1
tuxsoul
Blind SQL Injection Exploit And PoC ....
  • 2007/3/27 17:10

  • tuxsoul

  • Just popping in

  • Posts: 13

  • Since: 2006/1/10


Hi, checking in the securityfocus today report, i find one report about of sql injection:

http://www.securityfocus.com/archive/1/463916

Can developer's check this please ?

greetings

2
wtravel
Re: Blind SQL Injection Exploit And PoC ....

This concerns the latest version available on the module repository: version 1.0, but looks like it applies to both later versions as well (1.01 and 1.02).

Exploits like these can be easily prevented by:

1. Installing the Protector module developed by GIJOE.
2. Using a different tables prefix than the default 'xoops_'.

In the meantime I informed the module developer of this.

Thanks for the alert!

Regards

3
JMorris
Re: Blind SQL Injection Exploit And PoC ....
  • 2007/3/27 18:11

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Just to confirm what wtravel stated about protector....

I run a cloned and seo'd version of Smartsection that has a folder name of "articles". When I checked protector on XOOPSinfo this morning, the exact code that was indicated in that announcement was found in the log. Protector stopped it dead in it's tracks.
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

4
Bender
Re: Blind SQL Injection Exploit And PoC ....
  • 2007/3/27 18:22

  • Bender

  • Home away from home

  • Posts: 1899

  • Since: 2003/3/10


Download taken offline until Andy gets this fixed. If you seriously need this module now despite the possible problem you can still get it from the Sourceforge XOOPS modules.
Sorry, this signature is experiencing technical difficulties. We will return you to the sheduled signature as soon as possible ...

5
AndyM
Re: Blind SQL Injection Exploit And PoC ....
  • 2007/3/27 18:36

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


Thanks to wtravel for contacting me. I shall release an update ASAP.

For now, I recommend that people disable the printable version of articles in the prefs, and delete print.php until I have released an update.

As mentioned above, the installation of the protector module is also a good idea.

6
davidl2
Re: Blind SQL Injection Exploit And PoC ....
  • 2007/3/27 22:39

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Please see the news item: here

7
tuxsoul
Re: Blind SQL Injection Exploit And PoC ....
  • 2007/4/6 2:42

  • tuxsoul

  • Just popping in

  • Posts: 13

  • Since: 2006/1/10


thank's for all answers, i have find another report, this talk about the core of xoops:

http://www.securityfocus.com/bid/23229/

can check this, please

8
skenow
Re: Blind SQL Injection Exploit And PoC ....
  • 2007/4/6 2:46

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


That particular notice was not about the core.

Did you also read the solution?

Quote:
Solution:
The vendor has reportedly addressed this issue in a new version. Please contact the vendor for information on how to obtain and apply the new version.

9
davidl2
Re: Blind SQL Injection Exploit And PoC ....
  • 2007/4/6 9:57

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Quote:

tuxsoul wrote:
thank's for all answers, i have find another report, this talk about the core of xoops:


"Core" is a custom XOOPS module, which is not generally available to users. It is nothing to do with the XOOPS Core.

This issue has been fixed already.

Login

Who's Online

272 user(s) are online (230 user(s) are browsing Support Forums)


Members: 0


Guests: 272


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits