Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
0 + 4 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
by eric235u on 2007/3/6 15:30:59

Hi. I would like to thank the XOOPS developers for participating in this forum thread and setting the record straight. One of my favorite aspects of free / open source software is the communication between users and developers in an open forum such as this. Many thanks.
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
by phppp on 2007/3/6 6:55:18

Agreed that we should respond to valid security report properly.

For this specific report, there is some story behind:
Before the "issues" were released to public, Mr Omid contacted the XOOPS Core Dev Team at very first time. The Core Team evaluated the issue very quickly and responded him immediately. Both Skalpa and me stated clearly in our emails to him that we don't think it a valid vulnerability, it might be taken care of in future a version of XOOPS but it is not necessary to make any "patch" or "change" objectively for it at this moment.
However, I don't know why the report still got spreaded although the XOOPS Core Team had made clear response to the original discoverer.
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
by irmtfan on 2007/3/6 4:45:18

this is a bit off topic sorry.
there is no official rules for using internet in iran no department for internet&computer crimes either ( as far as i know). so many people called themselves a "Security Team" or "Hackers" without enough backgrounds in internet or security then post some True and FAKE reports everywhere they can especially in reliable security sites (forums or mailing lists) to increase their ranks.

back to topic i totally agreed with you and already send an email to security focus about.
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
by giba on 2007/3/5 16:45:58

Very, very thanks AndyM.

This is my wish for all users and support XOOPS in world.
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
by AndyM on 2007/3/5 16:28:59

phppp, if no one has done so yet, it would be worth one of the devs to write to security focus to update the report. It would both allay people's fears and be good for XOOPS's, showing that you take these reports seriously, check them out and respond to them.

Who's Online

233 user(s) are online (185 user(s) are browsing Support Forums)


Members: 0


Guests: 233


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits