Re: vulnerability in SPAW editorI can confirm this. Remove the Spaw directory.
Re: vulnerability in SPAW editorCould these kind of news articles be posted on the frontpage of Xoops.org. Specially because alot of people use this module on their site. Just a thought;)
Re: vulnerability in SPAW editor and another oneIt would be usefull to have such lerts on xoops.org. If a site is working fine, admin may not login very often.
But you are rigt - it will be nice to have it there (in admin) too...
In short is this related? http://xoops.peak.ne.jp/modules/news/index.php?page=article&storyid=398
And here is another one: command injection of phpmailer in XOOPS:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=431
And what abot FCK http://xoops.peak.ne.jp/modules/news/index.php?page=article&storyid=396
Last What about security team that will investigate reports, help with fixes for core/modules, write good practice papers(for XOOPS, modules, web servers ...) and try to hack core/modules and fix them in order to make XOOPS more secure
Re: vulnerability in SPAW editorHi all
I also can confirm this.
I had 2 sites atacked.
They could use your server to send TONS of spamĀ“s.
Re: vulnerability in SPAW editorgot hacked by this too 
Re: vulnerability in SPAW editorthe problem is the spaw_control.class.php
DELETE IT!!!!
Re: vulnerability in SPAW editorQuote:
A more useful thing - and this is a practical suggestion for the core team ... is to send a security update every time they log into their admin area. People don't have to return to this site when they're set up - but people would have to read that...
I already disabled version notification in Zen Cart because I had a raft of demands to upgrade as soon as the new version came out. Upgrades should be the webmaster's decision. They shouldn't be pressurised into it because a client has been panicked by a version 'warning' or a security scare. As long as xoops.org continue to highlight issues like this promptly, webmasters can keep up to speed on security issues. Users can subscribe to the security news category and receive email notifications of new articles. If they don't bother, that's their problem.
Re: vulnerability in SPAW editorMy site just got hit for this
Tinycontent 1.5
hosting provider
mentioned spaw_control.class.php
Re: vulnerability in SPAW editorQuote:
Users can subscribe to the security news category and receive email notifications of new articles.
Re: vulnerability in SPAW editorAccording to the National Vulnerability Database, XOOPS modules affected by the spaw_control.class.php vulnerability include:
Tiny Content
XT-Contuedo
CJay Content
This is beacause they include the old Spaw version 1.0.
According to Secunia, the issue is resolved by upgrading Spaw to version > 1.0.4.
http://secunia.com/advisories/10451/
Solmetra (the makers of Spaw) recommend upgrading to 1.2.4.
See this advisory
The current version of Spaw is 2.0.4.1.
Re: vulnerability in SPAW editorAs well as the modules listed above, Spaw 1.0 is also present in:
Wordpress ME
Xoopseditor Framework 1.2
If you use this editor, it may be straightforward to upgrade simply by replacing the Spaw folder?.
| Stats | |
| Goal: | $15.00 |
| Due Date: | Oct 31 |
| Gross Amount: | $0.00 |
| Net Balance: | $0.00 |
| Left to go: | $15.00 |
 |
|
