<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
    <channel>
        <title>XOOPS Web Application System</title>
        <link>https://xoops.org/</link>
        <description>Powered by You!</description>
        <lastBuildDate>Fri, 17 Jul 2026 00:29:23 +0000</lastBuildDate>
        <docs>https://backend.userland.com/rss/</docs>
        <generator>XOOPS</generator>
        <category>Security</category>
        <managingEditor>webmaster at xoops dot org</managingEditor>
        <webMaster>webmaster at xoops dot org</webMaster>
        <language>en</language>
                    <image>
                <title>XOOPS Web Application System</title>
                <url>https://xoops.org/images/logo.gif</url>
                <link>https://xoops.org/</link>
                <width>144</width>
                <height>48</height>
            </image>
                            <item>
                <title>Security Patch for XOOPS 2.5.6</title>
                <link>https://xoops.org/modules/news/article.php?storyid=6545</link>
                <description>As always, security is on top of priority list of XOOPS! &lt;br&gt;&lt;br&gt;Current users of &lt;strong&gt;XOOPS 2.5.6&lt;/strong&gt; are encouraged to download and apply a Security Patch. &lt;br&gt;&lt;br&gt;&lt;strong&gt;Download: &lt;a href=&quot;http://sourceforge.net/projects/xoops/files/XOOPS%20Core%20Patches/xoops_2.5.6_SecurityPatch_htdocs.zip/download&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;SourceForge File Repository&lt;/a&gt;&lt;/strong&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;This security patch fixes some potential XSS issues discovered by Mehdi Dadkhah and fixed by Richard Griffith.&lt;br&gt;&lt;br&gt;While 2.5.6 Websites that have currently installed Protector are safe from this XSS vulnerability, we &lt;span style=&quot;text-decoration: underline;&quot;&gt;&lt;strong&gt;recommend strongly&lt;/strong&gt;&lt;/span&gt; to &lt;span style=&quot;text-decoration: underline;&quot;&gt;&lt;strong&gt;apply this patch to ALL XOOPS 2.5.6 Websites&lt;/strong&gt;&lt;/span&gt;. &lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;span style=&quot;color: #FF0000;&quot;&gt;&lt;strong&gt;It is not enough to stress that you should ALWAYS have Protector installed!!!&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;strong&gt;How to Apply the Patch:&lt;/strong&gt;&lt;br&gt;--------------------------&lt;br&gt;&lt;span style=&quot;color: #FF0000;&quot;&gt;&lt;strong&gt;You will need as minimum PHP 5.3.7&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;br&gt;Just copy ALL the files from /htdocs folder in this Zip file to your XOOPS Website. &lt;br&gt;No other action is needed.&lt;br&gt;&lt;br&gt;&lt;br&gt;==============================================&lt;br&gt;&lt;strong&gt;For users of XOOPS Versions older than 2.5.6&lt;/strong&gt;&lt;br&gt;==============================================&lt;br&gt;&lt;br&gt;Please update AS SOON AS POSSIBLE to XOOPS 2.5.6. As always, the current versions are always the most stable and safest, i.e. older versions might be open to vulnerabilities that has been already fixed in the current version. &lt;br&gt;&lt;br&gt;As of today, all XOOPS 2.5.6 versions available for download have been all patched. &lt;br&gt;&lt;br&gt;Wishing everybody Happy and Safe Xoopsing! &lt;br&gt;&lt;br&gt;&lt;strong&gt;XOOPS Core Team&lt;br&gt;2013-09-24&lt;/strong&gt;</description>
                <pubDate>Tue, 24 Sep 2013 19:40:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=6545</guid>
            </item>
                    <item>
                <title>Security Patch for XOOPS 2.5.5</title>
                <link>https://xoops.org/modules/news/article.php?storyid=6430</link>
                <description>Current users of XOOPS 2.5.5 are encouraged to download and apply a &lt;a href=&quot;http://sourceforge.net/projects/xoops/files/XOOPS%20Core%20Patches/xoops_2.5.5_SecurityPatch_htdocs.zip/download&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;&lt;strong&gt;Security Patch&lt;/strong&gt;&lt;/a&gt;. &lt;br&gt;&lt;br&gt;This patch is included in the upcoming &lt;a href=&quot;https://xoops.org/modules/news/article.php?storyid=6429&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;&lt;strong&gt;XOOPS 2.5.6&lt;/strong&gt;&lt;/a&gt;, which should be released in the next couple of weeks, after the testing of the Beta version is done. &lt;br&gt;&lt;br&gt;&lt;strong&gt;Download: &lt;/strong&gt;&lt;a href=&quot;http://sourceforge.net/projects/xoops/files/XOOPS%20Core%20Patches/xoops_2.5.5_SecurityPatch_htdocs.zip/download&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;SourceForge File Repository&lt;/a&gt;</description>
