Blind SQL Injection Exploit And PoC .... [Xoops Bug Reports]

1

Blind SQL Injection Exploit And PoC ....

2007/3/27 17:10
tuxsoul
Just popping in
Posts: 13
Since: 2006/1/10

Hi, checking in the securityfocus today report, i find one report about of sql injection:

http://www.securityfocus.com/archive/1/463916

Can developer's check this please ?

greetings

2

Re: Blind SQL Injection Exploit And PoC ....

2007/3/27 18:08
wtravel
Posts: 987
Since: 2003/8/27

This concerns the latest version available on the module repository: version 1.0, but looks like it applies to both later versions as well (1.01 and 1.02).

Exploits like these can be easily prevented by:

1. Installing the Protector module developed by GIJOE.
2. Using a different tables prefix than the default 'xoops_'.

In the meantime I informed the module developer of this.

Thanks for the alert!

Regards

EFQ directory module web site

3

Re: Blind SQL Injection Exploit And PoC ....

2007/3/27 18:11
JMorris
XOOPS is my life!
Posts: 2722
Since: 2004/4/11

Just to confirm what wtravel stated about protector....

I run a cloned and seo'd version of Smartsection that has a folder name of "articles". When I checked protector on XOOPSinfo this morning, the exact code that was indicated in that announcement was found in the log. Protector stopped it dead in it's tracks.

Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

4

Re: Blind SQL Injection Exploit And PoC ....

2007/3/27 18:22
Bender
Home away from home
Posts: 1899
Since: 2003/3/10

Download taken offline until Andy gets this fixed. If you seriously need this module now despite the possible problem you can still get it from the Sourceforge XOOPS modules.

Sorry, this signature is experiencing technical difficulties. We will return you to the sheduled signature as soon as possible ...

5

Re: Blind SQL Injection Exploit And PoC ....

2007/3/27 18:36
AndyM
Quite a regular
Posts: 296
Since: 2003/8/31

Thanks to wtravel for contacting me. I shall release an update ASAP.

For now, I recommend that people disable the printable version of articles in the prefs, and delete print.php until I have released an update.

As mentioned above, the installation of the protector module is also a good idea.

[size=x-small]Articles, AM Events and my other modules.
The Muggles Guide
PC From Scratch[/size]

6

Re: Blind SQL Injection Exploit And PoC ....

2007/3/27 22:39
davidl2
XOOPS is my life!
Posts: 4843
Since: 2003/5/26

Please see the news item: here

7

Re: Blind SQL Injection Exploit And PoC ....

2007/4/6 2:42
tuxsoul
Just popping in
Posts: 13
Since: 2006/1/10

thank's for all answers, i have find another report, this talk about the core of xoops:

http://www.securityfocus.com/bid/23229/

can check this, please

8

Re: Blind SQL Injection Exploit And PoC ....

2007/4/6 2:46
skenow
Home away from home
Posts: 993
Since: 2004/11/17

That particular notice was not about the core.

Did you also read the solution?

Quote:

Solution:
The vendor has reportedly addressed this issue in a new version. Please contact the vendor for information on how to obtain and apply the new version.

Christian Web Master Resources
New SimplyWiki release

9

Re: Blind SQL Injection Exploit And PoC ....

2007/4/6 9:57
davidl2
XOOPS is my life!
Posts: 4843
Since: 2003/5/26

Quote:

tuxsoul wrote:
thank's for all answers, i have find another report, this talk about the core of xoops:

"Core" is a custom XOOPS module, which is not generally available to users. It is nothing to do with the XOOPS Core.

This issue has been fixed already.

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Re: Blind SQL Injection Exploit And PoC ....

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}