1
Defkon1
Exploit on xoops 2.3.3
  • 2009/6/22 7:16

  • Defkon1

  • Not too shy to talk

  • Posts: 151

  • Since: 2005/1/27


I don't know if this is the correct forum...

Quote:

Nibble Security discovered a remote arbitrary file retrieval in XOOPS version
2.3.3, which could be exploited to read system or XOOPS configuration files
("mainfile.php").


http://www.milw0rm.com/exploits/8974

2
wishcraft
Re: Exploit on xoops 2.3.3

Thanks defcon..

It will be patched in 2.3.4 which is only a few weeks away.. Just having an ANTi-RSI break.. Because There is still more typing to do!

We where aware of this around a week ago before you forum posted it.. Lucky it is one of those conditional errors.. That is something that doesn't work on all installations.
Resized Image
http://www.ohloh.net/accounts/226400

Follow, Like & Read:-

twitter.com/RegaltyFamily
github.com/Chronolabs-Cooperative
facebook.com/DrAntonyRoberts

3
frankblack
Re: Exploit on xoops 2.3.3
  • 2009/6/22 8:26

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


Quote:
It will be patched in 2.3.4 which is only a few weeks away


Cough... And in the meantime? Any workaround? I assume that any protector is concerned?

Interesting timetable. Who was contacted?
17/03/2009 - Vendor notified.
17/03/2009 - Vendor response.
28/05/2009 - Vendor re-contacted (no answer).
16/06/2009 - Public disclosure.

Three month ago is quite a long time...

4
ghia
Re: Exploit on xoops 2.3.3
  • 2009/6/22 11:54

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
If register_globals is enabled and magic_quotes_gpc disabled,
In principle, no one has a site with these settings (see your phpinfo()).
And if they have, they should take measures to change it immediatly (and not only because this 'exploit') or move on to a decent hoster.

5
frankblack
Re: Exploit on xoops 2.3.3
  • 2009/6/22 12:57

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


Quote:
In principle, no one has a site with these settings


In principle I should be rich and famous. But I am not, so I guess there are php settings like this out there.

So you people with bad settings (or people who do not know that they have bad settings): come back in a few weeks and get your update - if you are caught in the meantime: bad luck.

Sounds offending, but it is not meant for your ears. I find it strange, that after 2 1/2 month the vendor was re-contacted but did not reply. Even if this is a minor threat and XOOPS has not so much "personnel", everything should be done to secure the system. Just my POV.

6
ghia
Re: Exploit on xoops 2.3.3
  • 2009/6/22 14:02

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


No, don't exagerate! This is a very, very minor threat.
It's not because you could be strucked by lightning, that you would walk around in a Faraday cage.
Some people are in much greater peril by eg not following the instructions for the install of Protector.

7
Mamba
Re: Exploit on xoops 2.3.3
  • 2009/6/22 14:53

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


Quote:
Sounds offending, but it is not meant for your ears. I find it strange, that after 2 1/2 month the vendor was re-contacted but did not reply.

I'll take a blame for it. My PC crashed and before I was able to work on it again and restore data, I had over 1,000 emails in my inbox, and unfortunately, it the "re-contacted" email was one of those emails that I didn't have a chance to read to respond in time.

Quote:
Even if this is a minor threat and XOOPS has not so much "personnel", everything should be done to secure the system. Just my POV.


And I totally agree with you. You can trust me that the team does what it can to keep XOOPS the safest CMS out there. The issue will be addressed in 2.3.4 release.

In addition to Ghia's comments, GIJoe told us that in order for a hacker to take advantage of this exploit, the XOOPS_TRUST_PATH would have to be inside the Document Root. We've always recommended our users to place XOOPS_TRUST_PATH outside of the Document Root.

But as I said, the issue will be addressed in 2.3.4
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

8
frankblack
Re: Exploit on xoops 2.3.3
  • 2009/6/22 14:54

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


I don't want to exaggerate anything and I go out with the dog at lightning. But I pity those who to belong to the minority which may be concerned by this very, very minor threat. Being hacked is not a good experience and I made this experience already. I just wanted to point out that three months are a very long time to publish a workaround in the meantime.

Feel save with the Protector? Sorry, no.

9
ghia
Re: Exploit on xoops 2.3.3
  • 2009/6/22 15:26

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
Feel save with the Protector? Sorry, no.
For good security, you may never feel safe.
But, feel safer with properly installed Protector? Definitly!

10
trabis
Re: Exploit on xoops 2.3.3
  • 2009/6/22 17:43

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Quote:

frankblack wrote:
Feel save with the Protector? Sorry, no.


"Bug" is in protector, not core. Actually, It is not a bug because protector is not meant to be in public directory.
If you show this as a "bug" to GIJOE he will laugh at your face.

Login

Who's Online

290 user(s) are online (122 user(s) are browsing Support Forums)


Members: 0


Guests: 290


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits