Geeklog Documentation

Changes

This document is intended to give a quick overview over the most important and / or obvious changes. For a detailed list of changes, please consult the ChangeLog. The file docs/changed-files has a list of files that have been changed since the last release.

Geeklog 1.3.11

Geeklog 1.3.11 is a bugfix and security release over Geeklog 1.3.10 and is meant to replace 1.3.10. The change in the version number was necessary since one of the bugfixes involves a change in the database.

Security issues

  1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong).
    These stories still ended up in the submission queue, though, unless you disabled it in config.php.
  2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.
  3. The links for the What's Related block were created from the unfiltered story text, opening the possibility of XSS attacks (reported by Vincent Furia).

Bugfixes

We strongly advise users of Geeklog 1.3.10 to upgrade to 1.3.11 ASAP. Upgrading should be relatively painless, as there weren't any changes in the themes, language files, or config.php over 1.3.10.

Geeklog 1.3.10

New Default Theme

This release comes with a new default theme: We've chosen the Professional theme, kindly provided by Victor B. Gonzalez (of Aeonserv fame). The theme has been modified slightly and is now fully HTML 4.01 and CSS compliant.

We've also decided to remove the old set of themes (Classic, Clean, Digital Monchrome, Gameserver, Smooth Blue, XSilver, Yahoo) from the distribution. They are now available as a separate tarball.

New Features

Other Improvements

Comments

Security-related fixes

Note: All of the following bugs were problems with Geeklog's permissions system and fall into the "information leakage" category, i.e. under certain circumstances, site content was visible to persons who shouldn't be able to see it. None of these bugs were exploitable in the sense that they could be used to gain privileges or cause damage to Geeklog or the environment it's running in.

Other bugfixes

Please note that there have also been theme changes, some of which are important to make the new features work (e.g. the editable story IDs and the story archive options)!

This release contains various improvements provided by the Geeklog community (see the docs/history file for proper credits). Thank you!

Geeklog 1.3.9sr3

This release addresses the following security issues:

  1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong).
    These stories still ended up in the submission queue, though, unless you disabled it in config.php.
  2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.

Geeklog 1.3.9sr2

This release addresses the following security issues:

  1. Fixed a cross site scripting vulnerability caused by using the variable $topic in the language files (bug #293).
  2. Prevent comment posts on stories or polls were comment posting has been disabled.

Other fixes

Geeklog 1.3.9sr1

This release addresses the following security issues:

  1. It was possible to post anonymous comments, even when anonymous comment posting had been switched off in config.php.
    This bug was apparently exploited by spammers to send hundreds of spam posts to certain Geeklog sites.
  2. Added additional speed limit checks for comments and submissions.
  3. If none of the topics were visible for anonymous users, the site's index page may still have displayed some stories for anonymous users, depending on the stories' permissions.
  4. Users still got Daily Digest emails for topics from which they had been removed (bug #178).
  5. It was possible to subscribe to the Daily Digest for all topics, even if the user did not have access to certain topics.
  6. Comments to stories were sometimes listed in a user's profile, even if the user viewing the profile didn't have permissions to access the story the comments belonged to.

Other fixes

Geeklog 1.3.9

New Features

Please see the themes documentation for a complete list of theme changes.

Also included is the Static Pages plugin 1.4, which now has, among other improvements, a second option to include PHP in static pages without having to use the PHP return statement.

Bugfixes

There have also been a lot of changes to improve security, especially against SQL injections.

Geeklog 1.3.8-1sr6

This release addresses the following security issues:

  1. Fixed a cross site scripting vulnerability caused by using the variable $topic in the language files (bug #293).
  2. Prevent comment posts on stories or polls were comment posting has been disabled.

Geeklog 1.3.8-1sr5

This release addresses the following security issue:

  1. It was possible to post anonymous comments, even when anonymous comment posting had been switched off in config.php.
    This bug was apparently exploited by spammers to send hundreds of spam posts to certain Geeklog sites.

Geeklog 1.3.8-1sr4

This release addresses the following security issues:

  1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
  2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
  3. It was possible to delete other people's personal events if you knew the event ID.
  4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
  5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
  6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
  7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
  8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

Geeklog 1.3.8-1sr3

This release addresses the following security-related issues:

  1. As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
  2. Vincent Furia found that the restrictions for the form to email users could be circumvented and could even be used to spam users. In addition to fixing theses issues, there is now also a speed limit on that form (defaults to the speed limit for story submissions).
  3. There was a way to post comments anonymously even when posting for anonymous users had been disabled.
  4. It was possible to post comments under someone else's username.

Geeklog 1.3.8-1sr2

Jouko Pynnonen found a way to trick the new "forgot password" feature, introduced in 1.3.8, into letting an attacker change the password for any account. This release addresses this issue - there were no other changes.

Obviously, we strongly recommend to upgrade as soon as possible.

