xoops forums

kevinv

Friend of XOOPS
Posted on: 2003/12/23 2:04
Posts: 44
Since: 2003/1/4 1
#1

Xoops 2.0.5.1 XSS attack?

Just saw a post from yesterday on Bugtraq that the XOOPS 2.0.5.1 web link module has an XSS bug.

Are the XOOPS developers aware of this? Is it a real issue? (I've not tested on my install yet)

Security Focus Bugtraq Archive

skalpa

Quite a regular
Posted on: 2003/12/23 2:17
Posts: 300
Since: 2003/4/16
#2

Re: Xoops 2.0.5.1 XSS attack?

Somebody warned us earlier today.
As I said in another post, this is not an issue if you haven't set your "links" section to auto-approve.

The patch has already been done, but as we expect to make a release fixing a few other problems in a week or so, we decided not to release this one alone right now.
However, you can already get the fixed files and copy them to /modules/mylinks/ (they should work with 2.0.1 - 2.0.5.1, and although I haven't tested them extensively, I don't think there will be any problems with them):

myheader.php
submit.php
visit.php

[ EDITED ]
Sorry, I messed with the links in the original post. They should be ok now (or at least in a few minutes, myheader and visit should both be v1.8 when you get them).

Skalpa.