
Security Patch for XOOPS 2.5.6

Posted by Mamba on 2013/9/24 15:40:00 (8103 reads) | Posted on Security
As always, security is at the top of the XOOPS priority list!

Current users of XOOPS 2.5.6 are encouraged to download and apply a Security Patch.

Download: SourceForge File Repository

This security patch fixes some potential XSS issues discovered by Mehdi Dadkhah and fixed by Richard Griffith.

While XOOPS 2.5.6 Websites that currently have Protector installed are safe from this XSS vulnerability, we strongly recommend applying this patch to ALL XOOPS 2.5.6 Websites.

We cannot stress enough that you should ALWAYS have Protector installed!!!

How to Apply the Patch:
You will need at least PHP 5.3.7.

Just copy ALL the files from the /htdocs folder in this Zip file to your XOOPS Website.
No other action is needed.
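
A pre-flight check for the copy step above, as an added example that is not part of the XOOPS patch or this announcement: it refuses to copy when the PHP version is below the stated 5.3.7 minimum, and it keeps a copy of every file it is about to overwrite. The function names, the backup directory argument and all paths are assumptions.

```shell
#!/bin/sh
# Added example (not XOOPS code): gate the file copy on the PHP minimum.
MIN_PHP="5.3.7"   # minimum stated in the announcement

# version_ge A B: succeeds when dotted version A >= B.
# Fields are compared as numbers, so 5.3.27 ranks above 5.3.7
# (a plain string comparison would get that wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0   # "27-1ubuntu" -> 27, missing -> 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# apply_patch PHP_VERSION PATCH_HTDOCS SITE_ROOT BACKUP_DIR
# PHP_VERSION must be the version the web server actually runs (for
# example as shown by phpinfo()); the CLI binary can be a different build.
apply_patch() {
    ver=$1 src=$2 dst=$3 backup=$4
    if ! version_ge "$ver" "$MIN_PHP"; then
        echo "PHP $ver is older than $MIN_PHP: patch files not copied" >&2
        return 1
    fi
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "patch folder or site root not found" >&2
        return 2
    fi
    # Save each file that is about to be replaced, so the copy can be undone.
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        [ -f "$dst/$f" ] || continue
        mkdir -p "$backup/$(dirname "$f")"
        cp -p "$dst/$f" "$backup/$f"
    done
    # Copy ALL files from the patch's htdocs folder over the site.
    cp -R "$src"/. "$dst"/
}
```
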

For users of XOOPS Versions older than 2.5.6

Please update AS SOON AS POSSIBLE to XOOPS 2.5.6. As always, the current versions are the most stable and safest, i.e. older versions might be open to vulnerabilities that have already been fixed in the current version.

As of today, all XOOPS 2.5.6 versions available for download have been patched.

Wishing everybody Happy and Safe Xoopsing!

XOOPS Core Team

The comments are owned by the author. We aren't responsible for their content.

10x a lot !!!

I think the captcha from 2.5.5 was also better than 2.5.6 and you can do it too
Published: 2013/9/24 16:20 • Updated: 2013/9/24 16:20
I have a blank page when trying to log in.
Can I make some special rules in "Protector" before installing this pack?
Published: 2013/9/25 4:27 • Updated: 2013/9/25 4:27
What exactly happened? What steps did you take?

Did you just copy the files and right after you got a blank screen? Did you do anything else?

What PHP version do you have?
Published: 2013/9/25 7:03 • Updated: 2013/9/25 7:03
Same here, blank page on login. No protector installed. All xoops caches and browser cache cleared. Very disappointing for a "security" update.
Published: 2013/9/25 7:04 • Updated: 2013/9/25 7:04
Feichtl, sorry to hear that.

Obviously we did test it, and first, before going live, we updated the XOOPS Website to make sure that everything is working.

I've sent you a message, please contact me and I'll try to help you.

[EDIT] I installed fresh the old XOOPS 2.5.6, updated as directed, and tested on PHP:

And on all of them it worked without any problems.
Published: 2013/9/25 7:31 • Updated: 2013/9/25 7:47
Michael, sorry for my complaint. Your answer came too fast!

I patched two sites at a time. One of them was working after the patch, the other one had the blank page on login. Your hint about "PHP version" made the point. One of the sites ran on PHP 5.2.6. After switching to 5.3 everything is OK again.

So, sorry again and I hope to help other users with my experience.
Published: 2013/9/25 7:47 • Updated: 2013/9/25 7:47
I am glad that everything worked out for you, and we have again a Happy XOOPS User in you
Published: 2013/9/25 8:12 • Updated: 2013/9/25 8:12
php 5.2.. ohhh :) Is it necessary to run 5.3.. ?
Published: 2013/9/25 8:31 • Updated: 2013/9/25 8:31
Published: 2013/9/25 8:55 • Updated: 2013/9/25 8:55
brutalicuss, you should already be on PHP 5.4.x, as it fixes many issues, and PHP 5.3 has already reached the end of its life, as was announced on July 11th, 2013.

Sure, many hosts will use PHP 5.3.x for a little bit longer, but PHP 5.2.x should have been put in storage a long time ago

So do yourself a favor and update your PHP to at least 5.3.7 - you'll increase security, performance, and compatibility of your server.
Published: 2013/9/25 9:06 • Updated: 2013/9/25 9:06
Ok Mamba, 10x again :)

I'm on HostGator, on some really baby plan, and now I managed only 5.3.27 via htaccess. This is the maximum for this shared plan

But anyway, the new security files are working now.. at least
Published: 2013/9/25 9:49 • Updated: 2013/9/25 9:49