1
ali44
Security hole in Xoops Poll??
  • 2004/10/20 23:46

  • ali44

  • Just popping in

  • Posts: 86

  • Since: 2004/5/24


Somehow a poll is created on my website, and it shows on the frontpage but without any voting option, just the question. I have disactivate the poll for security purpose but I suspect there's a backdoor way for someone to create a poll without admin access.

Also in chat applet, the name of the applet was changed to "hackthisshit" and everyone name was change to "hackthisshit#" with # being random number if there's more then one chatter.

2
brash
Re:Security hole in Xoops Poll??
  • 2004/10/21 2:28

  • brash

  • Friend of XOOPS

  • Posts: 2206

  • Since: 2003/4/10


That does not sound good, and in fact sounds like more thatn just your Poll module has been comprimised . What OS is your server running, and what permission have you got setup for your site?

3
ackbarr
Re:Security hole in Xoops Poll??

Though we cannot rule out a security hole, before we can say that the hole is in xoopspoll, you need to look at your web site access logs for any suspicious requests. Also, please ensure that you are running the latest version of XOOPS (currently 2.0.7.3) to ensure that all known issues have been patched. If this is a new hole in xoopspoll, we will want to close it as soon as possible, so please respond with your findings by contacting skalpa, onokazu, or myself directly.

Thank you!

4
ali44
Re:Security hole in Xoops Poll??
  • 2004/10/21 4:13

  • ali44

  • Just popping in

  • Posts: 86

  • Since: 2004/5/24


I'm updated with 2.0.7.3 couple week after the release. Running Linux, permission? There're many folders and permission. phppp has been helping me with the site and quite familiar with it but I haven't report this to him as I haven't seen around.

5
ali44
Re:Security hole in Xoops Poll??
  • 2004/10/21 17:03

  • ali44

  • Just popping in

  • Posts: 86

  • Since: 2004/5/24


Possibly a bug because I notice that the poll question is related to the thread in the forum (newbb2) I suspect that somehow a user create a poll or thread on the forum it gets carry over to the poll. I'm pretty sure this is the case because poll keep being created even I disactivated and a lot of poll questions and relates to the forum.

6
ackbarr
Re:Security hole in Xoops Poll??

that's entirely possible. We need to bring this to the attention of the newbb dev team and see if this is something they know about.

7
Speed
Re:Security hole in Xoops Poll??
  • 2004/10/21 19:05

  • Speed

  • Quite a regular

  • Posts: 310

  • Since: 2004/5/18


NewBB2 uses the standard poll module.

NewBB2 devs have stated that polls created in forums are supposed to show up in poll module. This is working as designed. They made it this way at the request of users.

In the mean time, other users have requested a means of limiting this function now that it has been implemented and control of front page polls has shifted from the web admin to the users.

If you would like to see this functionality changed, please let the devs know. It will likely require changes to the standard poll module.

In the interim, if you allow users to post polls in forums you can disable them as they appear via the admin functions. I've chosen to disable forum polls myself while I decide whether I want to show polls at all on the front page anymore due to this big change in poll functionality.

8
tripmon
Re:Security hole in Xoops Poll??
  • 2004/10/21 20:27

  • tripmon

  • Module Developer

  • Posts: 462

  • Since: 2004/2/28


You need to disable anon users from being able to create polls in the newbb2 admin area for the forum in question.
(where the group permissions are inside newbb admin, you will see create polls, uncheck it for everyone but webmasters).


I have yet to seriously investigate (as it's an RC) but my bet is that if you hit your site as ANON, and create a poll in the forum, it will create a poll, but when you try and view that poll it will appear with no questions or description.

Even while I am logged in as admin, every poll I create from inside the forum displays this behaviour. If I admin the polls module directly, I can see that the record was created (via create poll in newbb) without all data. While in the poll admin, I can add the missing data back to the poll and it will display correctly (at least in the polls module, have not tested to see if newbb2 will then display correctly as I just disabled polls in newbb until the next relelease).

I don't think there is so much a security issue, as something buggy in the poll functions (it has been noted that the poll section in newbb2 needs more work).

Try creating an anon poll via newbb and see if my predictions are correct. At least it should give you some peace of mind regarding newbb if nothing else.

The chat is a bit nasty though... see if it is calling the text sanitizer anywhere, if not you may be getting script injections.

GL

Login

Who's Online

285 user(s) are online (182 user(s) are browsing Support Forums)


Members: 0


Guests: 285


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits