XOOPS Security Advisory - XOOPS - XOOPS News - XOOPS Web Application System

XOOPS

News

News World of XOOPS Developers Hacks Themes Archive Submit News

XOOPS: XOOPS Security Advisory

Posted by: BoobtoobOn 2002/12/19 22:08:38 12191 reads

A security vulnerability within the Visitors 2 module has been brought to our attention.

The XOOPS team would ask that anyone using this module, please discontinue it's usage by deactivating it and removing the Vistors 2 module from your system completely. The vulnerability makes it possible for someone without any privileges to execute rouge php code on the host system compromising security. As an example, we were handed a sample of our etc/passwd file.

We apologize for any inconvenience this might cause but we strongly advise discontinuing using this module. Since this is not an official XOOPS module, it has been depreciated for the upcoming XOOPS 2 release.

Thanks,
XOOPS Team

Note: This vulerability is not possible if allow_url_fopen is set to 0 (the default is 1) in the php.ini file.

The comments are owned by the author. We aren't responsible for their content.

Re: XOOPS Security Advisory

Neon Published 12/19/2002 22:50 Not too shy to talk Joined 02/08/2002 Comments 138

Are there any plans to fix this problem or are you planning to replace this mod with a better one in 1.7.3 ??

I hate using public hit counters as your data is spread all over the net and anyone can see it

Re: XOOPS Security Advisory

sunsnapper Published 12/19/2002 22:55 Friend of XOOPS Joined 04/10/2002 Comments 403

Quote:

As an example, we were handed a sample of our etc/passwd file.

I assume you have changed your passwords.

Just for fun, I changed my password here at xoops.org, not that it probably matters.

Re: XOOPS Security Advisory

Boobtoob Published 12/20/2002 0:51 Friend of XOOPS Joined 12/22/2001 Comments 202

There are no plans to rectify this since it's depreciated in 2.0.

Re: XOOPS Security Advisory

onokazu Published 12/20/2002 0:57 XOOPS Founder Joined 12/13/2001 Comments 617

No, we will not be going to create nor replace it with another one in the future versions. But as an alternative, you may want to try phlogger at phpee.com with which you can have a really detailed log data by only embedding a few lines of codes in your custom block...it doesn't even need to be a module...and looks a lot better than Visiteurs in my opinion.

Re: XOOPS Security Advisory

npetreley Published 12/20/2002 1:30 Just popping in Joined 12/09/2002 Comments 15

Just an FYI, the term is deprecated (no longer the approved method). Depreciated means to lower in estimation or esteem. I guess that's also true of the module, but it's not the customary term for this.

Re: XOOPS Security Advisory

Boobtoob Published 12/20/2002 1:45 Friend of XOOPS Joined 12/22/2001 Comments 202

Just read it over.. your right.. damn spell checkers!

Re: XOOPS Security Advisory

malbrecht Published 12/20/2002 11:30 Just popping in Joined 12/08/2002 Comments 3

Actually, as I wrote a few days ago in my email, the current XOOPS system allows ANYONE on a shared server (running at least ONE XOOPS installation) that does NOT use safe_mode to output any information from any XOOPS installation on that server, if he only is allowed to include php code (which would be the case if you are a customer with your own php allowance). This is a well known problem with all projects that use server writable directories from which files are included without checking the content.

Re: XOOPS Security Advisory

Jerricho Published 12/20/2002 15:38 Just popping in Joined 09/11/2002 Comments 19

I doubt this is a problem on IIS Servers since there is no /etc/passwd file to sniff.

Or am I wrong in thinking so?

Re: XOOPS Security Advisory

kitsou Published 12/20/2002 22:30 Just popping in Joined 03/19/2002 Comments 50

phlogger at phpee.com

I tried it and I like it. With great joy I deleted visitors2. I always thought visitors2 is a bit crappy, but now I'm quite sure.

Thanks Onokazu for this advice.

Although I would not suggest to create a special custom block. I use the "who is online block" and pasted the code in . This block is visible to all my visitors on all pages. Any already existing block will do as long as all groups have permission to view it and the block is on all pages...

The counter himself is not visible but you can make him visible if you want to.

The stats generated by phlogger are very powerful. You never regret having deleted visitors2.

Re: XOOPS Security Advisory

aod Published 12/20/2002 22:59 Just popping in Joined 12/15/2002 Comments 13

I can't seem to make this thing work. Could you write a short tutorial for us having troubles, kitsou?

Btw, very nice theme on your site! Where did you get it? Can I have it too?

Thanks.

Re: XOOPS Security Advisory

kitsou Published 12/21/2002 17:50 Just popping in Joined 03/19/2002 Comments 50

Tutorial ? To install the software simply read the doc. It sometimes helps a lot. There is also a support forum onhttp://www.phpee.com/
available, but I did not have to use it, because I read the doc.

Theme?
Use the search funktion and type EADJ

Re: XOOPS Security Advisory

torwill Published 12/22/2002 4:14 Just popping in Joined 10/09/2002 Comments 1

any other possible way to fix this problem? if users refuse to remove the package?!!!

Re: XOOPS Security Advisory

aod Published 12/22/2002 11:41 Just popping in Joined 12/15/2002 Comments 13

Somebody fix this module or develop pphlogger as a XOOPS mod pls. We need stats for our websites. Thanks.

Re: XOOPS Security Advisory

w4z004 Published 12/22/2002 12:11 XOOPS Advisor Joined 12/13/2001 Comments 340

-http://top.addfreestats.com/infos.html

-http://www.stats4all.com/asp/index.asp

-http://www.nedstat.com/f31_index.htm

-http://www.counted.com/

online stats sites.

Re: XOOPS Security Advisory

Strider Published 12/22/2002 19:27 Just popping in Joined 09/30/2002 Comments 8

The comment on shared servers isn't completely true. There are shared servers that have a system of "jailing" a site, to where they have their own set of software as though they really have their own server. They can never reach the / of the server unless they su to a superuser with those priveleges because their / is actually something else.

However, users within a "jailed" site might still very well have this vulnerability to other users of that same "jailed" site.

Login

Username

Password

Remember me

Search

Advanced Search

Donat-O-Meter

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

{{ record.commit.author.name }} {{ record.commit.author.date | formatDate }}

XOOPS: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Re: XOOPS Security Advisory

Login

Search

Recent Comments

Re: XOOPS 2.5.11 Final Released

Re: XOOPS 2.5.11 Final Released

Re: XOOPS 2.5.11 Final Released

Re: XOOPS 2.5.11 Final Released

Re: XOOPS 2.5.11 Final Released

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

Archives

News archives