xoops forums

A-dog

Just popping in
Posted on: 2003/12/10 23:18
Posts: 19
Since: 2002/1/25
#1

Security Focus shows Xoops flaws - is 1.3.10 safe?

I noticed at the website http://www.securityfocus.com
if you do a search for XOOPS it returns many of the fixes
we've seen lately... well, I've not been around here much lately, but I was wondering if any of the devs can tell me if 1.3.10 is safe from cross-scripting attacks as found in recent times? I know that version contained many fixes of the sort, but what about recent discoveries? I've had my front page replaced recently by hackers, but they're cooperating with help... as any good hacker would. Thank God.

LMK!
A-Dog

Draven

Module Developer
Posted on: 2003/12/10 23:26
Posts: 337
Since: 2003/5/28
#2

Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

Please review the documents on that site before jumping to conclusions and scaring the community.

Quote:
not vulnerable XOOPS Xoops 2.0.5 .1

http://www.securityfocus.com/bid/9166

UPGRADE!!!

Mithrandir

XOOPS is my life!
Posted on: 2003/12/10 23:54
Posts: 6320
Since: 2003/6/21
#3

Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

Is it possible to get a bit more information as to what exactly the vulnerability was (since it is fixed and a patch has been out for a while, this shouldn't be too dangerous), so we can avoid opening up for the same vulnerabilities in our modules?

mvandam

Quite a regular
Posted on: 2003/12/11 0:57
Posts: 253
Since: 2003/2/7
#4

Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

I'll just make a quick comment here as there is tons of info on the net about it, and another thread recently touched on some of this:

https://xoops.org/modules/newbb/viewto ... hp?topic_id=14580&forum=4

In general, the vulnerabilities posted about web scripts include problems like SQL injection vulnerabilities, or 'cross-site scripting' (XSS) vulnerabilities.

The simple solution to SQL injection is make sure you NEVER use $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS in your queries. These variables are classified as UNTRUSTED data because they are coming from an outside source. ALWAYS wrap untrusted data inside $xoopsDB->quoteString() to make it safe to use inside queries.

The simple solution to XSS vulnerabilities is to always pass untrusted data through the function htmlspecialchars before displaying it on the page. This will prevent any malicious HTML or JavaScript from affecting other users.

I'm sure I'm oversimplifying a lot and I am by no means an expert in this area, but these two steps account for the vast majority of problems. You might want to read up a little on these kinds of attacks in general... i.e. how they are done, why they are dangerous, and how to prevent them.

Hope this helps
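The two habits from the post above, shown side by side in an added example (not XOOPS core code): a hypothetical module looks a user up by name and then shows the name back on the page. It assumes a stand-in quoteString() that mimics $xoopsDB->quoteString() so it runs without XOOPS loaded.

```php
<?php
// Added example, not part of XOOPS: the two rules from the post above
// applied to a hypothetical user lookup.

// Stand-in for $xoopsDB->quoteString() so this runs without XOOPS loaded.
// Assumption: the XOOPS version escapes with addslashes() and wraps the
// result in single quotes; this mimics that behaviour.
function quoteString($str)
{
    return "'" . addslashes($str) . "'";
}

// UNSAFE: the untrusted value is glued straight into the query text, so a
// quote character in the input changes the structure of the SQL.
function buildLookupUnsafe($uname)
{
    return "SELECT uid, uname FROM xoops_users WHERE uname = '" . $uname . "'";
}

// SAFE: the untrusted value is escaped and quoted before it joins the query,
// so the database always sees it as one string literal.
function buildLookupSafe($uname)
{
    return "SELECT uid, uname FROM xoops_users WHERE uname = " . quoteString($uname);
}

// SAFE output: escape before the value goes back into HTML, so any tags or
// script in it are rendered as text rather than interpreted by the browser.
function renderName($uname)
{
    return '<b>' . htmlspecialchars($uname, ENT_QUOTES) . '</b>';
}

// Constructed input: a name containing characters that matter to both SQL
// and HTML. Old code read $HTTP_GET_VARS['uname']; newer PHP uses $_GET.
$untrusted = "O'Brien <b>";

echo "unsafe query: ", buildLookupUnsafe($untrusted), "\n";
echo "safe query:   ", buildLookupSafe($untrusted), "\n";
echo "safe html:    ", renderName($untrusted), "\n";
```

Compare the two query lines: in the unsafe one the apostrophe closes the literal early, in the safe one it is escaped and the literal stays intact.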

A-dog

Just popping in
Posted on: 2003/12/12 2:18
Posts: 19
Since: 2002/1/25
#5

Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

I realize there is a fix for the latest version.. but I'm not upgrading to RC2.0 because I'm using a very modified custom theme with 1.3.10

http://www.secunia.com/advisories/8672/

This site warns of an old bug, but my question was, is 1.3.10 still affected, and if so, was it fixed in the 4/26 update? If not, can't the devs provide an upgrade for 1.3.10, since many people still don't use RC2.0 and beyond due to the new theme system?

I've got a hacker telling me that he is doing something to cause a buffer overflow and it's letting him into my server.
I think it has something to do with a form being insecure in some way. Help appreciated.

YourHelp

Friend of XOOPS
Posted on: 2003/12/12 2:22
Posts: 479
Since: 2003/6/9
#6

Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

Download the latest version of XOOPS.

Stewdio

Community Support Member
Posted on: 2003/12/12 2:36
Posts: 1560
Since: 2003/5/7
#7

Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

Quote:
A-dog wrote:
I realize there is a fix for the latest version.. but I'm not upgrading to RC2.0 because I'm using a very modified custom theme with 1.3.10
To answer your question, if you are still using an older version, then yes, it is still affected until you apply a fix. This is the reason for fixes and upgrades.

I'm sorry you don't feel that you can upgrade because of your unique situation with your current version; however, it is a choice that you have made and a responsibility only you can control. Not only is your site at risk, your host is at risk as well. Although your friend is a great help in pointing this out to you, other more dubious characters will exploit this vulnerability.

As a courtesy, I should also mention that if your host provider finds that you are running scripts that are a potential threat to their own internal server security, they may approach you on this matter and ask that you do something about it, or worse, temporarily close your account until the problem has been rectified.

Don't get me wrong, I'm not harping at you, just pointing out other things that need to be taken into consideration. I empathise with your situation in wishing for an upgrade script to make the changes you need. Hopefully you will be able to find a resolution to your particular set of circumstances.

Cheers

Mithrandir

XOOPS is my life!
Posted on: 2003/12/12 13:55
Posts: 6320
Since: 2003/6/21
#8

Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

Unfortunately for you, 1.3.10 is more or less comparable to Windows 98: it is there, but the support is for XOOPS 2.