xoops forums

Defkon1

Not too shy to talk
Posted on: 2009/6/22 7:16
Posts: 151
Since: 2005/1/27
#1

Exploit on xoops 2.3.3

I don't know if this is the correct forum...

Quote:

Nibble Security discovered a remote arbitrary file retrieval in XOOPS version
2.3.3, which could be exploited to read system or XOOPS configuration files
("mainfile.php").


http://www.milw0rm.com/exploits/8974

wishcraft

Module Developer
Posted on: 2009/6/22 7:19
Posts: 3710
Since: 2007/5/18
#2

Re: Exploit on xoops 2.3.3

Thanks defcon..

It will be patched in 2.3.4 which is only a few weeks away.. Just having an anti-RSI break.. because there is still more typing to do!

We were aware of this around a week ago, before you posted it on the forum.. Luckily it is one of those conditional errors.. That is, something that doesn't work on all installations.
www.ohloh.net/accounts/226400

Follow, Like & Read:-

twitter.com/SimonXaies
github.com/Chronolabs-Cooperative
facebook.com/SimonSXaies

frankblack

Just can't stay away
Posted on: 2009/6/22 8:26
Posts: 830
Since: 2005/6/13
#3

Re: Exploit on xoops 2.3.3

Quote:
It will be patched in 2.3.4 which is only a few weeks away


Cough... And in the meantime? Any workaround? I assume that any protector is concerned?

Interesting timetable. Who was contacted?
17/03/2009 - Vendor notified.
17/03/2009 - Vendor response.
28/05/2009 - Vendor re-contacted (no answer).
16/06/2009 - Public disclosure.

Three months ago is quite a long time...

ghia

Community Support Member
Posted on: 2009/6/22 11:54
Posts: 4954
Since: 2008/7/3 1
#4

Re: Exploit on xoops 2.3.3

Quote:
If register_globals is enabled and magic_quotes_gpc disabled,

In principle, no one has a site with these settings (see your phpinfo()).
And if they have, they should take measures to change it immediately (and not only because of this 'exploit') or move on to a decent hoster.

frankblack

Just can't stay away
Posted on: 2009/6/22 12:57
Posts: 830
Since: 2005/6/13
#5

Re: Exploit on xoops 2.3.3

Quote:
In principle, no one has a site with these settings


In principle I should be rich and famous. But I am not, so I guess there are php settings like this out there.

So you people with bad settings (or people who do not know that they have bad settings): come back in a few weeks and get your update - if you are caught in the meantime: bad luck.

Sounds offending, but it is not meant for your ears. I find it strange, that after 2 1/2 months the vendor was re-contacted but did not reply. Even if this is a minor threat and XOOPS has not so much "personnel", everything should be done to secure the system. Just my POV.

ghia

Community Support Member
Posted on: 2009/6/22 14:02
Posts: 4954
Since: 2008/7/3 1
#6

Re: Exploit on xoops 2.3.3

No, don't exaggerate! This is a very, very minor threat.
It's not because you could be struck by lightning, that you would walk around in a Faraday cage.
Some people are in much greater peril by e.g. not following the instructions for the install of Protector.

Mamba

Moderator
Posted on: 2009/6/22 14:53
Posts: 10750
Since: 2004/4/23
#7

Re: Exploit on xoops 2.3.3

Quote:
Sounds offending, but it is not meant for your ears. I find it strange, that after 2 1/2 months the vendor was re-contacted but did not reply.

I'll take the blame for it. My PC crashed and before I was able to work on it again and restore data, I had over 1,000 emails in my inbox, and unfortunately, the "re-contacted" email was one of those emails that I didn't have a chance to read and respond to in time.

Quote:
Even if this is a minor threat and XOOPS has not so much "personnel", everything should be done to secure the system. Just my POV.


And I totally agree with you. You can trust me that the team does what it can to keep XOOPS the safest CMS out there. The issue will be addressed in 2.3.4 release.

In addition to Ghia's comments, GIJoe told us that in order for a hacker to take advantage of this exploit, the XOOPS_TRUST_PATH would have to be inside the Document Root. We've always recommended our users to place XOOPS_TRUST_PATH outside of the Document Root.

But as I said, the issue will be addressed in 2.3.4
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs
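
A check for the preconditions ghia and Mamba name in this thread (register_globals enabled, magic_quotes_gpc disabled, XOOPS_TRUST_PATH inside the Document Root). This is an added example, not part of any post and not XOOPS or Protector code; the function names and both sample paths are hypothetical.

```php
<?php
// Added example: hypothetical helper names; the two paths are constructed placeholders.
// Run it under the web server's PHP, because the CLI can load a different php.ini.

/** Interpret a php.ini boolean as returned by ini_get(). */
function ini_flag($value)
{
    if ($value === false || $value === null) {
        return false; // unknown directive (both were removed in PHP 5.4) counts as off
    }
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
}

/** true/false if $path is (not) $root or below it; null if either path is missing. */
function path_is_inside($path, $root)
{
    $path = realpath($path);
    $root = realpath($root);
    if ($path === false || $root === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($path . DIRECTORY_SEPARATOR, $root) === 0;
}

/** Evaluate the three preconditions named in the thread. */
function check_preconditions($trustPath, $docRoot)
{
    $r = array(
        'register_globals_on'   => ini_flag(ini_get('register_globals')),
        'magic_quotes_gpc_off'  => !ini_flag(ini_get('magic_quotes_gpc')),
        'trust_path_in_docroot' => path_is_inside($trustPath, $docRoot),
    );
    // An unresolved path (null) is not treated as safe.
    $r['all_conditions_met'] = $r['register_globals_on'] && $r['magic_quotes_gpc_off']
        && $r['trust_path_in_docroot'] !== false;
    return $r;
}

$docRoot   = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '/var/www/html';
$trustPath = '/var/www/html/trust_path'; // replace with your site's XOOPS_TRUST_PATH value
foreach (check_preconditions($trustPath, $docRoot) as $name => $value) {
    echo str_pad($name, 24), var_export($value, true), PHP_EOL;
}
```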

frankblack

Just can't stay away
Posted on: 2009/6/22 14:54
Posts: 830
Since: 2005/6/13
#8

Re: Exploit on xoops 2.3.3

I don't want to exaggerate anything and I go out with the dog at lightning. But I pity those who belong to the minority which may be concerned by this very, very minor threat. Being hacked is not a good experience and I made this experience already. I just wanted to point out that three months are a very long time to publish a workaround in the meantime.

Feel safe with the Protector? Sorry, no.

ghia

Community Support Member
Posted on: 2009/6/22 15:26
Posts: 4954
Since: 2008/7/3 1
#9

Re: Exploit on xoops 2.3.3

Quote:
Feel safe with the Protector? Sorry, no.

For good security, you may never feel safe.
But, feel safer with properly installed Protector? Definitely!

trabis

Core Developer
Posted on: 2009/6/22 17:43
Posts: 2268
Since: 2006/9/1 1
#10

Re: Exploit on xoops 2.3.3

Quote:

frankblack wrote:
Feel safe with the Protector? Sorry, no.


"Bug" is in protector, not core. Actually, it is not a bug because protector is not meant to be in public directory.
If you show this as a "bug" to GIJOE he will laugh in your face.