1
Test0r
Weblinks module security problem. Patch available ?
  • 2003/12/22 12:45

  • Test0r

  • Just popping in

  • Posts: 2

  • Since: 2003/12/22


The Xoops team didn't release a patch for this security problem?
http://www.security-corporation.com/articles-20031222-000.html

Note that the Xoops.org portal seems to be vulnerable to this vulnerability.

2
skalpa
Re: Weblinks module security problem. Patch available ?
  • 2003/12/22 14:04

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


If you look at the article you'll see that it's been published today and I'm just waking up: that's the reason why a patch hasn't been released yet...

Also, this site is not vulnerable to this problem. The sample in the security advisory is just informative. Entering a URL manually like this would just allow you to hijack your own account, so you can make people believe you are yourself (pretty deep sentence, isn't it?)

This is considered a security problem, as people are allowed to add links to the mylinks section.
However, here:
- The auto-approve option is set to off, so any such link would be deleted by an admin before it is published
- We don't use the frame feature either

So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee; I'll be working on it after.

Skalpa.>

3
lykoszine
Re: Weblinks module security problem. Patch available ?
  • 2003/12/22 14:19

  • lykoszine

  • Module Developer

  • Posts: 244

  • Since: 2002/1/2 2


Skalpa

Why not just spend less time pretending to be you, and instead put more effort into trying to be yourself, and totally forget about making people believe you are you (whether you really are or not). That way, people (whether they are themselves or somebody else) can believe that you are who they think you are, or who you think you are, without worrying if you are really you or not.

Just some random skitzoid wafflings...

4
svaha
Re: Weblinks module security problem. Patch available ?
  • 2003/12/22 15:28

  • svaha

  • Just can't stay away

  • Posts: 896

  • Since: 2003/8/2 2


Now I also need a coffee badly, because my thought processes went into an infinite loop.
As soon as I have expanded my quotes-record to contain more text, I will add this one to my quotes (if you don't object of course), just to scare people off from registering on my site.

Aloha

5
Mikhail
Re: Weblinks module security problem. Patch available ?
  • 2003/12/22 15:36

  • Mikhail

  • Just can't stay away

  • Posts: 412

  • Since: 2003/1/19


Quote:

skalpa wrote:
If you look at the article you'll see that it's been published today and I'm just waking up: that's the reason why a patch hasn't been released yet...

Also, this site is not vulnerable to this problem. The sample in the security advisory is just informative. Entering a URL manually like this would just allow you to hijack your own account, so you can make people believe you are yourself (pretty deep sentence, isn't it?)

This is considered a security problem, as people are allowed to add links to the mylinks section.
However, here:
- The auto-approve option is set to off, so any such link would be deleted by an admin before it is published
- We don't use the frame feature either

So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee; I'll be working on it after.

Skalpa.>



Thanks a lot!!!!!!!!!!!!!!!!!!

6
lykoszine
Re: Weblinks module security problem. Patch available ?
  • 2003/12/22 16:03

  • lykoszine

  • Module Developer

  • Posts: 244

  • Since: 2002/1/2 2


Svaha

Just make them read it before filling in the registration form. I guarantee you will have no new members...

[If you do, I would cancel their registration quick, as they will probably be mad...]

7
Test0r
Re: Weblinks module security problem. Patch available ?
  • 2003/12/23 10:17

  • Test0r

  • Just popping in

  • Posts: 2

  • Since: 2003/12/22


Quote:
Also, this site is not vulnerable to this problem


https://xoops.org/modules/mylinks/myheader.php?url="><script>alert(document.cookie)</script>

Are you sure?

Quote:
So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee; I'll be working on it after.


All right, I've removed the module and am waiting for a patch...

Many thanks
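
Added example (not part of the thread and not XOOPS code): the string posted above starts with `">`, which only has an effect when a request parameter is written unescaped into an HTML attribute. The sketch below assumes a hypothetical header script that places `url` in an `href`; the function names are illustrative, and it shows the unescaped pattern beside a validated and encoded one.

```php
<?php
// Added illustration, not XOOPS code. Assumes a header script that writes the
// "url" query parameter into an HTML attribute (hypothetical layout).

// Accept only absolute http(s) URLs that contain no markup characters.
function safe_link_url(string $raw): ?string
{
    $raw = trim($raw);
    // Reject control chars and anything that can close an attribute or open a tag.
    if ($raw === '' || preg_match('/[\x00-\x1F\x7F"\'<>\s]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

// Vulnerable pattern: the value is concatenated into the attribute as-is.
function render_unsafe(string $url): string
{
    return '<a target="_top" href="' . $url . '">Close frame</a>';
}

// Hardened: validate first, then encode for the attribute context.
function render_safe(string $url): string
{
    $ok = safe_link_url($url);
    if ($ok === null) {
        return '<!-- link rejected -->';
    }
    return '<a target="_top" href="' . htmlspecialchars($ok, ENT_QUOTES, 'UTF-8') . '">Close frame</a>';
}

// Constructed inputs: the string from the post above and an ordinary link.
$samples = [
    '"><script>alert(document.cookie)</script>',
    'https://example.org/page?a=1&b=2',
];
foreach ($samples as $s) {
    echo "input:  $s\n";
    echo "unsafe: " . render_unsafe($s) . "\n";
    echo "safe:   " . render_safe($s) . "\n\n";
}
```

Validation and encoding do different jobs here: the scheme check keeps `javascript:` style values out of the link, while `htmlspecialchars` with `ENT_QUOTES` keeps an accepted URL (including its `&`) from altering the surrounding markup.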

8
skalpa
Re: Weblinks module security problem. Patch available ?
  • 2003/12/23 12:08

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


Quote:
All right, I've removed the module and am waiting for a patch...


It's already done...
Read this post.

Skalpa.>

9
Herko
Re: Weblinks module security problem. Patch available ?
  • 2003/12/23 13:04

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Quote:

This has been fixed on this site now.

Herko
