In the range that I understand,
(The dates may be off by a day or less because local times are mixed.)
This security hole was reported by a third party in a forum on a certain site on January 17.
(You can find Google's cache.)
The module author, wjue, recognized this problem on the same day.
And the corrected new version 1.2.2 was released on January 28.
Around the same time, at some of the sites where this module was used:
- SourceForge.jp : on January 21
http://sourceforge.jp/forum/forum.php?forum_id=4153
- Deg-fanclubsued.de : on February 5.
http://www.myxoops.org/modules/newbb/viewtopic.php?topic_id=1899&forum=13
Cracking attempts were made. The falsification was actually done at SourceForge.JP.
This report was submitted to the server manager by the third party on February 3.
Though measures seem to have been taken on the same day,
there was no report to the XOOPS Japanese team at this point.
This matter was suddenly posted in the SourceForge.JP forum on February 13.
And all users of SourceForge.JP also got the report by mail.
In response to this, it was reported on Slashdot.JP and in part of the mass media.
- http://slashdot.jp/article.pl?sid=04/02/13/0821250&topic=92
- http://internet.watch.impress.co.jp/cda/news/2004/02/13/2089.html
- http://www.itmedia.co.jp/enterprise/0402/13/epn04.html
We (the XOOPS Japanese team) began investigating in a panic, considered the level of influence on XOOPS in Japan, and, as an exception, announced it to the public by news on February 13.
- http://www.xoopscube.jp/modules/news/article.php?storyid=195
And, because a part where the correction was insufficient was discovered in 1.2.2 during the investigation,
a report was submitted by Onokazu to the module author, wjue.
Therefore, we consider the posted patch code to be a temporary, private patch.
GIJOE - he is not a member of the XOOPS Japanese team - started this thread on February 13.
(It is the February 14 actually considerable from announcing to public of Japanese team.)
If GIJOE had not started this thread, I would have started a thread on this matter first.
The following settlement is in this thread.
# I'm tired of writing...
I want to say,
- Do not say that someone is bad.
(Excluding the crackers)
- Let's discuss the problem in the entire XOOPS community.
(I think that the bug tracking and advisory of security are insufficient.)
- A lot of sites where the hole remains still exist.
(Shut your hole early by fix!)