Geeklog 1.3.8-1sr1

The purpose of this release is to address some of the security issues reported in September and early October 2003. We strongly recommend upgrading to this version.

Security issues

  1. By including Ulf Harnhammar's kses HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.
  2. Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This will avoid disclosing any sensitive information as part of the error message (which is so far the only problem we have found with the alleged SQL injection issues that have been reported).

Please note that at the moment we do not recommend to use Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL 4.1.

Other fixes

Geeklog 1.3.8-1

Geeklog 1.3.8-1 is a bugfix release over Geeklog 1.3.8. It contains a variety of (mostly minor) bugfixes. None of those fixes are security-related.

Bugfixes

The full 1.3.8-1 tarball also includes new and updated language files (see the Changelog for details).

Geeklog 1.3.8

New Features

Geeklog 1.3.8 Includes the Static Pages 1.3 plugin which replaces both the Static Pages 1.1 and 1.2 plugins. See the Static Pages documentation for details.

Bugfixes

Geeklog 1.3.7sr5

This release addresses the following security issues:

  1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
  2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
  3. It was possible to delete other people's personal events if you knew the event ID.
  4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
  5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
  6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
  7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
  8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

Geeklog 1.3.7sr4

This release addresses the following security-related issues:

  1. As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
  2. Vincent Furia found that the restrictions for the form to email users could be circumvented and could even be used to spam users.
  3. There was a way to post comments anonymously even when posting for anonymous users had been disabled.
  4. It was possible to post comments under someone else's username.

Geeklog 1.3.7sr3

The purpose of this release is to address some of the security issues reported in September and early October 2003. If you don't plan to upgrade to the latest version of Geeklog (1.3.8-1sr1, at the time of this writing), we strongly suggest you upgrade to at least 1.3.7sr3 instead.

Security issues

  1. By including Ulf Harnhammar's kses HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.
  2. Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This will avoid disclosing any sensitive information as part of the error message (which is so far the only problem we have found with the alleged SQL injection issues that have been reported).

Please note that at the moment we do not recommend to use Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL 4.1.

Geeklog 1.3.7sr2

Security issues

The purpose of this release is to fix the following security issues. All users are strongly encouraged to upgrade to this version ASAP.

  1. It was possible to obtain valid session ids for every account on a Geeklog site, including the Admin account (reported by SCAN Associates).
  2. Using Internet Explorer, it was possible to upload an image with embedded PHP code and execute it (reported by SCAN Associates).
  3. Story permissions could override topic permissions, resulting in the display of stories to users who shouldn't have access to them (reported by Andrew Lawlor). This was already fixed with the new index.php, released 2003-05-15.
  4. Added a warning in config.php that adding any of the following tags to the list of allowable HTML can make the site vulnerable to scripting attacks:
    <img> <span> <marquee> <script> <embed> <object> <iframe>
    (pointed out by Joat Dede).

This update also includes fixes for the notorious "permission denied" error messages that some users would get in the Admin area (e.g. when trying to save a story and being "only" a user with Story Admin permissions).

The full 1.3.7sr2 tarball also includes various new and updated language files (see the Changelog for details).

Geeklog 1.3.7sr1

Security issues

The main purpose of this release is to fix the following security issues. All users are strongly recommended to upgrade to this version.

  1. Javascript code could be injected in the homepage field of a user's profile (reported by Jin Yean Tan).
  2. Javascript code could be injected in certain URLs to be used in a cross-site scripting attack (reported by Jin Yean Tan).
  3. Comments could be deleted by anybody if they knew the comment id (which is not normally visible).
  4. A StoryAdmin could manipulate stories even if s/he did not have access to them (e.g. when s/he was not a member of a certain group). The same applied to Admins for events, links, polls, topics, and blocks (reported by Kobaz).

Other Bugfixes

Documentation and hard-coded links (version check, link to Geeklog in a site's footer) have been updated to point to www.geeklog.net.

Geeklog 1.3.7

New Features

Bugfixes

Contributors: Blaine Lang, Vincent Furia, and Kenn Osborne have contributed to this release. Thank you!

Speeding up Geeklog (a bit)

If you're upgrading from 1.3.6 or older versions, you may want to run the script called addindex.php that you will find in the install directory. This script adds index fields to some of Geeklog's database tables which should improve overall access times a bit.

This has been implemented as a separate script (and not as part of the upgrade process of the install script) since it may take some time to run, depending on how many users / stories / etc. you have in your database. Some people may even run into timeouts, e.g. when their hosting service limits the execution time of PHP scripts. If that happens to you - Don't Panic. Simply run the script again (and again and ...) until it reports that it didn't add any fields to any tables.

Please note that you do not need to run this script if you're doing a fresh install of Geeklog 1.3.7. A database created during a fresh install already has the new index fields.

Geeklog 1.3.6

New Features

Bugfixes

Notes

Contributors: Gene Wood, Blaine Lang, Tom Willet, and Roger Webster have contributed to this release. Thank you!