11
adium
XOOPS Theme Gallery
  • 2009/8/11 8:29

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


I realize this new theme gallery is still in beta, but after some searching around the site I can't find any info on the progress or anything at all for that matter.

All the files in the gallery are empty zip files, which there are some nice themes in there as well. Specifically some of the admin themes.

Are these themes going to be fixed so they aren't broken links anytime soon?



12
adium
Admin Oxygen theme won't display certain pages
  • 2009/8/11 8:26

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


I've been going back and forth all night trying to change the permissions on my newbb forum, but every time I view the page it's nothing but a blank white page. I change the admin theme from oxygen to either legacy or default and the page will display.

Not that I go around changing permissions on my forum very often, but it is kinda annoying to have to change the theme in order to get it to work.

Has anyone else noticed this or is it just me? Better question would be, is there a fix for this?



13
adium
Re: Omitting module from Search Results
  • 2009/8/10 0:12

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


Wow! That easy? Thanks a lot!



14
adium
Omitting module from Search Results
  • 2009/8/9 23:50

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


I am using extCal just to display a mini-calendar in my sidebar and nothing more. However depending on your search term it will show up in the search results for the site. I would rather it not show up at all and only work as a calendar that sits there and looks pretty.

Any idea on how to do this?



15
adium
Better way to working with and managing SQL databases?
  • 2009/8/2 10:40

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


You know those modules that you want like 1,000 entries in it, for example a links section, and you have to sit there and enter every single one using the submit.php page?

I have found a better way, using a program (called Navicat) that lets me export my SQL table into an Excel file.... or place all my data into an Excel file then import it. Problem is that it only imports by deleting the old table then making a new one, causing whatever uses that table to be unavailable for the time period you need to upload the new database. This program also limits me to using 255 characters per cell. For a links section, it's not a big deal, but for forum entries or blog posts it can create a problem.

I am wondering if anyone uses something similar. I would absolutely love something that functions like Excel but works directly with the database online so there is no upload/download crap. Another annoying feature with Navicat is that it doesn't include the column names in the table so you have to type in each name manually before you can import it.

For links and downloads modules this program is great..., but I'm still looking for a little more control.



16
adium
Re: WYSIWYG @ catads module
  • 2009/8/1 3:16

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


Awesome! Thanks!!!!



17
adium
Re: HTML Editor
  • 2009/7/31 17:52

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


Quote:

There should be a function called render. In this function is the html-code for the textarea. Just add a blank right before the closing textarea-tag.


There is a function called render but there are no HTML tags in it.

function render()
{
    $ret = $this->tinymce->render();
    $ret .= parent::render();

    return $ret;
}



18
adium
XOOPS Multiple Cross-Site Scripting Vulnerabilities - Security Advisory
  • 2009/7/31 17:45

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


From: Lists <lists_at_senseofsecurity.com.au>
Date: Fri, 31 Jul 2009 16:05:46 +1000


XOOPS Multiple Cross-Site Scripting Vulnerabilities - Security Advisory - SOS-09-005
Release Date. 31-Jul-2009
Vendor Notification Date. 15-Jun-2009
Product. XOOPS
Platform. Independent
Affected versions. 2.3.3 (verified), possibly others
Severity Rating. Medium
Impact. Cookie/credential theft, impersonation, loss of confidentiality
Attack Vector. Remote
Solution Status. Vendor patch
CVE reference. Not yet assigned

Details.

XOOPS is a content management system written in PHP. During an application penetration test Sense of Security identified that Input passed to the "op" parameter of viewpmsg.php, and in the query string of user.php are vulnerable to Cross-Site Scripting vulnerabilities. This occurred as a result of the application not properly filtering HTML tags which allowed malicious JavaScript to be embedded. When input is incorrectly validated and not properly sanitised and then displayed in a web page, attackers can trick users into viewing the web page and causing malicious code to be executed.

Proof of Concept.

http://IP/xoops-2.3.3/htdocs/modules/pm/viewpmsg.php?op='"><script>alert('vulnerable')</script><link id='

http://IP/xoops-2.3.3/htdocs/modules/profile/user.php?"><script>alert('vulnerable')</script>

Solution.

Vendor patch

Discovered by.

Sense of Security

About us.

Sense of Security is a leading provider of IT security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application security consultancy and trusted IT security advisor to many of the country's largest organisations.

Sense of Security Pty Ltd

Level 3, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info_at_senseofsecurity.com.au




The latest version of this advisory can be found at:

http://www.senseofsecurity.com.au/advisories/SOS-09-005.pdf

Other Sense of Security advisories can be found at:

http://www.senseofsecurity.com.au/research/it-security-advisories.php

Received on Jul 31 2009
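
The two reflection points the advisory names (the "op" parameter and the raw query string) can be closed with an allowlist plus context-aware output encoding. The sketch below is an added example, not XOOPS code and not the vendor patch; the allowlist values and the function names `clean_op`, `h` and `self_link` are hypothetical.

```php
<?php
// Added example: defensive handling for the two inputs named in SOS-09-005.
// Not XOOPS source. ALLOWED_OPS values and all function names are hypothetical.

const ALLOWED_OPS = ['in', 'out', 'save'];

// Return the requested operation only if it is a known one.
function clean_op(array $query, string $default = 'in'): string
{
    $op = $query['op'] ?? $default;
    // Rejects arrays (op[]=x) and any value that is not on the allowlist.
    if (!is_string($op) || !in_array($op, ALLOWED_OPS, true)) {
        return $default;
    }
    return $op;
}

// Encode for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so a value cannot close the attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a link back to the current page without echoing the raw query string.
function self_link(string $path, string $rawQueryString): string
{
    parse_str($rawQueryString, $pairs);          // parse into key/value pairs
    $url = $path;
    if ($pairs) {
        $url .= '?' . http_build_query($pairs);  // re-serialise, URL-encoded
    }
    return '<a href="' . h($url) . '">reload</a>';
}

// Constructed inputs modelled on the advisory's two proof-of-concept URLs.
$q1 = ['op' => '\'"><script>alert(\'vulnerable\')</script><link id=\''];
$q2 = '"><script>alert(\'vulnerable\')</script>';

// The unknown op falls back to the default; the form field stays intact.
echo '<input type="hidden" name="op" value="' . h(clean_op($q1)) . '">', "\n";
// If the raw value must be shown (e.g. in an error message), encode it.
echo '<p>Unknown operation: ' . h($q1['op']) . '</p>', "\n";
// The query string is rebuilt and encoded, so no markup reaches the page.
echo self_link('/modules/profile/user.php', $q2), "\n";
```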



19
adium
Re: WYSIWYG @ catads module
  • 2009/7/31 15:51

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


Wow..., I have this same issue and this is in the latest 5 search results?

Any chance someone out there has a fix on this yet and I'm just not seeing it?



20
adium
Re: Catads won't show new submissions for 6 hours
  • 2009/7/6 17:05

  • adium

  • Just popping in

  • Posts: 99

  • Since: 2005/1/18


Answered my own question.

Change submit1.php, Line 239:

$published = strtotime($published) + mktime($now['hours'], $now['minutes'], $now['seconds'], 1, 1, 1970);


to

$published = strtotime($published) + mktime($now['hours'], $now['minutes'], $now['seconds'], 1, 1, 1970) - 21600;


Simple hack, and now I feel like an idiot! Not as much of an idiot if someone else answered, but still an idiot.



