Security: XOOPS 2.3.2b - Security Release
Posted by: phppp on 2008/12/7 12:10:00 (40468 reads)

Security is always at the top of the XOOPS developers' list. The XOOPS Development Team is therefore pleased to announce the release of XOOPS 2.3.2b, an improved XOOPS 2.3.x release.
This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Security Research Group (DSRG), a potential local file inclusion vulnerability reported by DSRG, an autologin bug reported by Dylian, a backward bug in data synchronization reported by boy0917, and a bug in xoopsmailer reported by ezsky.
In the 2.3.2b release we have further improved security fixes with help from DSRG.
All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.
XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package for local file inclusion issues.
Download from Sourceforge repository.
System requirements
-----------------------------------
PHP: Any PHP version >= 4.3 (PHP 4.2.x may work but is not officially supported, PHP 5.0+ is strongly recommended)
MySQL: MySQL server 3.23+ (MySQL 5.0+ is strongly recommended)
Web server: Any server supporting the required PHP version (Apache highly recommended)

Downloading XOOPS 2.3.2b
-----------------------------------
You can get this release package from the Sourceforge repository. Both .zip and .gz archives are provided.

Installing XOOPS 2.3.2b
-----------------------------------
1. Copy the content of the htdocs/ folder to a location where it can be accessed by your server
2. Ensure mainfile.php and uploads/ are writable by the web server
3. For security considerations, you are encouraged to move the directories "/xoops_lib" (for XOOPS libraries) and "/xoops_data" (for XOOPS data) out of the document root, or even change the folder names.
4. Make the xoops_data/ directory writable; create the directories xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ and make them writable.
5. Access the folder where you installed the htdocs/ files using your web browser to launch the installation wizard

Installing Protector in XOOPS 2.3.2
-----------------------------------
We also highly recommend installing the PROTECTOR module, which brings additional security protection and logging capabilities to your site.

To install the Protector module for the first time with a new installation of XOOPS 2.3.2, copy /extras/mainfile.dist.php.protector to /htdocs/mainfile.dist.php BEFORE installing XOOPS.

If you are upgrading an existing XOOPS website (see below for how to do it) and Protector is already installed there, copy /extras/mainfile.dist.php.protector to /upgrade/upd-2.0.18-to-2.3.0/mainfile.dist.php BEFORE upgrading XOOPS.

Upgrading from a previous version
-----------------------------------
As always, make sure you have a fresh BACKUP before you upgrade!!!
Upgrading from XOOPS 2.3.x (easy way)
1. Get the update package from the sourceforge file repository
2. Overwrite your existing files with the new ones
3. Move the "upgrade" folder inside the "htdocs" folder (it's been kept out as it's not needed for full installs) on your local machine
4. Access
define('_CHARSET', 'UTF-8');
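
The directory layout asked for in installation steps 2 to 4 above can be checked before launching the installation wizard. The script below is an added example, not part of the XOOPS package or of the original announcement; the function names and the paths in the usage comment are hypothetical, and it assumes it is run as the web server account so that the writability tests reflect that account's permissions.

```shell
#!/bin/sh
# Added example: audit the directory layout from installation steps 2-4.
# Run as the web server account so that -w reflects its permissions.

# Print the canonical (symlink-free) path of an existing directory.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# check_xoops_layout DOCROOT XOOPS_LIB XOOPS_DATA
# Prints one OK/WARN/FAIL line per check; returns 1 if any check FAILed.
check_xoops_layout() {
    docroot=$(real_dir "$1") || { echo "FAIL document root missing: $1"; return 1; }
    failed=0

    # Step 2: mainfile.php and uploads/ must be writable.
    for p in "$docroot/mainfile.php" "$docroot/uploads"; do
        if [ -w "$p" ]; then echo "OK writable: $p"
        else echo "FAIL not writable or missing: $p"; failed=1; fi
    done

    # Step 3: xoops_lib and xoops_data are best kept outside the document root.
    for d in "$2" "$3"; do
        if r=$(real_dir "$d"); then
            case "$r/" in
                "$docroot"/*) echo "WARN inside document root: $r" ;;
                *)            echo "OK outside document root: $r" ;;
            esac
        else
            echo "FAIL directory missing: $d"; failed=1
        fi
    done

    # Step 4: xoops_data/ and its cache directories must exist and be writable.
    for sub in "" caches caches/xoops_cache caches/smarty_cache caches/smarty_compile; do
        if [ -d "$3/$sub" ] && [ -w "$3/$sub" ]; then echo "OK writable: $3/$sub"
        else echo "FAIL missing or not writable: $3/$sub"; failed=1; fi
    done
    return "$failed"
}

# Usage (hypothetical paths): sh check_layout.sh /var/www/htdocs /srv/xoops_lib /srv/xoops_data
if [ $# -eq 3 ]; then check_xoops_layout "$@"; fi
```

A WARN line means step 3's recommendation was not followed; it does not change the exit status, since the announcement presents that step as encouraged rather than required.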