Security Patch for XOOPS 2.5.6

Posted by Mamba on 2013/9/24 14:40:00 (4786 reads) | Posted on Security
As always, security is at the top of the XOOPS priority list!

Current users of XOOPS 2.5.6 are encouraged to download and apply a Security Patch.

Download: SourceForge File Repository


This security patch fixes some potential XSS issues discovered by Mehdi Dadkhah and fixed by Richard Griffith.

While XOOPS 2.5.6 websites that currently have Protector installed are safe from this XSS vulnerability, we strongly recommend applying this patch to ALL XOOPS 2.5.6 websites.


We cannot stress enough that you should ALWAYS have Protector installed!!!


How to Apply the Patch:
--------------------------
You will need PHP 5.3.7 as a minimum.

Just copy ALL the files from /htdocs folder in this Zip file to your XOOPS Website.
No other action is needed.
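
The two steps above (confirm the PHP minimum, then copy the files) as a pre-flight script that also backs up every file the patch overwrites. This is an added example, not part of the announcement or of XOOPS itself; the function names are hypothetical, and it assumes you pass in the PHP version that actually serves the site (as shown by the site's own PHP info), since the command-line `php` on a host can be a different version.

```shell
#!/bin/sh
# Added example (not XOOPS project code): pre-flight check and backup for the patch.
# Usage: sh apply_patch.sh <php-version-serving-the-site> <patch-htdocs-dir> <site-root>
MIN_PHP="5.3.7"   # minimum PHP version stated in the announcement

# version_ge A B: succeed when dotted version A >= B, comparing the first three
# numeric fields; a suffix such as "-1ubuntu4" is ignored.
version_ge() {
    v1="${1%%[!0-9.]*}.0.0"
    v2="${2%%[!0-9.]*}.0.0"
    for i in 1 2 3; do
        f1=$(printf '%s' "$v1" | cut -d. -f"$i")
        f2=$(printf '%s' "$v2" | cut -d. -f"$i")
        [ "${f1:-0}" -gt "${f2:-0}" ] && return 0
        [ "${f1:-0}" -lt "${f2:-0}" ] && return 1
    done
    return 0
}

# apply_patch SRC DST: save every file the patch will overwrite into a sibling
# directory of DST (outside the web root), copy the patch in, print the backup path.
apply_patch() {
    src=$1; dst=$2
    backup="${dst%/}.pre-patch-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        if [ -f "$dst/$f" ]; then
            mkdir -p "$backup/$(dirname "$f")"
            cp -p "$dst/$f" "$backup/$f"
        fi
    done
    cp -R "$src/." "$dst/"
    printf '%s\n' "$backup"
}

# Run only when called with all three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    if ! version_ge "$1" "$MIN_PHP"; then
        echo "PHP $1 is older than $MIN_PHP; upgrade PHP before patching." >&2
        exit 1
    fi
    apply_patch "$2" "$3"
fi
```

To roll back, copy the contents of the printed backup directory over the site root again.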


==============================================
For users of XOOPS Versions older than 2.5.6
==============================================

Please update AS SOON AS POSSIBLE to XOOPS 2.5.6. As always, the current version is the most stable and the safest, i.e. older versions might be open to vulnerabilities that have already been fixed in the current version.

As of today, all XOOPS 2.5.6 versions available for download have been patched.

Wishing everybody Happy and Safe Xoopsing!

XOOPS Core Team
2013-09-24


The comments are owned by the author. We aren't responsible for their content.

10x a lot !!!

I think the captcha from 2.5.5 was also better than 2.5.6 and you can do it too
Published: 2013/9/24 15:20 • Updated: 2013/9/24 15:20
I have blank page when trying to log in.
Can I make some special rules in "Protector" before installing this pack?
Published: 2013/9/25 3:27 • Updated: 2013/9/25 3:27
What exactly happened? What steps did you take?

Did you just copy the files and right after you got a blank screen? Did you do anything else?

What PHP version do you have?
Published: 2013/9/25 6:03 • Updated: 2013/9/25 6:03
Same here, blank page on login. No protector installed. All xoops caches and browser cache cleared. Very disappointing for a "security" update.
Published: 2013/9/25 6:04 • Updated: 2013/9/25 6:04
Feichtl, sorry to hear that.

Obviously we did test it, and first, before going live, we updated the XOOPS website to make sure that everything is working.

I've sent you a message, please contact me and I'll try to help you.

[EDIT] I installed fresh the old XOOPS 2.5.6, updated as directed, and tested on PHP:
5.3.13
5.4.20
5.5.4

And on all of them it worked without any problems.
Published: 2013/9/25 6:31 • Updated: 2013/9/25 6:47
Michael, sorry for my complaint. Your answer came too fast!

I patched two sites at a time. One of them was working after the patch, the other one had the blank page on login. Your hint to "PHP version" made the point. One of the sites ran on PHP 5.2.6. After switching to 5.3 everything is OK again.

So, sorry again and I hope to help other users with my experience.
Published: 2013/9/25 6:47 • Updated: 2013/9/25 6:47
I am glad that everything worked out for you, and we have again a Happy XOOPS User in you
Published: 2013/9/25 7:12 • Updated: 2013/9/25 7:12
php 5.2.. ohhh :) Is it necessary to run 5.3.. ?
Published: 2013/9/25 7:31 • Updated: 2013/9/25 7:31
Translated
Published: 2013/9/25 7:55 • Updated: 2013/9/25 7:55
brutalicuss, you should be already on PHP 5.4.x, as it fixes many issues, and PHP 5.3 has already reached end of its life, as it has been announced on July 11th, 2013.

Sure, many hosts will use PHP 5.3.x for a little bit longer, but PHP 5.2.x should have been put in storage a long time ago.

So do yourself a favor and update your PHP to at least 5.3.7 - you'll increase security, performance, and compatibility of your server.
Published: 2013/9/25 8:06 • Updated: 2013/9/25 8:06
Ok Mamba, 10x again :)

I'm in hostgator some really baby plan, and now I succeed only 5.3.27 via htaccess. This is the maximum for this shared plan.

But anyway, the new security files are working now.. at least
Published: 2013/9/25 8:49 • Updated: 2013/9/25 8:49