1
ManXP
Security Bug
  • 2003/12/9 16:58

  • ManXP

  • Quite a regular

  • Posts: 231

  • Since: 2003/8/14


As I posted in a message some time ago, XOOPS isn't a safe CMS. First of all, one of my friends (a hacker) just simply copied a few files from my XOOPS webpage and he got the SQL username and password. Yeah, it's so simple, because the password is just plain text in a PHP file. And one creator of XOOPS told me that it's impossible to get access to the database. But this friend (a hacker, as I said) told me that it's very simple to hack any XOOPS website. He spent some time with my SQL password from the PHP file and he hacked the whole website. Now he knows the admin password, he can manage everything, and he did it already. For example, he changed my XOOPS banners already, and it's just the beginning. He gave me a little tip on how to fix it: it's very important to fix ALL global vars. That's it, no more info he told me. So please fix it, because it's very simple to hack ANY of your XOOPS websites.

P.S. Sorry for writing in this forum, I didn't see https://xoops.org/modules/newbb/viewforum.php?forum=21 first.

2
Mithrandir
Re: Security Bug

"copied a few files from your website"
which files?
how?
I mean, if I get a hold of your mainfile.php, I can hack your database, too...

What do you mean, he knows admin password? You mean that he changed it to something only he knows?

He doesn't sound like a very good friend. And he surely ain't helping us much just by talking about global vars.

I'm sure the core devs would be very interested in hearing from him regarding the vulnerability he has found and work on closing it.

3
Draven
Re: Security Bug
  • 2003/12/9 18:35

  • Draven

  • Module Developer

  • Posts: 337

  • Since: 2003/5/28


Unless YOU stored the password in a file in plain text you CANNOT get the password out of a PHP file. PHP files are parsed by the server BEFORE being sent to any client. You cannot get an unparsed PHP file off a server unless you are FTP'ing, Telnetting or SSH'ing into the system.

What file is it that your "friend" claims to have gotten the password from?

4
studioC
Re: Security Bug
  • 2003/12/9 18:49

  • studioC

  • Friend of XOOPS

  • Posts: 922

  • Since: 2003/12/7


If you gave access for everybody to the root of your webserver [???], what's your domain?


5
ManXP
Re: Security Bug
  • 2003/12/9 18:49

  • ManXP

  • Quite a regular

  • Posts: 231

  • Since: 2003/8/14


I don't know from which file he got the password, but it's a fact that he got it. And yes, he can change everything now on my site. Because he is my friend, he didn't hack my site totally, he just changed a few things here (he wanted to show that it's really simple to hack this CMS and that he knows all the passwords). I am able to log in to my web as admin and fix all his changes, because he isn't a "black hat" and he didn't take ownership of my website.

P.S. He said that it's only necessary to "make SQL injection" to hack everything.

6
Herko
Re: Security Bug
  • 2003/12/9 18:51

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Let's see. This 'HAX0R' friend of yours got the password, changed the banners AND told you something about setting the VARS, right?

What a coincidence! Your HAX0R friend can read these security reports! http://www.security-corporation.com/advisories-022.html

If you check (or if your HAX0R friend would have), you can see that this has all been fixed in the 2.0.5.1 patch. Not by using the suggested patches everywhere, but by doing it the best way, by those who know XOOPS best. So, update your site to the latest (recommended) version, and you're all right.

Next time, don't go creating a 'panic' when there's no reason to.

Herko

7
ManXP
Re: Security Bug
  • 2003/12/9 19:37

  • ManXP

  • Quite a regular

  • Posts: 231

  • Since: 2003/8/14


Thanks Herko! I'll update it now. No more panic.

8
YourHelp
Re: Security Bug
  • 2003/12/10 0:20

  • YourHelp

  • Friend of XOOPS

  • Posts: 479

  • Since: 2003/6/9 6


Just make sure your mainfile.php is set to read only, like it tells you when you do the install of XOOPS for the first time. You should be ok. If there is a major flaw, be sure to let us all know.

YH

9
onokazu
Re: Security Bug
  • 2004/1/25 7:14

  • onokazu

  • XOOPS Founder

  • Posts: 617

  • Since: 2001/12/13


The password being readable by anyone on the same server isn't really a problem of XOOPS, but an insecure configuration of PHP on your server. Most web apps hold DB passwords as plain text within a PHP file. To prevent others from reading the PHP file and getting the password, you should ask your server admin to run PHP in safe_mode, or use PHP SUEXEC. XOOPS runs fine under safe mode.

10
tamerlo
Re: Security Bug
  • 2004/2/2 8:40

  • tamerlo

  • Just popping in

  • Posts: 71

  • Since: 2004/1/30


I installed XOOPS 3 days ago and noted that with the standard permissions on a Linux box mainfile.php is readable by any user. This seems a real problem, and if you don't change this permission you can have this problem; to me it seems the only problem.
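A check for the situation onokazu and tamerlo describe above (mainfile.php, which holds the DB credentials in plain text, readable by every local account), added here as an example and not code from the thread or from XOOPS; the function names and the sample path are this example's own, and it assumes a Linux/Unix host with POSIX ls, cut and chmod:

```shell
#!/bin/sh
# Added example (not from the XOOPS thread): audit who can read mainfile.php
# and strip the "other" permission bits if any local account can read it.
# Uses only POSIX ls/cut/chmod, so it does not depend on GNU or BSD stat.

# Symbolic mode string of the given path, e.g. "-rw-r--r--".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# True (exit 0) when the "other" read bit is set: any local account can read it.
world_readable() {
    [ "$(mode_string "$1" | cut -c8)" = "r" ]
}

# True (exit 0) when the group read bit is set.
group_readable() {
    [ "$(mode_string "$1" | cut -c5)" = "r" ]
}

# Print one word describing exposure: exposed / group / private.
classify_mainfile() {
    if world_readable "$1"; then
        echo exposed
    elif group_readable "$1"; then
        echo group
    else
        echo private
    fi
}

# Remove all "other" permissions and print the resulting classification.
# Assumes the PHP process runs as the file's owner (e.g. under suexec) or as a
# member of its group; otherwise PHP can no longer include the file.
harden_mainfile() {
    chmod o-rwx "$1" && classify_mainfile "$1"
}

# Usage: sh audit_mainfile.sh /var/www/html/mainfile.php  (path is a placeholder)
if [ -n "$1" ] && [ -f "$1" ]; then
    echo "$1: $(classify_mainfile "$1")"
fi
```

With the default 644 mode tamerlo mentions the script reports "exposed"; after `harden_mainfile` the file is 640 and reports "group".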
