[geeklog-jp commit] r1399 - Applied the geeklog-1.5.2sr2 security fix.


codes****@googl*****
Sun Apr 5 2009 10:35:19 JST


Author: ivysoho
Date: Sat Apr  4 18:23:45 2009
New Revision: 1399

Modified:
    trunk/geeklog-1-jp/CHANGES.jp
    trunk/geeklog-1-jp/public_html/admin/install/index.php
    trunk/geeklog-1-jp/public_html/docs/changed-files
    trunk/geeklog-1-jp/public_html/docs/changes.html
    trunk/geeklog-1-jp/public_html/docs/history
    trunk/geeklog-1-jp/public_html/docs/history.html
    trunk/geeklog-1-jp/public_html/siteconfig.php
    trunk/geeklog-1-jp/system/lib-sessions.php

Log:
Applied the geeklog-1.5.2sr2 security fix.
(http://www.geeklog.net/article.php/geeklog-1.5.2sr2)


Modified: trunk/geeklog-1-jp/CHANGES.jp
==============================================================================
--- trunk/geeklog-1-jp/CHANGES.jp	(original)
+++ trunk/geeklog-1-jp/CHANGES.jp	Sat Apr  4 18:23:45 2009
@@ -1,5 +1,10 @@
  $Id$

+2009-04-05  Tetsuko Komma  <ivysoho>
+
+	* geeklog-1.5.2sr2のセキュリティ修正を行いました。
+	  (http://www.geeklog.net/article.php/geeklog-1.5.2sr2)
+
  2009-04-04  Takahiro Kambe  <tacahi>

  	* geeklog-1.5.2sr1-jp-1.0をリリースします。

Modified: trunk/geeklog-1-jp/public_html/admin/install/index.php
==============================================================================
--- trunk/geeklog-1-jp/public_html/admin/install/index.php	(original)
+++ trunk/geeklog-1-jp/public_html/admin/install/index.php	Sat Apr  4  
18:23:45 2009
@@ -48,7 +48,7 @@
      define("LB", "\n");
  }
  if (!defined('VERSION')) {
-    define('VERSION', '1.5.2sr1');
+    define('VERSION', '1.5.2sr2');
  }
  if (!defined('XHTML')) {
      define('XHTML', ' /');

Modified: trunk/geeklog-1-jp/public_html/docs/changed-files
==============================================================================
--- trunk/geeklog-1-jp/public_html/docs/changed-files	(original)
+++ trunk/geeklog-1-jp/public_html/docs/changed-files	Sat Apr  4 18:23:45  
2009
@@ -1,6 +1,6 @@
-geeklog-1.5.2sr1/public_html/admin/install/index.php
-geeklog-1.5.2sr1/public_html/docs/changed-files
-geeklog-1.5.2sr1/public_html/docs/changes.html
-geeklog-1.5.2sr1/public_html/docs/history
-geeklog-1.5.2sr1/public_html/siteconfig.php
-geeklog-1.5.2sr1/system/lib-admin.php
+geeklog-1.5.2sr2/public_html/admin/install/index.php
+geeklog-1.5.2sr2/public_html/docs/changed-files
+geeklog-1.5.2sr2/public_html/docs/changes.html
+geeklog-1.5.2sr2/public_html/docs/history
+geeklog-1.5.2sr2/public_html/siteconfig.php
+geeklog-1.5.2sr2/system/lib-sessions.php

Modified: trunk/geeklog-1-jp/public_html/docs/changes.html
==============================================================================
--- trunk/geeklog-1-jp/public_html/docs/changes.html	(original)
+++ trunk/geeklog-1-jp/public_html/docs/changes.html	Sat Apr  4 18:23:45  
2009
@@ -16,6 +16,13 @@
  <p>このドキュメントでは最も重要な変更点や目につく変更点を簡潔に説明していま 
す。変更点の詳細なリストは、
  <a href="history">ChangeLog</a>をご覧ください。 
<tt>docs/changed-files</tt>には、前回リリース以来変更されたファイルの一覧が 
あります。</p>

+
+<h2><a name="changes152sr2">Geeklog 1.5.2sr2</a></h2>
+
+<p>Bookoo of the Nine Situations グループがglFusionに対してSQLインジェクシ 
ョンがあると報告しました。
+それはGeeklogにおいても同様です。この問題は,アタッカーがどのアカウントに対 
してもパスワードハッシュを行うもので,このバージョンで修正されました。.</p>
+
+
  <h2><a name="changes152sr1">Geeklog 1.5.2sr1</a></h2>

  Fernando Muñoz は,管理者用クエリフォームにおいて<a  
href="http://en.wikipedia.org/wiki/XSS" title="Click to look up 'XSS' on  
Wikipedia" style="text-decoration: none; color: black; border-bottom: 1px  
dotted black;">XSS</a>の問題を報告し,このリリースでフィックスしました。
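Review bot: the added Japanese paragraph says the attacker could "perform a password hash" on any account (パスワードハッシュを行う), which does not match the English entry in docs/history, where the attacker can extract the password hash for any account. Reword it so it says the hash can be retrieved (for example パスワードハッシュを取得できる), and drop the stray "." that follows "。" before the closing </p>.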

Modified: trunk/geeklog-1-jp/public_html/docs/history
==============================================================================
--- trunk/geeklog-1-jp/public_html/docs/history	(original)
+++ trunk/geeklog-1-jp/public_html/docs/history	Sat Apr  4 18:23:45 2009
@@ -1,5 +1,15 @@
  Geeklog History/Changes:

+Apr 4, 2009 (1.5.2sr2)
+-----------
+
+This release addresses the following security issue:
+
+Bookoo of the Nine Situations Group posted an SQL injection exploit for  
glFusion
+that also works with Geeklog. This issue allowed an attacker to extract the
+password hash for any account and is fixed with this release.
+
+
  Mar 30, 2009 (1.5.2sr1)
  ------------

@@ -22,7 +32,7 @@
    [Dirk]
  - Display a message when sending the email for a new password failed [Dirk]

-- Updated Estonian language file for the Calendar plugin, provided by  
Artur R�pp
+- Updated Estonian language file for the Calendar plugin, provided by  
Artur R舊p
  - Updated Japanese language file, provided by the Geeklog.jp group

  Static Pages plugin
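Review bot: the only change in this hunk is to the non-ASCII character in the contributor's name on the Estonian language file line ("R�pp" becomes "R舊p"), and the same kind of rewrite repeats in the later hunks of this file for "Wollschl�ger". That looks like a side effect of saving the file in a different character encoding rather than part of the security fix, and it leaves the names unreadable. Restore the original bytes of these lines (or convert the file consistently to one encoding in a separate commit) so that this revision carries only the 1.5.2sr2 entry.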
@@ -167,7 +177,7 @@
    set name was written in uppercase (bug #0000731) [Dirk]

  - Updated Hebrew language files, provided by LWC
-- Updated Estonian language files, provided by Artur R�pp
+- Updated Estonian language files, provided by Artur R舊p
  - Updated Japanese language files, provided by the Geeklog.jp group
  - Updated Slovenian language files, provided by gape

@@ -327,12 +337,12 @@
    when doing a database upgrade or re-running the install (reported by Mark
    Evans) [Dirk]
  - Links plugin: The word "Root" wasn't taken from the language file for  
the page
-  title of the public list of links (reported by Markus Wollschl�ger)  
[Dirk]
+  title of the public list of links (reported by Markus Wollschl臠er)  
[Dirk]
  - Fixed remaining places where the Admin panels had inconsistent layouts:
    Calendar list of events, Polls editor (bug #0000650) [Dirk]

  - Updated Hebrew language file, provided by LWC
-- Updated German language files, provided by Markus Wollschl�ger
+- Updated German language files, provided by Markus Wollschl臠er
  - Some Korean language files had a mixture of CR/LF and LF as line  
separators
    (bug #0000655) [Dirk]

@@ -373,7 +383,7 @@
  - Fixed problems with the text direction in the install script (reported  
by LWC)
    [Dirk]

-- Updated Estonian language files, provided by Artur R�pp
+- Updated Estonian language files, provided by Artur R舊p
  - Updated Hebrew language files, provided by LWC
  - Updated Japanese language files, provided by Takahiro Kambe, Tetsuko  
Komma,
    and the Geeklog.jp group
@@ -401,7 +411,7 @@
    future use (cf. bug #0000635) [Dirk]

  - Updated Chinese language files, provided by Samuel M. Stone
-- Updated Estonian language files, provided by Artur R�pp
+- Updated Estonian language files, provided by Artur R舊p
  - Updated Slovenian language file, provided by gape

  Calendar plugin
@@ -436,7 +446,7 @@
  - The URL sent in a user registration notification contained an &amp;  
where it
    should have been a simple & [Dirk]

-- Updated German language files, provided by Markus Wollschl�ger
+- Updated German language files, provided by Markus Wollschl臠er

  Links plugin
  ------------
@@ -459,7 +469,7 @@
    centerblock.thtml template file and defined the {lastupdate} and {hits}
    variables there (bug #0000628) [Dirk]
  - Removed an extra } from the Static Pages staticpage.thtml template file
-  (reported by Markus Wollschl�ger) [Dirk]
+  (reported by Markus Wollschl臠er) [Dirk]



@@ -475,7 +485,7 @@
  - Emails sent from Geeklog now have an X-Originating-IP header to help  
track
    spam or abuse [Dirk]
  - The topic editor allowed you to enter topic IDs with more than 20  
characters
-  (reported by Markus Wollschl�ger) [Dirk]
+  (reported by Markus Wollschl臠er) [Dirk]
  - Ease restriction that email addresses have to be unique: Remote accounts  
can
    have non-unique addresses, on-site accounts can't [Dirk]
  - Bug: Email user form doesn't display correctly with " in subject when  
sending
@@ -501,7 +511,7 @@
    (patches provided by dengen from geeklog.jp)
  - Added batch admin feature to send out account reminders [Blaine]
  - Hide "Create Account" link in the story submission form when new account
-  registration has been disabled (reported by Markus Wollschl�ger) [Dirk]
+  registration has been disabled (reported by Markus Wollschl臠er) [Dirk]
  - Updated COM_startBlock to set a unique {blockid} template variable  
[Blaine]
  - Fixed checking of "Show Admin lists" in Group Admin when going to 2nd  
page of
    results [Oliver]
@@ -686,7 +696,7 @@
  - In lists created from the Links and Calendar plugins,  
use "links-new-plugin"
    as the CSS class name [Oliver]

-- Updated Estonian language file, provided by Artur R�pp
+- Updated Estonian language file, provided by Artur R舊p
  - Updated Russian language file, provided by Alexander Yurchenko
  - New Russian language file for the Calendar plugin, provided by Alexander
    Yurchenko
@@ -842,7 +852,7 @@
    display when a user doesn't have a userphoto [Dirk]

  - New Estonian language files for Geeklog and most of the plugins, provided
-  by Artur R�pp
+  by Artur R舊p
  - Updated Hebrew language file, provided by LWC
  - Updated Japanese language files for Geeklog and all the plugins, provided
    by the Geeklog Japanese group

Modified: trunk/geeklog-1-jp/public_html/docs/history.html
==============================================================================
--- trunk/geeklog-1-jp/public_html/docs/history.html	(original)
+++ trunk/geeklog-1-jp/public_html/docs/history.html	Sat Apr  4 18:23:45  
2009
@@ -12,6 +12,17 @@
  <body>
  <h1>Geeklog History/Changes:</h1>

+
+<h2>Apr 4, 2009 (1.5.2sr2)</h2>
+
+<ul>
+  <li>This release addresses the following security issue:</li>
+  <li>Bookoo of the Nine Situations Group posted an SQL injection exploit  
for glFusion
+that also works with Geeklog. This issue allowed an attacker to extract the
+password hash for any account and is fixed with this release.</li>
+</ul>
+
+
  <h2>Mar 30, 2009 (1.5.2sr1)</h2>

  <ul>
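Review bot: in the added <ul>, the first <li> ("This release addresses the following security issue:") is an introductory sentence, not a list item. Move it into a <p> before the list so the list contains only the issue description, which also keeps it in line with the plain-text docs/history entry where that sentence introduces the paragraph.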

Modified: trunk/geeklog-1-jp/public_html/siteconfig.php
==============================================================================
--- trunk/geeklog-1-jp/public_html/siteconfig.php	(original)
+++ trunk/geeklog-1-jp/public_html/siteconfig.php	Sat Apr  4 18:23:45 2009
@@ -38,7 +38,7 @@
    define('LB',"\n");
  }
  if (!defined('VERSION')) {
-  define('VERSION', '1.5.2sr1');
+  define('VERSION', '1.5.2sr2');
  }

  ?>

Modified: trunk/geeklog-1-jp/system/lib-sessions.php
==============================================================================
--- trunk/geeklog-1-jp/system/lib-sessions.php	(original)
+++ trunk/geeklog-1-jp/system/lib-sessions.php	Sat Apr  4 18:23:45 2009
@@ -8,7 +8,7 @@
  //  
|                                                                            
|
  // | Geeklog session  
library.                                                  |
  //  
+---------------------------------------------------------------------------+
-// | Copyright (C) 2000-2008 by the following  
authors:                         |
+// | Copyright (C) 2000-2009 by the following  
authors:                         |
  //  
|                                                                            
|
  // | Authors: Tony Bibbs       - tony AT tonybibbs DOT  
com                     |
  // |          Mark Limburg     - mlimburg AT users DOT sourceforge DOT  
net     |
@@ -29,8 +29,6 @@
  // | Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,  
USA.           |
  //  
|                                                                            
|
  //  
+---------------------------------------------------------------------------+
-//
-// $Id: lib-sessions.php,v 1.47 2008/09/21 08:37:12 dhaun Exp $

  /**
  * This is the session management library for Geeklog.  Some of this code  
was
@@ -418,7 +416,7 @@
      if ($md5_based == 1) {
          $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime  
WHERE (md5_sess_id = '$sessid')";
      } else {
-        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime  
WHERE (sess_id = $sessid)";
+        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime  
WHERE (sess_id = '$sessid')";
      }

      $result = DB_query($sql);
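Review bot: in the else branch, putting quotes around $sessid in WHERE (sess_id = '$sessid') only closes the injection if the value cannot itself contain a quote character, and nothing in this hunk shows $sessid being escaped or cast before it is interpolated. The old line compared sess_id to the value unquoted, which suggests a numeric column, so cast $sessid to an integer before building the query (or escape it with the database layer's escaping function) rather than relying on the quotes alone. The md5_sess_id branch above interpolates the same variable inside quotes and deserves the same validation, for example a check that the value is a hex string of the expected length.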


