Welcome to Geeklog, Anonymous Wednesday, December 25 2024 @ 02:26 am EST

Security

CAPTCHA v2.1.2 Released

  • Thursday, May 24 2007 @ 11:22 am EDT
  • Contributed by:
  • Views: 7,927
Security

CAPTCHA v2.1.2 has been released to address a security vulnerability I discovered in the code this morning. All CAPTCHA users are encouraged to upgrade as soon as possible. The upgrade process is very straight forward, simply copy over the new source files, then go into your Plugin Manager and select Update for the CAPTCHA plugin.

There is one other small tweak, if the session start fails, it will do so silently, no longer causing scripts to stop. This should resolve any issues with the emailgeeklogstories cron script.

Security Vulnerability in Media Gallery v1.4x

  • Tuesday, May 15 2007 @ 09:53 am EDT
  • Contributed by:
  • Views: 8,458
Security A security vulnerability has been identified in Media Gallery affecting all of the v1.4 releases. This vulnerability could allow properly crafted URLs to load files onto your web server and potentially overwrite existing files. Media Gallery v1.4.8b has been released to address this vulnerability and should be upgraded immediately! My thanks to Max for reporting this issue this morning and providing the relevant site logs to validate the vulnerability.

If you do not want to upgrade to the latest version of Media Gallery, you should apply the following patch:

Edit mediagallery/maint/ftpmedia.php

Near the top, immediately before the following line:

require_once($_MG_CONF['path_html'] . 'lib-batch.php');

Add the following code:

// this file can't be used on its own
if (strpos ($_SERVER['PHP_SELF'], 'ftpmedia.php') !== false)
{
    die ('This file can not be used on its own.');
}

Save ftpmedia.php. This should resolve the issue.

For more information on other enhancements and fixes to Media Gallery v1.4.8b, please see www.gllabs.org.

Thanks!
Mark

Geeklog 1.4.0sr5 and 1.3.11sr7

  • Sunday, July 16 2006 @ 12:00 pm EDT
  • Contributed by:
  • Views: 25,153
Security

JPCERT/CC informed us about a possible XSS in the comment handling that we're fixing with the following releases:

Upgrades should be straightforward as you'll only have to replace one file (lib-comment.php for Geeklog 1.4.0 and comment.php for Geeklog 1.3.11).

Page navigation