1
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/12/26 22:21

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


The form seems to be no longer vulnerable to the previous attack =D, but I have not tried other methods yet.



2
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/12/26 13:40

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


Hi everybody

There is a new release of the News Module: 1.64

I'm going to check if the vuln has been fixed and report here.

Happy holidays



3
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/24 8:05

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


The way you reach the evil site does not involve security holes; you could get an evil link in a lot of ways, such as private messages or by surfing the web.

I have not tested prior versions, but if that form is not CSRF-safe with a token, then they're affected by this problem too.



4
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 22:23

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


In my opinion there is not a 100% effective solution in PHP.

A token will raise defenses against this kind of attack, but theoretically the attacker could guess the right token.

There are also other ways to (try to) prevent CSRFs: you could check the referrer, which tells you where the requests come from. If requests come from your website's domain then you accept them, otherwise you exit() :)

I have to tell you that even the referrer can be "hacked", so even this prevention is not 100% effective.

If I had to choose between token and referrer prevention I would choose the token :)


I suggest this article: http://shiflett.org/articles/cross-site-request-forgeries



5
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/23 21:35

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


Hi, and sorry for the delay and for my unclear post.

First of all, I think that a CSRF token would be very helpful; even though it doesn't provide 100% effective prevention, it raises the attack's complexity with minimum effort.

Here's my attack:
http://www.mediafire.com/?sharekey=68395ad6c66659b15a3d773badf21430e04e75f6e8ebb871

I provide these files:
Evilpage.html is the page with the hidden frame. If you have an active administration session on a XOOPS site and then you load the evil page with your browser, it will silently post new content to your news module.

xoopsnews.html is a copy of the form (provided by the news module). This form has to be adapted to your XOOPS installation, because my script refers to http://localhost/xoops and that is my installation but maybe not yours.

All you have to do to try it is:
1) log in to your XOOPS site
2) open evilpage.html
3) wait 5 secs
4) open your XOOPS admin page (in particular the news module administration)


I strongly suggest that the News 1.63 team insert a CSRF token.





6
fatmatto
Re: News 1.63 Vulnerability exploit
  • 2009/10/21 10:04

  • fatmatto

  • Just popping in

  • Posts: 6

  • Since: 2009/10/21


Hi everybody, let me explain a bit how it works.

You are right when you say that only registered users with publishing rights have access to that link, but here's the problem.

The submission form is NOT protected with a token or anything preventing CSRFs. In fact, I could write an evil HTML page with a hidden form that submits the form automatically when someone loads it in his browser (via the onload attribute inside the body tag).

Now imagine that you're the admin of a XOOPS and News 1.63 powered site: if I send you a link to my evil page and you open that link while your XOOPS session has not expired on the server, you will unconsciously send POST data to your site.
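The fix fatmatto recommends in post 4 (a session-bound token, with the referrer check as a weaker second layer) applied to a submission form like the one described above, as an added example that is not XOOPS or News module code. It assumes PHP 7+ with sessions enabled; the hidden field name and function names are my own, and the news-saving step is left as a comment.

```php
<?php
// Added example (not News module code): a per-session CSRF token for a form
// handler, plus an Origin/Referer check as a second, weaker layer.
// Assumes PHP 7+ with sessions; CSRF_FIELD and the function names are mine.

session_start();

const CSRF_FIELD = 'xoops_csrf_token';   // hypothetical hidden field name

// Issue one random token per session and reuse it, so several open tabs
// of the admin area keep working. A guessable token would defeat the check.
function csrf_token(): string {
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Compare the submitted token with the session copy in constant time.
// A missing token or a session without one is a failure, never a pass.
function csrf_token_is_valid(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION[CSRF_FIELD])) {
        return false;
    }
    return hash_equals($_SESSION[CSRF_FIELD], $submitted);
}

// Second layer: the source page named by Origin (or, failing that, Referer)
// must be this host. The hidden-frame page from another site fails here even
// before the token is checked; an absent header is also treated as a failure.
function request_is_same_site(string $siteHost, array $headers): bool {
    $source = $headers['HTTP_ORIGIN'] ?? $headers['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

// --- Handler for the news submission POST ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST[CSRF_FIELD] ?? null)
        || !request_is_same_site($_SERVER['SERVER_NAME'], $_SERVER)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // ... save the news item here (not part of this example) ...
}

// --- Form rendering: the token travels as a hidden field ---
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">';
echo '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">';
echo '<input type="text" name="title"> <button type="submit">Submit</button>';
echo '</form>';
```

The evil page can still auto-submit a copied form, but it cannot read the victim's session token, so the forged POST is rejected with 403 instead of creating a news item.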



