1
Peekay
Is the Yogurt module safe to use?
  • 2010/9/19 9:44

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


I recently downloaded (from Xoops Sourceforge)

XOOPS2_mod_yogurt_3.30_RC2_marcellobr.zip

Unfortunately, I have subsequently found several posts here and also on the ICMS forum relating to a security issue.

Someone at ICMS appears to have taken over development of the module, but was surprised to see that although they are aware of the security risk (AFAIK) they have not made a secure version available for public download. The version ICMS offer for download seems to be the same RC.

If the version I have downloaded is insecure, can someone post the solution so I can fix it myself?

The original developer clearly worked hard on this module and it would be a shame not to be able to use it.
A thread is for life. Not just for Christmas.

2
trabis
Re: Is the Yogurt module safe to use?
  • 2010/9/19 13:14

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


I spent 10 minutes looking at it and found 3 $_POST variables not sanitized. I'm not a hacker, but I suppose we can use cURL to POST whatever we want, including tokens.
I found 1 $_GET variable not sanitized; this one can be easily exploited.

I have looked at half of the root files only.

If you want to fix yogurt, take a look at all $_GET and $_POST and use intval for every value that is expected to be an int. If it is a string, make sure you use $myts->addslashes before passing it into a criteria or, better, $db->quotestring.
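A worked illustration of the fix trabis describes, written here as an added example rather than code taken from the Yogurt module or from XOOPS itself. The helper calls (`intval()`, `MyTextSanitizer::addSlashes()`, `$xoopsDB->quoteString()`, `$xoopsDB->prefix()`, `Criteria`/`CriteriaCompo`, `$GLOBALS['xoopsSecurity']->check()`) are real XOOPS 2.3+ core APIs; the handler object, table name and column names (`$imageHandler`, `yogurt_images`, `uid`, `album`, `caption`) are assumed placeholders, and the token check is added on top of trabis's intval/addslashes/quotestring advice to cover the "just POST whatever you want" case he mentions.

```php
<?php
// Added example (not Yogurt module code): the unsanitized pattern trabis
// describes, side by side with a hardened equivalent built on XOOPS core
// helpers. Handler, table and column names are hypothetical placeholders.

include_once XOOPS_ROOT_PATH . '/class/criteria.php';

$myts = MyTextSanitizer::getInstance(); // XOOPS text sanitizer singleton

// --- Unsafe: raw request values go straight into a Criteria ---------------
function listImagesUnsafe($imageHandler)
{
    // $_GET['uid'] and $_GET['album'] are used as-is. Criteria::render() only
    // wraps the value in single quotes; it does not escape it, so anything
    // containing a quote ends up altering the generated SQL.
    $criteria = new CriteriaCompo(new Criteria('uid', $_GET['uid']));
    $criteria->add(new Criteria('album', $_GET['album']));
    return $imageHandler->getObjects($criteria);
}

// --- Safe: cast ints, escape strings before they reach the Criteria --------
function listImagesSafe($imageHandler)
{
    global $myts;
    // Expected integer: intval() discards anything that is not a number.
    $uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
    // Expected string: escape it before it is embedded in the query.
    $album = isset($_GET['album']) ? $myts->addSlashes(trim($_GET['album'])) : '';

    $criteria = new CriteriaCompo(new Criteria('uid', $uid));
    if ($album !== '') {
        $criteria->add(new Criteria('album', $album));
    }
    return $imageHandler->getObjects($criteria);
}

// --- Safe POST handler: token check, intval for ids, quoteString for text --
function saveCaptionSafe($xoopsDB, $imageTable = 'yogurt_images')
{
    // Refuse POSTs that do not carry a valid XOOPS security token, so a
    // request assembled outside the site's own form is rejected up front.
    if (!$GLOBALS['xoopsSecurity']->check()) {
        redirect_header('index.php', 3,
            implode('<br />', $GLOBALS['xoopsSecurity']->getErrors()));
    }
    $imageId = isset($_POST['image_id']) ? intval($_POST['image_id']) : 0;
    // quoteString() escapes the value and wraps it in quotes, ready for SQL.
    $caption = $xoopsDB->quoteString(isset($_POST['caption']) ? $_POST['caption'] : '');
    $sql = sprintf('UPDATE %s SET caption = %s WHERE image_id = %d',
                   $xoopsDB->prefix($imageTable), $caption, $imageId);
    return $xoopsDB->query($sql);
}
```

The two list functions take the same input and build the same query; the only difference is that the safe version decides, per parameter, whether it is a number (cast it) or a string (escape it) before anything touches the Criteria. For write paths, `quoteString()` removes the need to remember the quoting yourself, and `%d` in the `sprintf` format is a second guard on the id even if `intval()` were forgotten.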

3
Peekay
Re: Is the Yogurt module safe to use?
  • 2010/9/19 21:48

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Many thx Trabis. I'll work through the code in each file now I know what to look for.
A thread is for life. Not just for Christmas.

4
jimmyx
Re: Is the Yogurt module safe to use?
  • 2010/9/20 4:29

  • jimmyx

  • Quite a regular

  • Posts: 338

  • Since: 2007/7/18


Peekay, if you don't mind, can you share the module after you have fixed it?

thank you
