1
Rhomal
WF-Sections Security Hole
  • 2005/1/27 15:43

  • Rhomal

  • Quite a regular

  • Posts: 274

  • Since: 2004/10/5


Today with the help of my fellow co-workers we discovered a very obvious exploit in the latest WF_Sections. To bypass permissions by group to view a document all one must do is in the address bar put the article id # they wish to view.

For example, if someone knew an article 13 existed but did not have rights to view it, all someone needs to do is put this in the address bar:

http://x.x.x.x/modules/wfsection/article.php?articleid=13

This is making me totally rethink wf-sections both for my company internal site and my own website. It seems rather useless from a security standpoint.

2
pnppcs
Re: WF-Sections Security Hole
  • 2005/1/27 16:23

  • pnppcs

  • Just popping in

  • Posts: 55

  • Since: 2005/1/25


Don't give up on a great module too quickly. Maybe the developers weren't aware of this issue and you have alerted them to a great bug fix that you should be thanked for.

I personally don't use wf-sections but only because I don't have the use for it, but from what I can see it is a very good module.

Give the developers some time to fix this issue and then you won't have to worry about this exploit. You have made the 1st step by reporting it; even if it is in a negative manner, you have done the XOOPS community a great service.

Cheers,
Marty.

3
Rhomal
Re: WF-Sections Security Hole
  • 2005/1/27 16:34

  • Rhomal

  • Quite a regular

  • Posts: 274

  • Since: 2004/10/5


Quote:

pnppcs wrote:
Don't give up on a great module too quickly. Maybe the developers weren't aware of this issue and you have alerted them to a great bug fix that you should be thanked for.

I personally don't use wf-sections but only because I don't have the use for it, but from what I can see it is a very good module.

Give the developers some time to fix this issue and then you won't have to worry about this exploit. You have made the 1st step by reporting it; even if it is in a negative manner, you have done the XOOPS community a great service.

Cheers,
Marty.


I just went to the wf-projects site and their source forge site. There is a huge list of known outstanding bugs from as far back as last summer that have not been addressed. I don't see the point in adding another one to a list that apparently is not being worked on.

Aside from AMS (which I already use for my front page news) can someone suggest a good replacement for WF-sections?

Thanks for any input.

4
LazyBadger
Re: WF-Sections Security Hole

Quote:

Aside from AMS (which I already use for my front page news) can someone suggest a good replacement for WF-sections?

Maybe SmartSection? It's not so complex, but it's a good start.

5
Rhomal
Re: WF-Sections Security Hole
  • 2005/1/27 16:55

  • Rhomal

  • Quite a regular

  • Posts: 274

  • Since: 2004/10/5


Quote:

LazyBadger wrote:
Quote:

Aside from AMS (which I already use for my front page news) can someone suggest a good replacement for WF-sections?

Maybe SmartSection? It's not so complex, but it's a good start.


Thanks for the input. Is it updated fairly regularly for bugs and such? I don't want to get caught with abandonware again.

6
rcjohnson
Re: WF-Sections Security Hole
  • 2005/1/27 18:10

  • rcjohnson

  • Not too shy to talk

  • Posts: 187

  • Since: 2004/7/23


When I first started using wf-sections, that was one of the first things I found. So I started to put together a url check to ensure that the page being accessed came from a valid link.

Then I realized that was way too cumbersome, so I just gave up on it as well.

The last I heard from wf-projects was that wf-sections was going to be coded in a different language. But as you said, there have not been any updates for months.

- Ryan

7
Rhomal
Re: WF-Sections Security Hole
  • 2005/1/27 18:48

  • Rhomal

  • Quite a regular

  • Posts: 274

  • Since: 2004/10/5


Is there a way to make both AMS my news AND article module?

That may be a fix perhaps?

8
Peekay
Re: WF-Sections Security Hole
  • 2005/1/27 19:18

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


I am disappointed to read about this, because I confess I like the look of WF-Sections for articles. I was going to use it for a University organisation site. It lets authors attach images, write their own article summary and have their photo displayed in the article header. Plus, readers can see an author bio presented in a block next to the article. Professors (in fact most writers) love that kind of stuff!

I would like to use it, but as Rhomal points out, it's no use if bugs are not fixed promptly. I look forward to seeing some feedback from the WF dev team on this.

9
Bender
Re: WF-Sections Security Hole
  • 2005/1/27 19:20

  • Bender

  • Home away from home

  • Posts: 1899

  • Since: 2003/3/10


About the sf trackers ... true

Being abandonware ... wrong. Believe me, I would have left the project a long time ago then instead of wasting time there.

being written in a different language ... no. but a complete new codebase because of a rewrite for 3.x series. True.



However ... just some notes. Don't want to start a discussion about this. Good luck with whatever you choose to replace wf-sections on your site.

Maybe you will return one day - maybe not ... the choice is out there.

10
Bender
Re: WF-Sections Security Hole
  • 2005/1/27 19:31

  • Bender

  • Home away from home

  • Posts: 1899

  • Since: 2003/3/10


That security hole is fixed in 2.07 beta1 - yes, I know there is no upgrade script yet from any old version.

But it won't be there for those who began with 2.07 and will be no longer there once we have the script for you to upgrade from 2.01.

However, as rcjohnson already realized, it's not a quick-to-fix issue for 2.01.
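
The flaw discussed in this thread, modelled as an added example (not code from WF-Sections, XOOPS or any poster): leaving an article out of the index is not access control, so the handler that serves `articleid` has to check the caller's groups itself. The article table, group names and function names are hypothetical and the data is constructed.

```php
<?php
// Constructed sample data: article id => title and the groups allowed to view it.
// Ids, titles and group names are made up for this illustration.
const ARTICLES = [
    12 => ['title' => 'Public notice',   'groups' => ['anonymous', 'staff']],
    13 => ['title' => 'Internal report', 'groups' => ['staff']],
];

// Index page: lists only what the caller's groups may see. On its own this
// merely hides the link; it does not protect the article.
function listArticles(array $userGroups): array
{
    return array_keys(array_filter(
        ARTICLES,
        fn(array $a): bool => (bool) array_intersect($a['groups'], $userGroups)
    ));
}

// Flawed handler, as reported in the thread: it trusts articleid from the URL
// and never consults the permission table.
function viewArticleUnchecked($rawId): array
{
    $id = (int) $rawId;
    return array_key_exists($id, ARTICLES) ? [200, ARTICLES[$id]['title']] : [404, null];
}

// Corrected handler: validate the id, then authorize the caller against the
// requested object on every request, however the URL was reached.
function viewArticleChecked($rawId, array $userGroups): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !array_key_exists($id, ARTICLES)) {
        return [404, null];
    }
    if (!array_intersect(ARTICLES[$id]['groups'], $userGroups)) {
        // Same answer as "not found", so restricted ids are not confirmed to the caller.
        return [404, null];
    }
    return [200, ARTICLES[$id]['title']];
}

$guest = ['anonymous'];
var_dump(listArticles($guest));                 // index as a guest sees it
var_dump(viewArticleUnchecked('13'));           // direct request, flawed handler
var_dump(viewArticleChecked('13', $guest));     // direct request, guest, checked handler
var_dump(viewArticleChecked('13', ['staff']));  // direct request, member of an allowed group
```

A check on which page the request came from does not replace the per-object check, because the referring URL is supplied by the client.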
