1
Kent
Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 3:38

  • Kent

  • Just popping in

  • Posts: 15

  • Since: 2002/4/19


This is a heads up for anyone who has "lastposts" module installed on their XOOPS system. There is a major security flaw that allows people to post raw html to the rendered page displaying anything they want. I'm going to pick this module appart to see what I can do to fix it, but if someone else would like to help I'm not a very good PHP developer and would love any help I can get. If I can, I would like to change the module so it's ready for Xoops2.0.6 complete with templates.

You've been informed... hopefully none of the web sites are hacked with this module installed.


2
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 11:00

  • Anonymous

  • Posts: 0

  • Since:


Orgin and myself pulled together a quick patch which fixes this ( we think! ).

The problem seems to be the topic itself is not safed so HTML can be put in there and all sorts.

It looks like the author of the moduled intended to safe it, but didn't get around it.

In the index.php for the module you will need to drop these lines in:

$topic_title = $myts->makeTboxData4Show($arr["topic_title"]);
echo "&nbsp;&nbsp;<a href='".XOOPS_URL."/modules/newbb/viewtopic.php?topic_id=" . $arr["topic_id"] . "&forum=" . $arr["forum_id"] . "'>".$topic_title."</a>";

To replace

echo "&nbsp;&nbsp;<a href='".XOOPS_URL."/modules/newbb/viewtopic.php?topic_id=" . $arr["topic_id"] . "&forum=" . $arr["forum_id"] . "'>".$arr["topic_title"]."</a>";

Regards

DaveP of AmigaWorld.net

3
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 11:58

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


Dave,

Thanks for the help, but you must be running a different version than we have. The text above is not in the version we have at all. As a matter of fact, the text you suggest already is in there (verbatim) so I would presume that you might want to do a little testing. Sounds like yours is still hackable.

Wayne

4
Society
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:01

  • Society

  • Not too shy to talk

  • Posts: 178

  • Since: 2002/1/10


hey i was an amiga user, too.:)
you know? smsengineers mui :) it was my proggy.... coded in blitzbasic :)


5
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:02

  • Anonymous

  • Posts: 0

  • Since:


Wayne

No problem. This patches our version for the exploit that Kent describes, the former is the patching text and the latter is the text that needs patching.

If you guys can put some test cases up there we can see what might still be exposed, I hear rumours of being able to inject and inspect the database, but haven't been able to reproduce that at all on our XOOPS.

Regards

Dave.

6
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:11

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


The version we started with was; "Modified 07.10.2002" (The CVS info says version 1.1) and doesn't include the "former text". It does already include your proposed fix, so I'm presuming that you guys are running a different version than we are. In any event, the fact that your proposed fix is identical to what we're already running means that there's still a very big problem on your site.

I don't think anyone here wants us to publicly post how their site can be easily destroyed (if they're running the lastposts module), so I'm sure if you ask Kent privately, he'll be glad to describe it.

Hopefully you're not affected, in which case I'd ask that you consider mailing me a copy of that module (which seems to be abandoned by the author).

Wayne

7
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:16

  • Anonymous

  • Posts: 0

  • Since:


Wayne

We have the same module. Although that could be someone not putting up change history!

The former text is the patch, the latter text is what is already there in the module.

Dave.

8
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:19

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


Dave,

Sorry about that. I misread your original post as saying the "former" (first) text was that which had to be replaced with the latter. That's what I get for waking up at 5:30 am on a Friday morning.

Let us test and I'll get back to you.

9
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:26

  • Anonymous

  • Posts: 0

  • Since:


Wayne

Absolutely no problem whatsoever. Ive got flu so I probably didn't explain myself too well

Dave.

10
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 13:58

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


Dave

1) Hope you get to feeling better
2) The hack seems to have cleared up the immediate issue, though was more difficult for me running both X1 and X2 (on our dev site). Thanks.

Everyone else: Evaluate and apply the patch above to the index.php for your lastposts module as quickly as possible. Using the unmodified module, it is possible to do really nasty things to both your site and the machines of your visitors. I know that *I* am amazed that no one else caught this major security hole in two years.

Kent and I will be working on taking over the Lastposts module for XOOPS 2.x, unless we hear of someone else doing it first. The programming for XOOPS 2.x is much more convoluted and hard to follow, so it may take a while for us to get our bearings between Family, work, and school (all of which take precedence).

Login

Who's Online

140 user(s) are online (111 user(s) are browsing Support Forums)


Members: 0


Guests: 140


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits