xoops forums

Test0r

Just popping in
Posted on: 2003/12/22 12:45
Posts: 2
Since: 2003/12/22
#1

Weblinks module security problem. Patch available ?

The Xoops team didn't release a patch for this security problem?
http://www.security-corporation.com/articles-20031222-000.html

Note that the Xoops.org portal seems to be vulnerable to this vulnerability.

skalpa

Quite a regular
Posted on: 2003/12/22 14:04
Posts: 300
Since: 2003/4/16
#2

Re: Weblinks module security problem. Patch available ?

If you look at the article you'll see that it's been published today and I'm just waking up: that's the reason why a patch hasn't been released yet...

Also, this site is not vulnerable to this problem. The sample in the security advisory is just informative. Entering a URL manually like this would just allow you to hijack your own account, so you can make people believe you are yourself (pretty deep sentence, isn't it)

This is considered a security problem, as people are allowed to add links to the mylinks section.
However, here:
- The auto-approve option is set to off. So any such link would be deleted by an admin before it is published
- We don't use the frame feature either

So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee; I'll be working on it after.

Skalpa.

lykoszine

Module Developer
Posted on: 2003/12/22 14:19
Posts: 244
Since: 2002/1/2 2
#3

Re: Weblinks module security problem. Patch available ?

Skalpa

Why not just spend less time pretending to be you, and instead put more effort into trying to be yourself, and totally forget about making people believe you are you (whether you really are or not). That way, people (whether they are themselves or somebody else) can believe that you are who they think you are, or who you think you are, without worrying if you are really you or not.

Just some random skitzoid wafflings...

svaha

Just can't stay away
Posted on: 2003/12/22 15:28
Posts: 896
Since: 2003/8/2 2
#4

Re: Weblinks module security problem. Patch available ?

Now I also need a coffee badly, because my thought processes went into an infinite loop.
As soon as I have expanded my quotes-record to contain more text, I will add this one to my quotes (if you don't object of course), just to scare people off from registering to my site.

Aloha

Mikhail

Just can't stay away
Posted on: 2003/12/22 15:36
Posts: 412
Since: 2003/1/19
#5

Re: Weblinks module security problem. Patch available ?

Quote:

skalpa wrote:
If you look at the article you'll see that it's been published today and I'm just waking up: that's the reason why a patch hasn't been released yet...

Also, this site is not vulnerable to this problem. The sample in the security advisory is just informative. Entering a URL manually like this would just allow you to hijack your own account, so you can make people believe you are yourself (pretty deep sentence, isn't it)

This is considered a security problem, as people are allowed to add links to the mylinks section.
However, here:
- The auto-approve option is set to off. So any such link would be deleted by an admin before it is published
- We don't use the frame feature either

So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee; I'll be working on it after.

Skalpa.



Thanks a lot!!!!!!!!!!!!!!!!!!

lykoszine

Module Developer
Posted on: 2003/12/22 16:03
Posts: 244
Since: 2002/1/2 2
#6

Re: Weblinks module security problem. Patch available ?

Svaha

Just make them read it before filling in the registration form. I guarantee you will have no new members...

[If you do I would cancel their registration quick, as they will probably be mad... ]

Test0r

Just popping in
Posted on: 2003/12/23 10:17
Posts: 2
Since: 2003/12/22
#7

Re: Weblinks module security problem. Patch available ?

Quote:
Also, this site is not vulnerable to this problem


https://xoops.org/modules/mylinks/myhe ... t;><script>alert(document.cookie)</script> Are you sure ?

Quote:
So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee; I'll be working on it after.


All right, I've removed the module and am waiting for a patch...

Many thanks

skalpa

Quite a regular
Posted on: 2003/12/23 12:08
Posts: 300
Since: 2003/4/16
#8

Re: Weblinks module security problem. Patch available ?

Quote:
All right, I've removed the module and am waiting for a patch...


It's already done...
Read this post.

Skalpa.

Herko

XOOPS is my life!
Posted on: 2003/12/23 13:04
Posts: 4238
Since: 2002/2/4 1
#9

Re: Weblinks module security problem. Patch available ?

Quote:

https://xoops.org/modules/mylinks/myhe ... t;><script>alert(document.cookie)</script> Are you sure ?


This has been fixed on this site now.

Herko
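
The URL quoted in this thread relies on a double quote closing an HTML attribute before the script tag. As an added illustration (not XOOPS code and not the patch the team released; the function names and the idea of a link printed into a frame-header anchor are assumptions), the PHP below puts an unescaped attribute beside a hardened one that allowlists the URL scheme and encodes the value on output:

```php
<?php
// Added example, not XOOPS code. All function names are hypothetical.

// Constructed input modelled on the payload quoted in the thread.
$submitted = 'http://example.org/"><script>alert(document.cookie)</script>';

// Before: the value lands in the attribute unmodified, so the double quote
// ends the attribute and the remainder is parsed as markup.
function frame_header_unsafe(string $url): string
{
    return '<a href="' . $url . '" target="_top">Close frame</a>';
}

// Submit-time check: only absolute http(s) URLs with a host are accepted.
function is_allowed_link(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// After: refuse unexpected schemes, then encode for the attribute context.
// The scheme check does not look at quotes or angle brackets; the encoding
// is what keeps the quote from terminating the attribute.
function frame_header_safe(string $url): string
{
    if (!is_allowed_link($url)) {
        $url = '#'; // assumed fallback for rejected links
    }
    $attr = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $attr . '" target="_top">Close frame</a>';
}

echo frame_header_unsafe($submitted), "\n";
echo frame_header_safe($submitted), "\n";
```

Comparing the two printed lines shows the quote and angle brackets arriving as entities inside the `href` value in the second one, so the browser never sees a new tag.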