
Security

Geeklog 1.3.11

  • Friday, December 31 2004 @ 12:43 pm EST
  • Views: 19,338
Security

Geeklog 1.3.11 is both a bugfix and a security update over Geeklog 1.3.10. It fixes the following security issues:
  1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong). These stories still ended up in the submission queue, though, unless you disabled it in config.php.
  2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.
  3. The links for the What's Related block were created from the unfiltered story text, opening the possibility of XSS attacks (reported by Vincent Furia).

This update is strongly recommended for all users of Geeklog 1.3.10 since, in addition to the above security issues, it also fixes quite a few bugs in 1.3.10. Geeklog 1.3.11 is also meant as a replacement for 1.3.10, i.e. there will be no further development for 1.3.10.

Installation instructions follow ...

Geeklog 1.3.9sr3

  • Friday, December 31 2004 @ 12:40 pm EST
  • Views: 9,471
Security

Geeklog 1.3.9sr3 fixes the following security issues in Geeklog 1.3.9sr2:
  1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong). These stories still ended up in the submission queue, though, unless you disabled it in config.php.
  2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.

The upgrade archive contains only one file (submit.php), so this should be easy to install.

If you're on an older version of Geeklog, we recommend you upgrade to Geeklog 1.3.11 instead.

Offtopic: phpBB worm in the wild

  • Wednesday, December 22 2004 @ 04:00 am EST
  • Views: 34,237
Security

This isn't exactly Geeklog-related, but since quite a few sites seem to be running phpBB (with or without the phpBBBridge), I'd like to point out that there's a worm going around at the moment that exploits a bug in phpBB versions 2.0.10 and earlier.

This seems to be the first time (at least that I'm aware of) that an automatic exploit for a web application is in the wild. The worm uses Google to search for phpBB boards, infects them, and then continues to spread from there. Infected sites show a red text "NeverEverNoSanity WebWorm Generation" (followed by a number) on a black background. More information about the worm can be found in the usual places, e.g. Bugtraq.

So to all phpBB users out there: Upgrade to phpBB 2.0.11 ASAP.

Update: According to F-Secure, Google is now blocking the requests of the worm (dubbed "Santy"), which should stop it for now (until a new worm comes along that uses another search engine ...). It's still strongly recommended to update phpBB, of course.
