I am using XF-section 1.07 (xoops 2.2) and it appears there is a security vulnerability in modify.php. The email below is from my host, purplecloud.

Can anyone advise how I can plug this hole.

My site is www.anandamarga.org.uk, xf-section runs the vegetarian cookbook. Anonymous users are not allowed to modify the entries, and new users have to be accepted by the admins before being activated.

First off - I am going to upgrade to xfs 1.10


Quote:

Tell them to send you the proof - otherwise, you have no way of knowing what hole they are referring to. The problem here is this, they know that it happened, and maybe it acutally happened. Within the hosting environment, that means they either have some foms of trip wire running, mod_security, or snort. So, they should have the specific POST payload driven to execute.

More than likely - and I am taking a big guess - they uploaded something to the /tmp directory of the server. /tmp could be anything, so it's an example here. They then tried to execute the script. Since they (hosting company) saw it come through that specific file, they saw the specific command.

Here's what bothers me, and I am a PLESK reseller, it sounds to me that they DON'T have all of the security measures in place, and that the script was executed - probably a mailer of some sort. If youare on a Virtuosso (VPS) environment, it may also be a problem where the "script-kiddies" know the script is already on the physical server, and they are just trying to exploit it through a known PHP script that may give access to the /tmp directory.

This is probably more than you need to know, but it always bugs me that "hosting" companies tell you there was a problem, but give no proof or details...good luck!

thanks seventhseal - will ask them.
put on GIJoe's security pack just in case

I've had the same problem, with xfsection 1.10. I thought I had posted here already, but perhaps my post was deleted because it was too explicit with what the problem was

To cut a long story short, I have removed modify.php for now, and will look for an alternative articles/sections module.

But everything seems to work fine still and I can still edit articles. So...

What is modify.php for (except hackers!!) and what can't I do without it?



Thanks

The author has released several security fixes since 1.07. The current (and final) version of XFSection is 1.12a. You can find it H E R E

Yes but that 1.10->1.11 security bugfix was already commented out in modify.php in v1.10.

I was asking what modify.php is for.

Sorry/thanks

EDIT - I will install that version until I decide which alternative module to use - thank you very much.