Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
0 + 6 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
   

Re: user.php deface/exploit ( 1.3 )
by Anonymous on 2004/2/16 17:26:06

No, thanks to Kents example I am following the example of warning AND providing a patch at the same time.

Sheesh some people.
Re: user.php deface/exploit ( 1.3 )
by Jan304 on 2004/2/16 17:21:31

So thx to GIJOE you are also posting this in the forum in place of warning the creator of it (in this case the XOOPS team).

And yes, as far as I know XOOPS version 1.3 is still getting updated, but only for security releases. So please, try to contact the XOOPS team.

FOR EVERYONE: DO NOT POST SECURITY RELATED ARTICLES ON THE FORUM BEFORE THERE IS A PATCH AVAILABLE...

Thx everyone for listening... Ofcourse this is only an advice :)
Re: user.php deface/exploit ( 1.3 )
by Anonymous on 2004/2/16 15:37:03

1. Nope, hence why I was being deliberately vague but not so vague I didn't provide a patch, I was merely following the example set a few days ago by the lastposts module exploit notification and warning people. Secondly, security by obscurity etc, Ive found out about a number of exploits and fixing them by watching security advisory boards that provide explicity test cases to demonstrate security holes and how to patch them.

2. Ill check it out but I did say 1.3 and not 2.0.

So are you saying, that for XOOPS1.3 that you are still patching security defects? I thought it was now unsupported code hence you would not really be interested anyway in an exploit that could not work on 2.0 by design.

Re: user.php deface/exploit ( 1.3 )
by Jan304 on 2004/2/16 15:23:06

Ah, now it is getting clear to me. Did you know that is is preferable to notice the XOOPS team before releasing this to the public so people cannot make use of it?

And, in XOOPS 2.0.x, I'm unable to register a nickname with < or > in. You might wanne check System Admin - Settings - User Settings.
Re: user.php deface/exploit ( 1.3 )
by Anonymous on 2004/2/16 14:28:30

OK, I will be clearer, I was trying to be vague to avoid giving instructions out as to how to do it.

If the user registers their username but embeds html code into it then when they log in the html code in their username will be parsed.

Register a username called "Wibble<i>Hi Im italic</i>".

Login with it.

The reason I mentioned registration is that this is the only place an end user can enter bad data into that field.

Who's Online

394 user(s) are online (338 user(s) are browsing Support Forums)


Members: 0


Guests: 394


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits