Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities [Xoops Bug Reports]

21

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/3/5 12:19
phppp
XOOPS Contributor
Posts: 2857
Since: 2004/1/25

As stated in the very first reply:

the reported "issue" is evaluated, by The XOOPS Core Development Team, as not a valid vulnerability.
In a short word, NOT A VALID REPORT

The statement won't be repeated again.

22

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/3/5 16:28
AndyM
Quite a regular
Posts: 296
Since: 2003/8/31

phppp, if no one has done so yet, it would be worth one of the devs to write to security focus to update the report. It would both allay people's fears and be good for XOOPS's, showing that you take these reports seriously, check them out and respond to them.

[size=x-small]Articles, AM Events and my other modules.
The Muggles Guide
PC From Scratch[/size]

23

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/3/5 16:45
giba
Just can't stay away
Posts: 638
Since: 2003/4/26

Very, very thanks AndyM.

This is my wish for all users and support XOOPS in world.

24

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/3/6 4:45
irmtfan
Module Developer
Posts: 3419
Since: 2003/12/7

this is a bit off topic sorry.
there is no official rules for using internet in iran no department for internet&computer crimes either ( as far as i know). so many people called themselves a "Security Team" or "Hackers" without enough backgrounds in internet or security then post some True and FAKE reports everywhere they can especially in reliable security sites (forums or mailing lists) to increase their ranks.

back to topic i totally agreed with you and already send an email to security focus about.

Ready for Romance
First Persian Harry Potter Site(English added) | Persian Support Site | Xoops Persian Project

25

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/3/6 6:55
phppp
XOOPS Contributor
Posts: 2857
Since: 2004/1/25

Agreed that we should respond to valid security report properly.

For this specific report, there is some story behind:
Before the "issues" were released to public, Mr Omid contacted the XOOPS Core Dev Team at very first time. The Core Team evaluated the issue very quickly and responded him immediately. Both Skalpa and me stated clearly in our emails to him that we don't think it a valid vulnerability, it might be taken care of in future a version of XOOPS but it is not necessary to make any "patch" or "change" objectively for it at this moment.
However, I don't know why the report still got spreaded although the XOOPS Core Team had made clear response to the original discoverer.

26

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/3/6 15:30
eric235u
Not too shy to talk
Posts: 149
Since: 2004/12/19

Hi. I would like to thank the XOOPS developers for participating in this forum thread and setting the record straight. One of my favorite aspects of free / open source software is the communication between users and developers in an open forum such as this. Many thanks.

http://www.newmag.org/

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}