1
stefan88
Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/26 9:50

  • stefan88

  • Community Support Member

  • Posts: 1086

  • Since: 2004/9/20


Quote:
Vulnerability Summary CVE-2008-3296
Original release date: 7/25/2008
Last revised: 7/25/2008
Source: US-CERT/NIST


Overview

Directory traversal vulnerability in modules/system/admin.p h p in XOOPS 2.0.18 1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.


Found here: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3296
..

2
trabis
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/26 10:04

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


I don´t see how this could be exploited unless th hacker is a webmaster or a module admin. The first thing the script does is to check is it is a XOOPS user and if it has admin privilages. Anyway, I would prefer to sanitize fct just to make sure I don´t have a malicious admin among my crew, lol. But hey, if there is a malicious admin fixing this would be the less important of all things. In 90%(maybe 90,1% not sure, ahah) of the cases, the module developers don´t care much in protecting their modules administration so, a bad module admin can compromise your site exploting admin area of the module he has admin access.

I might be wrong eheh, but I consider this a very lazy exploit.

3
skenow
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/26 13:49

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


More information is found here - http://www.securityfocus.com/bid/30330/info

4
phppp
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/26 14:48

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


The "vuln" has been reported and discussed a couple of times and the conclusion made by XOOPS dev team at the moment was that it is not an valid vuln thus won't fix.

However, to keep XOOPS elegant, the code will definitely be improved in future releases.

5
skenow
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/26 16:14

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


If you are like me and do not want to dismiss this so readily or wait for a more elegant solution, you can edit modules/systems/admin.php and change the following lines at the beginning of the file:

if (isset($_POST['fct'])) {
    
$fct trim($_POST['fct']);
}
if (isset(
$_GET['fct'])) {
    
$fct trim($_GET['fct']);
}


to this:

if (isset($_POST['fct'])) {
    
$fct preg_replace('/(;|||`|>|<|&|^|"|'."n|r|'".'|{|}|[|]|)|()/i'''trim($_POST['fct']));
    
$fct '"'.preg_replace('/$/''\$'$fct).'"';
}
if (isset(
$_GET['fct'])) {
    
$fct preg_replace('/(;|||`|>|<|&|^|"|'."n|r|'".'|{|}|[|]|)|()/i'''trim($_GET['fct']));
    
$fct '"'.preg_replace('/$/''\$'$fct).'"';
}


Thanks to Vaughan for this solution!

6
sarahmx
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/27 8:42

  • sarahmx

  • Quite a regular

  • Posts: 381

  • Since: 2007/10/28


i follwed the solution but after i did that i can't click any link in the admin

in IE i received object required errors

7
Mamba
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/27 21:15

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


phppp is coming with a solution that will work in XOOPS.

We're in process of testing it - the 2.0.18.2 is coming soon.
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

8
McDonald
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/28 9:43

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Is this vulnerability affecting XOOPS 2.0.x only or XOOPS 2.2.x also?

If it is affecting XOOPS 2.2.x, is it possible to release a patch for this?

9
Mamba
Re: Vulnerability in XOOPS 2.0.18.1 admin.p h p
  • 2008/7/28 13:25

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


Quote:
i follwed the solution but after i did that i can't click any link in the admin

in IE i received object required errors

Please test the 2.0.18.2 RC, which should properly fix the problem.
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

Login

Who's Online

417 user(s) are online (307 user(s) are browsing Support Forums)


Members: 0


Guests: 417


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits