11
jcweb
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 22:04

  • jcweb

  • Quite a regular

  • Posts: 253

  • Since: 2005/4/25


Are you using weblinks or mylinks?

jcweb

12
irmtfan
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 4:38

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


I can't find this file in the weblinks or mylinks module.
mylinks does not have a "class" category, and weblinks 1.13 does not have table_broken.php or weblinks_table_broken.php?
IMHO this report on a mailing list is not important to consider.

13
MadFish
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 5:22

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


I couldn't find it either.

14
jcweb
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 6:42

  • jcweb

  • Quite a regular

  • Posts: 253

  • Since: 2005/4/25


Look here, from the xoops_version.php of mylinks:

<?php
// xoops_version.php of the mylinks module (module metadata only)
$modversion['name'] = _MI_MYLINKS_NAME;
$modversion['version'] = 1.10;
$modversion['description'] = _MI_MYLINKS_DESC;
$modversion['credits'] = "Kazumi Ono<br />( http://www.mywebaddons.com/ )<br />The XOOPS Project";
$modversion['help'] = "mylinks.html";
$modversion['license'] = "GPL see LICENSE";
$modversion['official'] = 1;
$modversion['image'] = "images/mylinks_slogo.png";
$modversion['dirname'] = "mylinks";


So what's up, is it a security hole or not?
jcweb

15
davidl2
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 7:56

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


The module referred to is WEBLINKS.

16
wizanda
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/7 8:35

  • wizanda

  • Home away from home

  • Posts: 1585

  • Since: 2004/3/21


OK, then yesterday I was going to post: please don't post on this thread, as I don't like seeing things like it that make XOOPS look worse....
Yet the point remains that old web-sites contain information like this also; I have found stuff like it using Google Search also...
So the point is, all of these sites that do that, are they getting feedback from us to inform them that XOOPS doesn't have the problem?
We need to make a private forum for members only to make sure things like it across the web are reported.... yet then not shown to search engines.
As I found this same sort of report months ago, noticed and checked that XOOPS had dealt with it, yet on sending an email.... I wasn't sure about posting on here publicly to tell everyone, so search engines didn't see more errors like this.....


(Jcweb) The point in the question, if that is the part that is a security risk: nope, that is where XOOPS tells itself about itself…
The point they are making in the error is that if the form that submits data doesn't use the text sanitizer on submit, then people can access MySQL. And for that you would also need the access password to input anything across tables in MySQL.

17
ohwada
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/4 13:46

  • ohwada

  • Just popping in

  • Posts: 28

  • Since: 2003/11/15


I am the author of Weblinks.

I confirm that the pointed-out code has SQL injection.
But only the module administrator can use this code.
I don't assume that the module administrator attacks their own managed server.

Also, this code was corrected in V1.20 or later.
Current stable is V1.31.
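The two posts above describe the bug class without showing it: an admin-side handler that pastes a request parameter into an SQL string (wizanda's "doesn't use the text sanitizer on submit"), which ohwada confirms and says was fixed in 1.20. The following is an added example written for this thread, not Weblinks or XOOPS code, showing the vulnerable shape beside the fix. It assumes a constructed table `demo_broken` standing in for a module's broken-link reports, an SQLite in-memory database in place of MySQL, and a hypothetical `id` parameter; nothing here is the real module's table or parameter name.

```python
"""Added example (not XOOPS or Weblinks code): the shape of SQL injection
in an admin-side "delete broken link report" handler, and the fix.

Assumptions, all constructed for this demo: a table `demo_broken` with
columns id, lid, reporter; three sample rows; SQLite in memory instead of
MySQL. No real XOOPS API or table name is used.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create the constructed 'broken link reports' table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE demo_broken (id INTEGER PRIMARY KEY, lid INTEGER, reporter TEXT)"
    )
    conn.executemany(
        "INSERT INTO demo_broken (id, lid, reporter) VALUES (?, ?, ?)",
        [(1, 10, "alice"), (2, 11, "bob"), (3, 12, "carol")],
    )
    conn.commit()
    return conn


def delete_report_vulnerable(conn: sqlite3.Connection, report_id: str) -> int:
    """The bug pattern: the request parameter is concatenated into the SQL.
    Returns the number of rows deleted."""
    # Same shape as PHP of the form
    #   "DELETE FROM demo_broken WHERE id=" . $_POST['id']
    sql = "DELETE FROM demo_broken WHERE id=" + report_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_report_fixed(conn: sqlite3.Connection, report_id: str) -> int:
    """The fix: coerce the id to an integer (the XOOPS idiom is intval())
    and bind it as a parameter instead of interpolating text."""
    try:
        rid = int(report_id)
    except ValueError:
        return 0  # anything that is not a plain integer is rejected
    cur = conn.execute("DELETE FROM demo_broken WHERE id=?", (rid,))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    """Rows left in the table after a delete."""
    return conn.execute("SELECT COUNT(*) FROM demo_broken").fetchone()[0]


# Constructed payload for the 'id' parameter: the OR makes the WHERE clause
# true for every row and the trailing comment discards whatever follows.
PAYLOAD = "1 OR 1=1 --"


def demo() -> dict:
    """Run the same payload through both handlers and report the outcome."""
    vuln = make_db()
    deleted_vuln = delete_report_vulnerable(vuln, PAYLOAD)
    fixed = make_db()
    deleted_fixed = delete_report_fixed(fixed, PAYLOAD)
    return {
        "vulnerable_deleted": deleted_vuln,
        "vulnerable_remaining": remaining(vuln),
        "fixed_deleted": deleted_fixed,
        "fixed_remaining": remaining(fixed),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable handler deletes all three rows while the fixed one deletes none; a legitimate id such as "2" still deletes exactly one row through the fixed path. Note that no separate database password is involved: the handler runs with the application's own MySQL credentials, so whoever can reach the handler with crafted input reaches the database. Ohwada's point that the code is admin-only does reduce exposure, though as a general caveat an admin-only endpoint that takes form input is still exercised by the administrator's own browser, so it deserves the same input handling as any public one.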

18
davidl2
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/4 13:47

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Thank you - we have a news item for 1.31, which I was waiting to hear from you about before releasing.

I can do this now.

19
giba
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/5 10:14

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


One question.

Does this release fix it?

Release of Weblinks 1.31

20
giba
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/3/5 10:17

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


I am reporting to the XOOPS core team here:

http://www.securityfocus.com/archive/1/459150

Xoops Multiple Unspecified SQL Injection Vulnerabilities

Bugtraq ID: 22399
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Feb 05 2007 12:00AM
Updated: Feb 05 2007 11:08PM
Credit: omid@hackers.ir has been credited with the discovery of these vulnerabilities.
Vulnerable: XOOPS Xoops 2.0.16 core

Attention please.

Waiting for the official core announcement, please.
