Security Patch for XOOPS 2.3.3 - Security - XOOPS News

XOOPS

News

News World of XOOPS Developers Hacks Themes Archive Submit News

Security: Security Patch for XOOPS 2.3.3

Posted by: MambaOn 2009/8/20 13:10:00 13409 reads

As discussed previously in forums, there are potential vulnerabilities identified in:

a) PM
b) Protector

modules.

While (a) is addressed by having Protector installed, and (b) is addressed by having "register_globals" disabled and having XOOPS_TRUST_PATH outside of the Document Root, we've addressed the issues in XOOPS 2.4.

However, since we don't know when exactly we'll release XOOPS 2.4, we're releasing this Security Patch for XOOPS 2.3.3 users.

Download: SourceForge XOOPS.

Installation: See the ReadMe.txt file

You are highly encouraged to implement the patch to your existing XOOPS 2.3.3 system.

Special thanks to Trabis, who addressed these issues.

The comments are owned by the author. We aren't responsible for their content.

Re: Security Patch for XOOPS 2.3.3

bprado Published 08/20/2009 14:16 Not too shy to talk Joined 09/09/2008 Comments 103

When i finish coping the files in the modules dir, should i need to updates the modules??

Re: Security Patch for XOOPS 2.3.3

trabis Published 08/20/2009 14:26 Updated 08/20/2009 14:28 Core Developer Joined 09/01/2006 Comments 2269

Quote:

When i finish coping the files in the modules dir, should i need to updates the modules??

No. Unless you are not using the modules provided in 2.3 release. Well, it will not hurt if you press the update button.

Re: Security Patch for XOOPS 2.3.3

webmystar Published 08/20/2009 16:38 Friend of XOOPS Joined 06/23/2008 Comments 415

Thank you for the Patch!

Re: Security Patch for XOOPS 2.3.3

voltan Published 08/20/2009 16:42 Theme Designer Joined 12/05/2006 Comments 724

one question :
Do you update xoops 2.3.3 pack whit this Patch ?

Re: Security Patch for XOOPS 2.3.3

Mamba Published 08/20/2009 17:47 Moderator Joined 04/23/2004 Comments 11409

Yes, it's already updated on SourceForge.

It might take some time on their mirror sites.

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Mamba Published 08/20/2009 21:03 Updated 08/23/2009 20:36 Moderator Joined 04/23/2004 Comments 11409

We had to remove the Profile from the Security Patch, as it was causing incompatibility issues with 2.3.3.

According to Trabis, there was no confirmed Security issue in the Profile, but we've included the 2.4 version because there were few bug fixes that we believed would be beneficial for 2.3.3 users.

However, since it's causing incompatibility issues, if you have already download the Security Patch and it contains Profile, please do NOT copy the /profile over your existing files.

The files on SourceForge have been updated and are now without the Profile.

We apologize for the confusion.

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

DonCurioso Published 08/20/2009 21:14 Quite a regular Joined 03/01/2009 Comments 239

Mamba,

what must they do users that applied these patches before correction ?

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Mamba Published 08/20/2009 21:23 Moderator Joined 04/23/2004 Comments 11409

Just copy the Profile from 2.3.3 over the current files.

If you don't have access to the 2.3.3 Profile, please download it from here

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

andrey3761 Published 08/20/2009 21:26 XOOPS Translator Joined 08/21/2008 Comments 234

DonCurioso

To establish the native module of a profile.

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

bprado Published 08/20/2009 21:31 Not too shy to talk Joined 09/09/2008 Comments 103

What kind of incompatibility???

i installed and dont see any errors!!

well i make a lazy test.

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Mamba Published 08/20/2009 21:33 Updated 08/20/2009 21:34 Moderator Joined 04/23/2004 Comments 11409

Quote:

What kind of incompatibility???

A user couldn't register - he was getting a blank page. Basically profile uses authentication system that was introuduced on 2.4, and we overlooked that.

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

andrey3761 Published 08/20/2009 21:38 XOOPS Translator Joined 08/21/2008 Comments 234

You can download Russian localisation of modules PM and Protector on this references.
http://xoops.radio-hobby.org/modules/news/article.php?storyid=70
In the same place full Russian translation XOOPS 2.4.0 Beta 1 in charset UTF-8

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Mamba Published 08/20/2009 21:49 Moderator Joined 04/23/2004 Comments 11409

Andrey, do you have access to SVN on SourceForge?

We have there place for languages, incl. Russian, so maybe you could keep it up to date there?

Would you be willing to help?

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

andrey3761 Published 08/20/2009 22:11 Updated 08/20/2009 22:12 XOOPS Translator Joined 08/21/2008 Comments 234

Mamba:
I do not have access to SVN on SourceForge.
I can help with Russian localisation. If will give access and tell as with it to work.

Forgive for my English .

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Mamba Published 08/20/2009 22:22 Moderator Joined 04/23/2004 Comments 11409

Andrey, just become a member on SourceForge (http://www.sourceforge.net), and then let me know your user name there.

We'll take it from there.

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

andrey3761 Published 08/20/2009 22:52 XOOPS Translator Joined 08/21/2008 Comments 234

Mamba:
Has sent user name in PM.

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

barryc Published 08/21/2009 18:20 Updated 08/21/2009 18:29 Just can't stay away Joined 03/20/2004 Comments 480

Well, I just applied the patch to my live site and now I can't access the admin pages. I get a white screen. I can't turn on debug because of that. Fortunately I backed up before uploading and overwriting the files in PM and Protector and I didn't do an update. I'm about to overwrite those folders again with the old files.

[Update] I have now copied the old PM and Protector folders back to my site and I can see the admin pages again. I have a copy of my site that I use for testing. If you want me to I can try this update again on that site, having turned on debug first to see if I can identify the problem. Let me know.

barryC

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

trabis Published 08/21/2009 18:33 Core Developer Joined 09/01/2006 Comments 2269

Did you upload protector files to xoops_lib?

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

barryc Published 08/21/2009 19:28 Just can't stay away Joined 03/20/2004 Comments 480

I thought I followed the readme exactly but now I'm not sure. Let me try it again. Nobody else has reported it so I probably did something wrong. Too many projects going on at once here.

I'll report back.

BC

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

barryc Published 08/21/2009 19:36 Just can't stay away Joined 03/20/2004 Comments 480

OK. I repeated the update and it's working fine. Obviously either I did something wrong (the most likely) or the upload didn't complete, or some such thing.

My apologies for wasting your time.

barryC

Re: Security Patch for XOOPS 2.3.3

DuGris Published 08/22/2009 17:49 Core Developer Joined 03/14/2004 Comments 67

The new package of XOOPS 2.3.3 in French are available in download here

Login

Username

Password

Remember me

Search

Advanced Search

Donat-O-Meter

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

{{ record.commit.author.name }} {{ record.commit.author.date | formatDate }}

Security: Security Patch for XOOPS 2.3.3

Re: Security Patch for XOOPS 2.3.3

Re: Security Patch for XOOPS 2.3.3

Re: Security Patch for XOOPS 2.3.3

Re: Security Patch for XOOPS 2.3.3

Re: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: IMPORTANT: Security Patch for XOOPS 2.3.3

Re: Security Patch for XOOPS 2.3.3

Login

Search

Recent Comments

Re: New Admin Theme for XOOPS (Beta)

Sanford Pharmacy: Exceptional Pharmacy Services Tailored to You

Re: New Admin Theme for XOOPS (Beta)

Re: XOOPS 2.5.12 Beta-2 available for Testing

Re: XOOPS 2.5.12 Beta-2 available for Testing

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

Archives

News archives