11
jcweb
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 22:04

  • jcweb

  • Quite a regular

  • Posts: 253

  • Since: 2005/4/25


Are you using weblinks or mylinks?

jcweb

12
irmtfan
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 4:38

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


i cant find this file in weblinks or mylinks module.
mylinks has not a "class" category and weblinks 1.13 has not table_broken.php or weblinks_table_broken.php?
IMHO this report in a mailing list is not important to consider

13
MadFish
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 5:22

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


I couldn't find it either.

14
jcweb
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 6:42

  • jcweb

  • Quite a regular

  • Posts: 253

  • Since: 2005/4/25


Look here from the xoopsversion of mylinks

$modversion['name'] = _MI_MYLINKS_NAME;
$modversion['version'] = 1.10;
$modversion['description'] = _MI_MYLINKS_DESC;
$modversion['credits'] = "Kazumi Ono( http://www.mywebaddons.com/ )The XOOPS Project";
$modversion['help'] = "mylinks.html";
$modversion['license'] = "GPL see LICENSE";
$modversion['official'] = 1;
$modversion['image'] = "images/mylinks_slogo.png";
$modversion['dirname'] = "mylinks";


So whats up, is it a security hole or not?
jcweb

15
davidl2
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 7:56

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


The module reffered to is WEBLINKS

16
wizanda
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 8:35

  • wizanda

  • Home away from home

  • Posts: 1585

  • Since: 2004/3/21


Ok then yesterday was going to post, please don't post on this thread as don't like seeing things like it, that make XOOPS look worse....
yet point remains old web-sites contain information like this also, I have found stuff like it using Google Search also...
So point is are all of these sites that do that, are they getting feed back off us, to inform them that XOOPS doesn't have the problem?
We need to make a private forum for members only to make sure across the web things like it are reported....yet then not shown to search engines.
As though I found this same sort of report months ago, noticed and checked XOOPS had dealt with it, yet on sending an email....wasn't sure on posting on here publicly to tell everyone, so search engines didn’t see more errors like this.....


(Jcweb) The point in the question, if that is the part that is security risk is nope, that is for where XOOPS tell it self about it’s self…
the point they are saying in the error is that if the form that submits data, doesn’t use text sanitizer on submit, then people can access MySQL And in that you would also be needing access password to input anything across tables in MySQL

17
ohwada
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/4 13:46

  • ohwada

  • Just popping in

  • Posts: 28

  • Since: 2003/11/15


I am author of Weblinks.

I confirm the pointed out code have SQL Injection.
But, only the module administrator can use this code.
I dont assume that the module administrator attack own managed server.

Also, this code was corrected in V1.20 or later.
Current stable is V1.31

18
davidl2
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/4 13:47

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Thank you - we've a news item for 1.31 - which I was waiting to hear from you before releasing.

I can do this now

19
giba
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/5 10:14

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


One question.

This release fix it ?

Release of Weblinks 1.31

20
giba
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/5 10:17

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


I am reporting XOOPS core team Here

http://www.securityfocus.com/archive/1/459150

Xoops Multiple Unspecified SQL Injection Vulnerabilities

Bugtraq ID: 22399
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Feb 05 2007 12:00AM
Updated: Feb 05 2007 11:08PM
Credit: omid@hackers.ir has been credited with the discovery of these vulnerabilities.
Vulnerable: XOOPS Xoops 2.0.16 core

Attention please.

Waiting anunciament official core, please.

Login

Who's Online

281 user(s) are online (160 user(s) are browsing Support Forums)


Members: 0


Guests: 281


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits