throwing an SQL error, updated kses filter, and a few more.

See the list of changes for more information.

As usual, we provide an upgrade from 1.3.11sr1 and a complete 1.3.11sr2 tarball.

Geeklog 1.3.11sr1 and 1.3.9sr4

  • Sunday, July 03 2005 @ 04:11 pm EDT
Security

Stefan Esser has found an SQL injection vulnerability in Geeklog that can, under certain circumstances, be used to extract sensitive user data such as a user's password hash. We are therefore releasing security updates to address this issue and would advise you to upgrade ASAP.

There are upgrade archives available to upgrade from Geeklog 1.3.11 and Geeklog 1.3.9sr3, as well as a complete tarball for Geeklog 1.3.11sr1 (for new installations).

Users of Geeklog 1.3.10 please read on ...
