Re: Weblinks module security problem. Patch available ? [XOOPS.org Members Lounge]

1

Weblinks module security problem. Patch available ?

2003/12/22 12:45
Test0r
Just popping in
Posts: 2
Since: 2003/12/22

Xoops team didn't release a patch for this security problem ?
http://www.security-corporation.com/articles-20031222-000.html

Note that Xoops.org portal seems to be vulnerable to this vulnerability

2

Re: Weblinks module security problem. Patch available ?

2003/12/22 14:04
skalpa
Quite a regular
Posts: 300
Since: 2003/4/16

If you look at the article you'll see that it's been published today and I'm just waking up: that's the reason why a patch hasn't been released yet...

Also, this site is not vulnerable to this problem. The sample in the security advisory is just informative. Entering an url manually like this would just allow you to hijack your own account, so you can make people believe you are yourself (pretty deep sentence, isn't it

)

This is considered a security problem, as people are allowed to add links to the mylinks section.
However, here:
- The auto-approve option is set to off. So any such link would be deleted by an admin before it is published
- We don't use the frame feature either

So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee, I'll be working on it after

Skalpa.>

3

Re: Weblinks module security problem. Patch available ?

2003/12/22 14:19
lykoszine
Module Developer
Posts: 244
Since: 2002/1/2 2

Skalpa

Why not just spend less time pretending to be you, and instead put more effort into trying to be yourself, and totally forget about making people believe you are you (whether you really are or not). That way, people (whether they are themselves or somebody else) can believe that you are who they think you are, or who you think you are, without worrying if you are really you or not.

Just some random skitzoid wafflings...

4

Re: Weblinks module security problem. Patch available ?

2003/12/22 15:28
svaha
Just can't stay away
Posts: 896
Since: 2003/8/2 2

Now I also need a coffee badly, because my think processes went into an infinite loop.
As soon as I have expanded my quotes-record to contain more text, I will ad this one to my quotes (if you don't object of course), just to scare people of from registering to my site

Aloha

5

Re: Weblinks module security problem. Patch available ?

2003/12/22 15:36
Mikhail
Just can't stay away
Posts: 412
Since: 2003/1/19

Quote:

skalpa wrote:
If you look at the article you'll see that it's been published today and I'm just waking up: that's the reason why a patch hasn't been released yet...

Also, this site is not vulnerable to this problem. The sample in the security advisory is just informative. Entering an url manually like this would just allow you to hijack your own account, so you can make people believe you are yourself (pretty deep sentence, isn't it )

This is considered a security problem, as people are allowed to add links to the mylinks section.
However, here:
- The auto-approve option is set to off. So any such link would be deleted by an admin before it is published
- We don't use the frame feature either

So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee, I'll be working on it after

Skalpa.>

Thanks a lot!!!!!!!!!!!!!!!!!!

Mikhail Miguel
-> SF
-> Blogger
-> Orkut

6

Re: Weblinks module security problem. Patch available ?

2003/12/22 16:03
lykoszine
Module Developer
Posts: 244
Since: 2002/1/2 2

Svaha

Just make them read it before filling in the registration form. I guarantee you will have no new members...

[If you do I would cancel their registration quick, as they will probably be mad...

]

7

Re: Weblinks module security problem. Patch available ?

2003/12/23 10:17
Test0r
Just popping in
Posts: 2
Since: 2003/12/22

Quote:

Also, this site is not vulnerable to this problem

" rel="noopener external" title="">https://xoops.org/modules/mylinks/myheader.php?url="> Are you sure ?

Quote:

So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee, I'll be working on it after

All right i've removed the module and waiting for a patch...

Many thanks

8

Re: Weblinks module security problem. Patch available ?

2003/12/23 12:08
skalpa
Quite a regular
Posts: 300
Since: 2003/4/16

Quote:

All right i've removed the module and waiting for a patch...

It's already done...
Read this post.

Skalpa.>

9

Re: Weblinks module security problem. Patch available ?

2003/12/23 13:04
Herko
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1

Quote:

" rel="noopener external" title="">https://xoops.org/modules/mylinks/myheader.php?url="> Are you sure ?

This has been fixed on this site now.

Herko

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Re: Weblinks module security problem. Patch available ?

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}