Xoops Multiple Unspecified SQL Injection Vulnerabilities [Xoops Bug Reports]

subzero_x

Just popping in

Posted on: 2007/2/6 13:56

: subzero_x (Show more); Just popping in; Posts: 72; Since: 2006/3/16

#1

Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 13:56 Xoops is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.

An attacker may be able to exploit these issues to modify the logic of SQL queries. Successful exploits may allow the attacker to compromise the software, retrieve information, or modify data; other consequences are possible as well.

Xoops 2.0.16 is vulnerable.

More Information Here : http://www.securityfocus.com/bid/22399/info

SubZero
XOOPSDesign.com

http://streamtools.net professional themes for serious projects!

phppp

XOOPS Contributor

Posted on: 2007/2/6 14:53

: phppp (Show more); XOOPS Contributor; Posts: 2857; Since: 2004/1/25

#2

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 14:53 The core "issue" mentioned in the report was known to XOOPS Core Dev Team and evaluated as not a real vuln.
As for the weblinks module, plz check with the author.

eric235u

Not too shy to talk

Posted on: 2007/2/6 16:38

: eric235u (Show more); Not too shy to talk; Posts: 149; Since: 2004/12/19

#3

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 16:38 is this the link module from www.mywebaddons.com ?
where can I find the latest links module for 2.2.x?
thanks for any tips.

http://www.newmag.org/

Anonymous

Posted on: 2007/2/6 17:14

: Anonymous (Show more); Posts: 0; Since:

#4

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 17:14 I can't help thinking that this thread is unhelpful, being as it is in full public view on the XOOPS homepage........"Hey, Mr Bad Man, over here and look at this! Now you can attack everyone's XOOPS pages!"

Two words...... Protector Module.....

davidl2

XOOPS is my life!

Posted on: 2007/2/6 17:21

: davidl2 (Show more); XOOPS is my life!; Posts: 4843; Since: 2003/5/26

#5

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 17:21 The information is also listed on the SecurityFocus site.

Anonymous

Posted on: 2007/2/6 18:00

: Anonymous (Show more); Posts: 0; Since:

#6

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 18:00 Quote:

davidl2 wrote:
The information is also listed on the SecurityFocus site.

True, but I was warm and happy in blissful ignorance until the point that I read it

eric235u

Not too shy to talk

Posted on: 2007/2/6 18:50

: eric235u (Show more); Not too shy to talk; Posts: 149; Since: 2004/12/19

#7

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 18:50 hi.

Quote:

"I can't help thinking that this thread is unhelpful, being as it is in full public view on the XOOPS homepage..."

i did not see it. where? do you mean this thread is in full view and don't like talking about exploits or that this issue has already been raised on the home page?

Quote:

Two words...... Protector Module.....

i read a lengthy thread on this and it seemed that the module was a good idea but it was not manditory. XOOPS core was reasonably secure. please tell me where i'm wrong. a link to further reading would be helpful.

Quote:

The information is also listed on the SecurityFocus site.

i clicked on "solution" and it states, "Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com."

therefore i did not see a resolution to the issue we're discussing at security focus. that's why i asked the question.

http://www.newmag.org/

vaughan

Friend of XOOPS

Posted on: 2007/2/6 19:09

: vaughan (Show more); Friend of XOOPS; Posts: 684; Since: 2005/11/26

#8

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 19:09 Quote:

i read a lengthy thread on this and it seemed that the module was a good idea but it was not manditory. XOOPS core was reasonably secure. please tell me where i'm wrong. a link to further reading would be helpful.

yes XOOPS core is reasonably secure. but reasonably is the keyword there.. XOOPS protector is an essential module if you want more security, and indeed provides other security measures than the core itself provides.

Quote:

i clicked on "solution" and it states, "Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com."

therefore i did not see a resolution to the issue we're discussing at security focus. that's why i asked the question.

there's no solution yet, because the exploit in the core isn't a valid exploit so no solution is necessary.

however the authors of weblinks module, may not even know about the exploit yet in their module, so maybe some1 could slip them a message informing them.. however i don't think the security focus stated the weblinks version number, which in itself might be an older version of that module.. but still the authors need to be aware of the possibility.

eric235u

Not too shy to talk

Posted on: 2007/2/6 19:39

: eric235u (Show more); Not too shy to talk; Posts: 149; Since: 2004/12/19

#9

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 19:39 i'm using weblinks 1.1 on XOOPS 2.2.x by Kazumi Ono. his website no longer is active. i didn't find him on the members module here or on the dev site.

i can't read this:
http://www.hackers.ir/advisories/festival.txt

so i don't know what specific links module he means. i'm shutting my site off from anonymous users until i feel comfortable with the links module.

http://www.newmag.org/

preachur

Just can't stay away

Posted on: 2007/2/6 21:20

: preachur (Show more); Just can't stay away; Posts: 525; Since: 2006/2/4 4

#10

Re: Xoops Multiple Unspecified SQL Injection Vulnerabilities

2007/2/6 21:20 I too am using weblinks 1.1.... some on 2.0.16 and some on 2.2+ sites. I have removed the submit function from the modules. Only admins can add links and not from the client side, only through administration. Hopefully that plugged the hole.

Magick can never be restrained, but when freely given is thrice regained!


Stats
Goal:	$100.00
Due Date:	Mar 31
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Topic	Author
Re: This has been driving me nuts...	vg2903
Assessment 2.01 Alpha 1 available for testing	Mamba
Re: countdown module for XOOPS 2.5.9 ?	alain01
Re: countdown module for XOOPS 2.5.9 ?	mjoel
Re: A big surprise for 2020	aerograf
Re: A big surprise for 2020	alain01
Re: A big surprise for 2020	aerograf
Re: Adding Main Image in Publisher - Item by same author page	mjoel
Re: Adding Main Image in Publisher - Item by same author page	Mamba
Re: Adding Main Image in Publisher - Item by same author page	mjoel