
Security

Security Flaw in Geeklog/Gallery Plugin

  • Tuesday, December 09 2003 @ 10:48 pm EST
Those of you Geeklog users who use the Geeklog/Gallery plugin are being advised of a security issue that arises as a result of PHP's register_globals being on. As we explain here, we do require register_globals to be on, but Geeklog manages this securely. However, the Geeklog/Gallery plugin does not. To be 100% clear, this advisory does not affect Geeklog sites which do not use the Gallery plugin.

For those of you using the Geeklog Gallery plugin, you should comment out all references to $GEEKLOG_DIR in the plugin. Instances of this can be found in:

Geeklog 1.3.8-1sr3 and 1.3.7sr4 security updates

  • Saturday, December 06 2003 @ 02:00 pm EST
These updates fix a few minor security-related issues:
  1. As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
  2. Vincent Furia found that the restrictions for the form to email users could be circumvented and could even be used to spam users.
    On 1.3.8-1sr3, there is now also a speed limit when sending emails to users.
  3. There was a way to post comments anonymously even when posting for anonymous users had been disabled.
  4. It was possible to post comments under someone else's username.

As usual, there's an upgrade and complete tarball for 1.3.8-1sr3. The 1.3.7sr4 upgrade is only available as an upgrade tarball and requires 1.3.7sr3.

* sigh * Comment posting was so secure now that it didn't let you post any comments at all. The problem has been fixed and the tarballs have been updated. Please replace comment.php (if you've downloaded the full tarball, you only need the upgrade tarball now). Sorry about that.

Geeklog Security

  • Wednesday, October 29 2003 @ 04:29 pm EST
The Geeklog Development Team has created a new page devoted to security issues related to our product. This new page is our attempt to show all of you in the community the importance we put on security, to discuss how we handle security issues and to give you a single place to get a feel for how secure Geeklog really is. If there is something that you all feel is missing, or more detail you would like, please provide us with some suggestions.
