xoops forums

stefan88

Community Support Member
Posted on: 2008/7/26 9:50
Posts: 1085
Since: 2004/9/20
#1

Vulnerability in XOOPS 2.0.18.1 admin.php

Quote:
Vulnerability Summary CVE-2008-3296
Original release date: 7/25/2008
Last revised: 7/25/2008
Source: US-CERT/NIST


Overview

Directory traversal vulnerability in modules/system/admin.php in XOOPS 2.0.18.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.


Found here: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3296

trabis

Core Developer
Posted on: 2008/7/26 10:04
Posts: 2268
Since: 2006/9/11
#2

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

I don't see how this could be exploited unless the hacker is a webmaster or a module admin. The first thing the script does is to check if it is a XOOPS user and if it has admin privileges. Anyway, I would prefer to sanitize fct just to make sure I don't have a malicious admin among my crew, lol. But hey, if there is a malicious admin, fixing this would be the least important of all things. In 90% (maybe 90,1%, not sure, ahah) of the cases, the module developers don't care much about protecting their modules' administration, so a bad module admin can compromise your site by exploiting the admin area of the module he has admin access to.

I might be wrong eheh, but I consider this a very lazy exploit.

skenow

Home away from home
Posted on: 2008/7/26 13:49
Posts: 993
Since: 2004/11/17
#3

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

More information is found here - http://www.securityfocus.com/bid/30330/info

phppp

XOOPS Contributor
Posted on: 2008/7/26 14:48
Posts: 2857
Since: 2004/1/25
#4

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

The "vuln" has been reported and discussed a couple of times and the conclusion made by XOOPS dev team at the moment was that it is not a valid vuln, thus won't fix.

However, to keep XOOPS elegant, the code will definitely be improved in future releases.

skenow

Home away from home
Posted on: 2008/7/26 16:14
Posts: 993
Since: 2004/11/17
#5

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

If you are like me and do not want to dismiss this so readily or wait for a more elegant solution, you can edit modules/systems/admin.php and change the following lines at the beginning of the file:

    if (isset($_POST['fct'])) {
        $fct = trim($_POST['fct']);
    }
    if (isset($_GET['fct'])) {
        $fct = trim($_GET['fct']);
    }


to this:

    if (isset($_POST['fct'])) {
        // Strip the listed metacharacters from fct
        $fct = preg_replace('/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i', '', trim($_POST['fct']));
        // Escape any $ and wrap the value in double quotes
        $fct = '"'.preg_replace('/\$/', '\\\$', $fct).'"';
    }
    if (isset($_GET['fct'])) {
        $fct = preg_replace('/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i', '', trim($_GET['fct']));
        $fct = '"'.preg_replace('/\$/', '\\\$', $fct).'"';
    }


Thanks to Vaughan for this solution!
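
An added illustration, not part of the post above and not XOOPS code: the character-stripping filter from post #5 run beside an allowlist check on fct, over constructed inputs. It shows that the filter leaves "." and "/" untouched and adds literal double quotes to every value, while the allowlist accepts only the name of an existing directory. The function names and the layout of one sub-directory per fct value under an admin directory are assumptions.

```php
<?php
// Added example, not XOOPS code. Function names and the directory layout
// (one sub-directory per fct value under an admin directory) are assumptions.

// The character-stripping filter from post #5, wrapped in a function.
function strip_filter(string $fct): string
{
    $fct = preg_replace('/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i', '', trim($fct));
    return '"' . preg_replace('/\$/', '\\\$', $fct) . '"';
}

// Allowlist check: fct must be a plain identifier and must resolve to an
// existing directory directly under $adminDir. Returns null when rejected.
function allowlist_fct(string $fct, string $adminDir): ?string
{
    $fct = trim($fct);
    if (!preg_match('/\A[a-z0-9_]+\z/i', $fct)) {
        return null;                       // rejects ".", "/", "\" and quotes
    }
    $base = realpath($adminDir);
    $path = realpath($adminDir . DIRECTORY_SEPARATOR . $fct);
    if ($base === false || $path === false || !is_dir($path)) {
        return null;                       // no such admin function
    }
    return dirname($path) === $base ? $fct : null;   // defence in depth
}

// Constructed sandbox standing in for the admin directory.
$root     = sys_get_temp_dir() . '/fct_demo_' . getmypid();
$adminDir = $root . '/admin';
mkdir($adminDir . '/preferences', 0700, true);

// Constructed inputs: one valid name, two containing "..", one unknown name.
foreach (['preferences', '../admin/preferences', 'preferences/..', 'nosuch'] as $input) {
    printf("%-22s filter: %-26s allowlist: %s\n",
        $input, strip_filter($input), var_export(allowlist_fct($input, $adminDir), true));
}

// Remove the sandbox again.
rmdir($adminDir . '/preferences');
rmdir($adminDir);
rmdir($root);
```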

sarahmx

Quite a regular
Posted on: 2008/7/27 8:42
Posts: 378
Since: 2007/10/28
#6

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

I followed the solution, but after I did that I can't click any link in the admin.

In IE I received object required errors.

Mamba

Moderator
Posted on: 2008/7/27 21:15
Posts: 10770
Since: 2004/4/23
#7

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

phppp is coming with a solution that will work in XOOPS.

We're in the process of testing it - the 2.0.18.2 is coming soon.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

McDonald

Home away from home
Posted on: 2008/7/28 9:43
Posts: 1072
Since: 2005/8/15
#8

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

Is this vulnerability affecting XOOPS 2.0.x only or XOOPS 2.2.x also?

If it is affecting XOOPS 2.2.x, is it possible to release a patch for this?

Mamba

Moderator
Posted on: 2008/7/28 13:25
Posts: 10770
Since: 2004/4/23
#9

Re: Vulnerability in XOOPS 2.0.18.1 admin.php

Quote:
I followed the solution, but after I did that I can't click any link in the admin.

In IE I received object required errors.

Please test the 2.0.18.2 RC, which should properly fix the problem.