1
subzero_x
Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 13:56

  • subzero_x

  • Just popping in

  • Posts: 72

  • Since: 2006/3/16


Xoops is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.

An attacker may be able to exploit these issues to modify the logic of SQL queries. Successful exploits may allow the attacker to compromise the software, retrieve information, or modify data; other consequences are possible as well.

Xoops 2.0.16 is vulnerable.

More Information Here : http://www.securityfocus.com/bid/22399/info

SubZero
XOOPSDesign.com
http://streamtools.net professional themes for serious projects!

2
phppp
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 14:53

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


The core "issue" mentioned in the report was known to XOOPS Core Dev Team and evaluated as not a real vuln.
As for the weblinks module, plz check with the author.

3
eric235u
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 16:38

  • eric235u

  • Not too shy to talk

  • Posts: 149

  • Since: 2004/12/19


is this the link module from www.mywebaddons.com ?
where can I find the latest links module for 2.2.x?
thanks for any tips.

4
Anonymous
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 17:14

  • Anonymous

  • Posts: 0

  • Since:


I can't help thinking that this thread is unhelpful, being as it is in full public view on the XOOPS homepage........"Hey, Mr Bad Man, over here and look at this! Now you can attack everyone's XOOPS pages!"

Two words...... Protector Module.....

5
davidl2
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 17:21

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


The information is also listed on the SecurityFocus site.

6
Anonymous
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 18:00

  • Anonymous

  • Posts: 0

  • Since:


Quote:

davidl2 wrote:
The information is also listed on the SecurityFocus site.


True, but I was warm and happy in blissful ignorance until the point that I read it

7
eric235u
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 18:50

  • eric235u

  • Not too shy to talk

  • Posts: 149

  • Since: 2004/12/19


hi.

Quote:
"I can't help thinking that this thread is unhelpful, being as it is in full public view on the XOOPS homepage..."


i did not see it. where? do you mean this thread is in full view and don't like talking about exploits or that this issue has already been raised on the home page?

Quote:
Two words...... Protector Module.....


i read a lengthy thread on this and it seemed that the module was a good idea but it was not manditory. XOOPS core was reasonably secure. please tell me where i'm wrong. a link to further reading would be helpful.

Quote:
The information is also listed on the SecurityFocus site.


i clicked on "solution" and it states, "Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com."

therefore i did not see a resolution to the issue we're discussing at security focus. that's why i asked the question.

8
vaughan
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 19:09

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

i read a lengthy thread on this and it seemed that the module was a good idea but it was not manditory. XOOPS core was reasonably secure. please tell me where i'm wrong. a link to further reading would be helpful.


yes XOOPS core is reasonably secure. but reasonably is the keyword there.. XOOPS protector is an essential module if you want more security, and indeed provides other security measures than the core itself provides.

Quote:

i clicked on "solution" and it states, "Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com."

therefore i did not see a resolution to the issue we're discussing at security focus. that's why i asked the question.


there's no solution yet, because the exploit in the core isn't a valid exploit so no solution is necessary.

however the authors of weblinks module, may not even know about the exploit yet in their module, so maybe some1 could slip them a message informing them.. however i don't think the security focus stated the weblinks version number, which in itself might be an older version of that module.. but still the authors need to be aware of the possibility.

9
eric235u
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 19:39

  • eric235u

  • Not too shy to talk

  • Posts: 149

  • Since: 2004/12/19


i'm using weblinks 1.1 on XOOPS 2.2.x by Kazumi Ono. his website no longer is active. i didn't find him on the members module here or on the dev site.

i can't read this:
http://www.hackers.ir/advisories/festival.txt

so i don't know what specific links module he means. i'm shutting my site off from anonymous users until i feel comfortable with the links module.

10
preachur
Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • 2007/2/6 21:20

  • preachur

  • Just can't stay away

  • Posts: 525

  • Since: 2006/2/4 4


I too am using weblinks 1.1.... some on 2.0.16 and some on 2.2+ sites. I have removed the submit function from the modules. Only admins can add links and not from the client side, only through administration. Hopefully that plugged the hole.
Magick can never be restrained, but when freely given is thrice regained!

Login

Who's Online

161 user(s) are online (91 user(s) are browsing Support Forums)


Members: 0


Guests: 161


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits