XOOPS Web Application System

Security Patch for XOOPS 2.5.6

Tue, 24 Sep 2013 19:40:00 +0000

As always, security is on top of priority list of XOOPS!

Current users of XOOPS 2.5.6 are encouraged to download and apply a Security Patch.

Download: SourceForge File Repository

This security patch fixes some potential XSS issues discovered by Mehdi Dadkhah and fixed by Richard Griffith.

While 2.5.6 Websites that have currently installed Protector are safe from this XSS vulnerability, we recommend strongly to apply this patch to ALL XOOPS 2.5.6 Websites.

It is not enough to stress that you should ALWAYS have Protector installed!!!

How to Apply the Patch:
--------------------------
You will need as minimum PHP 5.3.7

Just copy ALL the files from /htdocs folder in this Zip file to your XOOPS Website.
No other action is needed.

==============================================
For users of XOOPS Versions older than 2.5.6
==============================================

Please update AS SOON AS POSSIBLE to XOOPS 2.5.6. As always, the current versions are always the most stable and safest, i.e. older versions might be open to vulnerabilities that has been already fixed in the current version.

As of today, all XOOPS 2.5.6 versions available for download have been all patched.

Wishing everybody Happy and Safe Xoopsing!

XOOPS Core Team
2013-09-24

Security Patch for XOOPS 2.5.5

Thu, 24 Jan 2013 01:09:00 +0000

Current users of XOOPS 2.5.5 are encouraged to download and apply a Security Patch.

This patch is included in the upcoming XOOPS 2.5.6, which should be released in the next couple of weeks, after the testing of the Beta version is done.

Download: SourceForge File Repository

Security Patch for XOOPS 2.3.3

Thu, 20 Aug 2009 13:10:00 +0000

As discussed previously in forums, there are potential vulnerabilities identified in:

a) PM
b) Protector

modules.

While (a) is addressed by having Protector installed, and (b) is addressed by having "register_globals" disabled and having XOOPS_TRUST_PATH outside of the Document Root, we've addressed the issues in XOOPS 2.4.

However, since we don't know when exactly we'll release XOOPS 2.4, we're releasing this Security Patch for XOOPS 2.3.3 users.

Download: SourceForge XOOPS.

Installation: See the ReadMe.txt file

You are highly encouraged to implement the patch to your existing XOOPS 2.3.3 system.

Special thanks to Trabis, who addressed these issues.

Vulnerability in Protector if placed in DocumentRoot

Fri, 09 Jan 2009 09:30:00 +0000

We've been made aware of a vulnerability of the Protector, if placed in the DocumentRoot

This is for all versions of XOOPS, if the XOOPS_TRUST_PATH (or xoops_lib) directory that contains the Protector, is placed in the DocumentRoot

As we've always communicated to you (e.g. in this article A Guide to Make your XOOPS Installation even more secure), the best solution is to place your xoops_lib folder outside of webroot path. You should also change the name of xoops_lib to something different, and modify the mainfile.php accordingly.

If you are not allowed to do so, add .htaccess to protect your Protector module:

 orderÂ deny,allowÂ  
Â denyÂ fromÂ all

The .htaccess should be placed in /xoops_lib or whatever the name of your XOOPS_TRUST_PATH is.

If .htaccess is not allowed or enabled on your server, turn off global_register on your server.

If you are not allowed to do any of the above, then the only solution is to remove Protector module from your server and wait for a complete fix of the module.

Of course, the best scenario would be to have clean and safe code. Unfortunately, we've missed this security bug, but we're working on the solution and will release it soon.

XOOPS 2.3.2b - Security Release

Sun, 07 Dec 2008 12:10:00 +0000

The security is always on top of the list of XOOPS Developers. Therefore the XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2b, an improved XOOPS 2.3.x release.

This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Sercurity Research Group (or DSRG), potential local file inclusion vulnerability reported by DSRG, autologin bug reported by Dylian, a backward bug in data synchronization reported by boy0917 as well as a bug in xoopsmailer reported by ezsky.

In the 2.3.2b release we have further improved security fixes with help from DSRG.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package for local file inclusion issues.

Download from Sourceforge repository.

Protector Security Fix for XOOPS 2.0.x and 2.2.x users

Fri, 28 Nov 2008 14:10:00 +0000

Security is always the highest priority for XOOPS, and therefore we are releasing Security Updates as soon as we find a viable solution.

This is a temporary quick fix for Protector module, addressing potential local file inclusion vulnerability reported by DSRG. We hope that GIJOE, the author of Protector, will address this issue in future releases.

It is included in XOOPS 2.3.2a Security release, but if you're using Protector on XOOPS 2.0.x or 2.2.x, and your XOOPS_TRUST_PATH is located inside the Root, you are advised to upgrade to the version included in this package.

If your XOOPS_TRUST_PATH is outside of the Root (as you should!), you're not affected by this vulnerability.

For more information on how to make your XOOPS installation more secure, please read this article

Download the fix here

XOOPS Development Team
November 28th, 2008

XOOPS 2.3.2a - Security Release

Wed, 26 Nov 2008 06:30:00 +0000

The XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2a

This release is solely for a couple of critical security fixes, including an XSS vulnerability reported by Digital Research Group, potential local file inclusion vulnerability reported by DSG, Autologin bug reported by Dylian and a backward bug in data synchronization reported by boy0917.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the security issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package.

Download from Sourceforge repository.

A Guide to Make your XOOPS Installation even more secure

Sat, 13 Sep 2008 20:30:00 +0000

The reason for writing this guide is NOT because XOOPS CMS-system isnât secure enough.

Itâs written to give new XOOPS'ers a chance to make, with a few changes, a secure installation even more secure. We believe, that existing users also can use the guide, for securing an already installed XOOP website.

This guide is written for XOOPS version 2.3.3RC as Core-version.

Security Update for Bluemoon Modules

Mon, 28 Apr 2008 15:20:00 +0000

We found XSS valnabirity at our sources.

Backpack v0.91 or before
Bmsurvey v0.84 or before
Newbb_fileup v1.83 or before
News_embed v1.44 ( news_fileup ) or before
Popnupblog v3.19 or before

If you are using those scripts we recommend update immediately.
Jump to vendor site

WF-Sections V2: New Exploits and Security Issues (Users MUST READ this)

Tue, 15 Apr 2008 08:00:00 +0000

As always, XOOPS developers are committed to ensuring the highest security of XOOPS code. The message below comes from Catzwolf:

Quote:

If you are still using WF-Sections v1+ and v2+ then I suggest that you read this please.

It has come to my attention that there is a few very bad security exploits that some people could use to gain access to your website. I suggest that all users of this module should either:

1. Deactivate the module for the time being (recommended) or..
2. Renaming XOOPS_ROOT_PATH/modules/wfsections/ratefile.php and print.php.

I am now in the process of doing a full audit of all the WF-Sections code and closing these and all possible security risks that may arise in the future.

I will keep you all posted on an update.

John (AkA Catzwolf)

To follow the story, please visit our discussion Forum.