xoops forums

subzero_x

Just popping in
Posted on: 2007/2/6 13:56
subzero_x
subzero_x (Show more)
Just popping in
Posts: 72
Since: 2006/3/16
#1

Xoops Multiple Unspecified SQL Injection Vulnerabilities

Xoops is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.

An attacker may be able to exploit these issues to modify the logic of SQL queries. Successful exploits may allow the attacker to compromise the software, retrieve information, or modify data; other consequences are possible as well.

Xoops 2.0.16 is vulnerable.

More Information Here : http://www.securityfocus.com/bid/22399/info

SubZero
XOOPSDesign.com
http://streamtools.net professional themes for serious projects!

phppp

XOOPS Contributor
Posted on: 2007/2/6 14:53
phppp
phppp (Show more)
XOOPS Contributor
Posts: 2857
Since: 2004/1/25
#2

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

The core "issue" mentioned in the report was known to XOOPS Core Dev Team and evaluated as not a real vuln.
As for the weblinks module, plz check with the author.

eric235u

Not too shy to talk
Posted on: 2007/2/6 16:38
eric235u
eric235u (Show more)
Not too shy to talk
Posts: 149
Since: 2004/12/19
#3

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

is this the link module from www.mywebaddons.com ?
where can I find the latest links module for 2.2.x?
thanks for any tips.

Anonymous

Posted on: 2007/2/6 17:14
Anonymous
Anonymous (Show more)
Posts: 0
Since:
#4

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

I can't help thinking that this thread is unhelpful, being as it is in full public view on the XOOPS homepage........"Hey, Mr Bad Man, over here and look at this! Now you can attack everyone's XOOPS pages!"

Two words...... Protector Module.....

davidl2

XOOPS is my life!
Posted on: 2007/2/6 17:21
davidl2
davidl2 (Show more)
XOOPS is my life!
Posts: 4843
Since: 2003/5/26
#5

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

The information is also listed on the SecurityFocus site.

Anonymous

Posted on: 2007/2/6 18:00
Anonymous
Anonymous (Show more)
Posts: 0
Since:
#6

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Quote:

davidl2 wrote:
The information is also listed on the SecurityFocus site.


True, but I was warm and happy in blissful ignorance until the point that I read it

eric235u

Not too shy to talk
Posted on: 2007/2/6 18:50
eric235u
eric235u (Show more)
Not too shy to talk
Posts: 149
Since: 2004/12/19
#7

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

hi.

Quote:
"I can't help thinking that this thread is unhelpful, being as it is in full public view on the XOOPS homepage..."


i did not see it. where? do you mean this thread is in full view and don't like talking about exploits or that this issue has already been raised on the home page?

Quote:
Two words...... Protector Module.....


i read a lengthy thread on this and it seemed that the module was a good idea but it was not manditory. XOOPS core was reasonably secure. please tell me where i'm wrong. a link to further reading would be helpful.

Quote:
The information is also listed on the SecurityFocus site.


i clicked on "solution" and it states, "Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com."

therefore i did not see a resolution to the issue we're discussing at security focus. that's why i asked the question.

vaughan

Friend of XOOPS
Posted on: 2007/2/6 19:09
vaughan
vaughan (Show more)
Friend of XOOPS
Posts: 684
Since: 2005/11/26
#8

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Quote:

i read a lengthy thread on this and it seemed that the module was a good idea but it was not manditory. XOOPS core was reasonably secure. please tell me where i'm wrong. a link to further reading would be helpful.


yes XOOPS core is reasonably secure. but reasonably is the keyword there.. XOOPS protector is an essential module if you want more security, and indeed provides other security measures than the core itself provides.

Quote:

i clicked on "solution" and it states, "Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com."

therefore i did not see a resolution to the issue we're discussing at security focus. that's why i asked the question.


there's no solution yet, because the exploit in the core isn't a valid exploit so no solution is necessary.

however the authors of weblinks module, may not even know about the exploit yet in their module, so maybe some1 could slip them a message informing them.. however i don't think the security focus stated the weblinks version number, which in itself might be an older version of that module.. but still the authors need to be aware of the possibility.

eric235u

Not too shy to talk
Posted on: 2007/2/6 19:39
eric235u
eric235u (Show more)
Not too shy to talk
Posts: 149
Since: 2004/12/19
#9

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

i'm using weblinks 1.1 on XOOPS 2.2.x by Kazumi Ono. his website no longer is active. i didn't find him on the members module here or on the dev site.

i can't read this:
http://www.hackers.ir/advisories/festival.txt

so i don't know what specific links module he means. i'm shutting my site off from anonymous users until i feel comfortable with the links module.

preachur

Just can't stay away
Posted on: 2007/2/6 21:20
preachur
preachur (Show more)
Just can't stay away
Posts: 525
Since: 2006/2/4 4
#10

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

I too am using weblinks 1.1.... some on 2.0.16 and some on 2.2+ sites. I have removed the submit function from the modules. Only admins can add links and not from the client side, only through administration. Hopefully that plugged the hole.
Magick can never be restrained, but when freely given is thrice regained!