Hi,

does anybody know serious this is? I was a little bit irritated that they say XOOPS 2.5.3 is not vulnerable but XOOPS 2.5.3a.

Are the problems described there solved in 2.5.4?

Thank in advance & kind regards
markesh / karim

There is no 2.5.3a

The bug was fixed on 2.5.2, I think they mean 2.5.1.

It was related with the preview box that was not using tokens.

I still have a number of sites running 2.5.1. I don't remember seeing a bulletin on XO about a security vulnerability?.

You can't just release a new version and hope users will upgrade. Getting a version installed where modules all work is a challenge enough as it is, so you can never expect users to automatically upgrade just for the hell of it.

Xoops attitude to security issues has always been 'just upgrade'. But when you do, the upgrade has numerous other changes in it that break your site.

If a security issue is discovered in a version of Xoops, you should make it a headline news story on XO so that users are aware of it and release a patch. Just one file. Just one line of code if necessary.

There's nothing to be ashamed of by saying 'oops... we've spotted a problem, here's how to fix it'. You could PM everyone if you wanted to keep it a secret.

I look forward to fixing my 2.5.1 sites (that's a hint).

Here is the revision, you may want to look for the differences and apply the patch yourself:
http://xoops.svn.sourceforge.net/viewvc/xoops?view=revision&revision=7349

The vulnerability was announced loudly in the xoops 2.5.2 release. I'm not sure if we have the resources to provide patches for all previous version of xoops.

May I know what is stopping you from upgrading 2.5.1 to 2.5.4 ? From 2.5.1 is pretty forward and very low risk. Is there any particular problem that you are waiting to be addressed?

Many thx Trabis.

I do periodically update Xoops, but on commercial sites I plan this for a weekend and set aside some time in case I need to troubleshoot any problems it might cause with older modules.

With security issues, I would much prefer a quick fix.

Having said this, Xoops has had very few issues in the time I have been using it and kudos to yourself and the rest of the core team for that. It's just that if users are happy with their version of Xoops (2.5.1 seems fine to me) they may not read read the release notes of the upgrade for some time. That's why I think it would be better if security issues were announced separately along with a code fix.

The main problem is the same, users don't need the announcements :(

If we could have this information displayed on the admin page it would be great.

I also agree that when a site is running well, there is no reason for upgrading.
I have upgraded my biggest site one week ago and it was still using 2.3.2b. I did it because I could not use my recent modules and because of the anti spam protection of the new protector module. I was not really worried with security issues. Many of them are solved just by using protector, the others that are not, usually require the hacker to be logged in and to force a user to click on a malicious link, etc. I was only hacked one time and that was because I used a poor ftp program that leaked my password.

Btw,
the main problem I detected was not the upgrade to 2.5.4, but the upgrade I did on php version. Moving to php 5.3 broke some of the modules (but was easy fixed by replacing '=& new' with '= new').

Thanks for your information and calming me down

I've sent an email to the securityfocus guys referring them to this thread. Unfortunately they didn't answer, but they changed their infos on the page mentioned above.

hth
markesh / karim