1
A-dog
Security Focus shows Xoops flaws - is 1.3.10 safe?
  • 2003/12/10 23:18

  • A-dog

  • Just popping in

  • Posts: 19

  • Since: 2002/1/25


I noticed at the website http://www.securityfocus.com if you do a search for XOOPS it returns many of the fixes we've seen lately.. well I've not been around here much lately but I was wondering if any of the devs can tell me if 1.3.10 is safe from cross-scripting attacks as found in recent times? I know that version contained many fixes of the sort but what about recent discoveries? I've had my front page replaced recently by hackers but they're cooperating with help..as any good hacker would. Thank God.

LMK!
A-Dog

2
Draven
Re: Security Focus shows Xoops flaws - is 1.3.10 safe?
  • 2003/12/10 23:26

  • Draven

  • Module Developer

  • Posts: 337

  • Since: 2003/5/28


Please review the documents on that site before jumping to conclusions and scaring the community.

Quote:
not vulnerable XOOPS Xoops 2.0.5 .1

http://www.securityfocus.com/bid/9166

UPGRADE!!!

3
Mithrandir
Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

Is it possible to get a bit more information as to what exactly was the vulnerability (since it is fixed and the patch has been out for a while, this shouldn't be too dangerous) so we can avoid opening up for the same vulnerabilities in our modules?

4
mvandam
Re: Security Focus shows Xoops flaws - is 1.3.10 safe?
  • 2003/12/11 0:57

  • mvandam

  • Quite a regular

  • Posts: 253

  • Since: 2003/2/7 2


I'll just make a quick comment here as there is tons of info on the net about it, and another thread recently touched on some of this:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=14580&forum=4

In general, the vulnerabilities posted about web scripts include problems like SQL injection vulnerabilities, or 'cross-site scripting' (XSS) vulnerabilities.

The simple solution to SQL injection is make sure you NEVER use $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS in your queries. These variables are classified as UNTRUSTED data because they are coming from an outside source. ALWAYS wrap untrusted data inside $xoopsDB->quoteString() to make it safe to use inside queries.

The simple solution to XSS vulnerabilities is to always pass untrusted data through the function htmlspecialchars before displaying it on the page. This will prevent any malicious HTML or javascript from affecting other users.

I'm sure I'm oversimplifying a lot and I am by no means an expert in this area, but these two steps account for the vast majority of problems. You might want to read up a little on these kinds of attacks in general... i.e. how they are done, why they are dangerous, and how to prevent them.

Hope this helps
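
As an added illustration of the two rules in the post above (example code, not XOOPS code and not mvandam's), here is a PHP snippet that builds a lookup query from an untrusted $HTTP_GET_VARS value the unsafe way and the wrapped way, and escapes the same value with htmlspecialchars() before display. quote_string() is an assumed stand-in for $xoopsDB->quoteString(), and the table name is made up.

```php
<?php
// Added example, not XOOPS code. quote_string() is an assumed stand-in for
// $xoopsDB->quoteString(): it escapes the value and wraps it in single quotes.
// Real module code would call the XOOPS method; the table name is made up.
function quote_string($value)
{
    return "'" . addslashes((string) $value) . "'";
}

// Vulnerable: the untrusted value is spliced straight into the SQL text,
// so a quote character in it ends the literal and the rest becomes SQL.
function build_lookup_unsafe($untrusted)
{
    return "SELECT uid, uname FROM users WHERE uname = '" . $untrusted . "'";
}

// Hardened: the untrusted value is wrapped before it touches the query,
// so quotes inside it stay inside the literal.
function build_lookup_safe($untrusted)
{
    return "SELECT uid, uname FROM users WHERE uname = " . quote_string($untrusted);
}

// Hardened output: htmlspecialchars() turns <, >, &, ' and " into entities,
// so a stored or reflected value is shown as text instead of parsed as HTML.
function render_uname($untrusted)
{
    return '<b>' . htmlspecialchars($untrusted, ENT_QUOTES) . '</b>';
}

// Constructed sample inputs standing in for $HTTP_GET_VARS['uname'].
$samples = array("a-dog", "x' OR 'a'='a", "<script>alert(1)</script>");
foreach ($samples as $input) {
    echo "unsafe: ", build_lookup_unsafe($input), "\n";
    echo "safe:   ", build_lookup_safe($input), "\n";
    echo "html:   ", render_uname($input), "\n\n";
}
```

addslashes() is not a charset-aware escape and only mirrors the behaviour the post describes; in current PHP the query would be written with prepared statements instead of string escaping.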

5
A-dog
Re: Security Focus shows Xoops flaws - is 1.3.10 safe?
  • 2003/12/12 2:18

  • A-dog

  • Just popping in

  • Posts: 19

  • Since: 2002/1/25


I realize there is a fix for the latest version.. but I'm not upgrading to RC2.0 because I'm using a very modified custom theme with 1.3.10

http://www.secunia.com/advisories/8672/

this site warns of an old bug, but my question was, is 1.3.10 still affected, and if so, was it fixed in the 4/26 update? If not, can't devs provide an upgrade for this 1.3.10 since many people still don't use RC2.0 and beyond due to the new theme system..?

I've got a hacker telling me that he is doing something to cause a Buffer Overflow and it's letting him into my server.
I think it has something to do with a form being insecure in some way. Help appreciated.

6
YourHelp
Re: Security Focus shows Xoops flaws - is 1.3.10 safe?
  • 2003/12/12 2:22

  • YourHelp

  • Friend of XOOPS

  • Posts: 479

  • Since: 2003/6/9 6


download the latest version of xoops

7
Stewdio
Re: Security Focus shows Xoops flaws - is 1.3.10 safe?
  • 2003/12/12 2:36

  • Stewdio

  • Community Support Member

  • Posts: 1560

  • Since: 2003/5/7 1


Quote:
A-dog wrote:
I realize there is a fix for the latest version.. but I'm not upgrading to RC2.0 because I'm using a very modified custom theme with 1.3.10

To answer your question, if you are still using an older version, then yes it is still affected until you apply a fix. This is the reason for fixes and upgrades.

I'm sorry you don't feel that you can upgrade because of your unique situation with your current version, however it is a choice that you have made and a responsibility only you can control. Not only is your site at risk, your host is at risk as well. Although your friend is a great help in pointing this out to you, other more dubious characters will exploit this vulnerability.

As a courtesy, I should also mention that if your host provider finds that you are running scripts that are a potential threat to their own internal server security, they may approach you on this matter and ask that you do something about it, or worse, temporarily close your account until the problem has been rectified.

Don't get me wrong, I'm not harping at you, just pointing out other things that need to be taken into consideration. I empathise with your situation in wishing for an upgrade script to make the changes you need. Hopefully you will be able to find a resolution to your particular set of circumstances.

Cheers

8
Mithrandir
Re: Security Focus shows Xoops flaws - is 1.3.10 safe?

Unfortunately for you, 1.3.10 is more or less comparable to Windows 98 - it is there, but the support is for XOOPS 2.