                <pubDate>Thu, 24 Jan 2013 01:09:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=6430</guid>
            </item>
                    <item>
                <title>Security Patch for XOOPS 2.3.3</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4961</link>
                <description>As discussed previously in forums, there are potential vulnerabilities identified in:&lt;br&gt;&lt;br&gt;a) &lt;a href=&quot;https://xoops.org/modules/newbb/viewtopic.php?topic_id=69057&amp;forum=2&amp;post_id=315019#forumpost315019&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;PM &lt;/a&gt; &lt;br&gt;b) &lt;a href=&quot;https://xoops.org/modules/newbb/viewtopic.php?topic_id=68771&amp;forum=2&amp;post_id=312866#forumpost312866&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;Protector &lt;/a&gt;&lt;br&gt;&lt;br&gt;modules.&lt;br&gt;&lt;br&gt;While (a) is addressed by having Protector installed, and (b) is addressed by having &quot;register_globals&quot; disabled and having XOOPS_TRUST_PATH outside of the Document Root, we&apos;ve addressed the issues in XOOPS 2.4. &lt;br&gt;&lt;br&gt;However, since we don&apos;t know when exactly we&apos;ll release XOOPS 2.4, we&apos;re releasing this Security Patch for XOOPS 2.3.3 users.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Download:&lt;/strong&gt; &lt;a href=&quot;http://sourceforge.net/projects/xoops/files/XOOPS%20Core%20Patches/xoops_2.3.3_SecurityPatch_htdocs.zip/download&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;SourceForge XOOPS&lt;/a&gt;. &lt;br&gt;&lt;br&gt;&lt;strong&gt;Installation:&lt;/strong&gt; See the ReadMe.txt file&lt;br&gt;&lt;br&gt;You are highly encouraged to implement the patch to your existing XOOPS 2.3.3 system.&lt;br&gt;&lt;br&gt;Special thanks to Trabis, who addressed these issues.</description>
                <pubDate>Thu, 20 Aug 2009 13:10:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4961</guid>
            </item>
                    <item>
                <title>Vulnerability in Protector if placed in DocumentRoot</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4601</link>
                <description>We&apos;ve been made aware of a &lt;a href=&quot;http://www.securityfocus.com/bid/33176&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;vulnerability of the Protector, if placed in the DocumentRoot&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style=&quot;color: #FF0000;&quot;&gt;This is for all versions of XOOPS, if the XOOPS_TRUST_PATH (or xoops_lib) directory that contains the Protector, is placed in the DocumentRoot&lt;/span&gt;&lt;br&gt;&lt;br&gt;As we&apos;ve always communicated to you (e.g. in this article &lt;a href=&quot;https://xoops.org/modules/news/article.php?storyid=4431&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;A Guide to Make your XOOPS Installation even more secure&lt;/a&gt;), the best solution is to place your &lt;em&gt;&lt;strong&gt;xoops_lib&lt;/strong&gt;&lt;/em&gt; folder outside of webroot path. You should also change the name of &lt;em&gt;&lt;strong&gt;xoops_lib&lt;/strong&gt;&lt;/em&gt; to something different, and modify the mainfile.php accordingly.&lt;br&gt;&lt;br&gt;If you are not allowed to do so, add .htaccess to protect your Protector module:&lt;br&gt;&lt;br&gt;&lt;div class=&quot;xoopsCode&quot;&gt;le=&quot;color: #000000&quot;&gt;&lt;span style=&quot;color: #0000BB&quot;&gt;&amp;lt;?php order deny&lt;/span&gt;&lt;span style=&quot;color: #007700&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #0000BB&quot;&gt;allow deny from all&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;br&gt;The .htaccess should be placed in /xoops_lib or whatever the name of your XOOPS_TRUST_PATH is.&lt;br&gt;&lt;br&gt;If .htaccess is not allowed or enabled on your server, turn off &lt;em&gt;global_register&lt;/em&gt; on your server.&lt;br&gt;&lt;br&gt;If you are not allowed to do any of the above, then the only solution is to remove Protector module from your server and wait for a complete fix of the module.&lt;br&gt;&lt;br&gt;Of course, the best scenario would be to have clean and safe code. Unfortunately, we&apos;ve missed this security bug, but we&apos;re working on the solution and will release it soon.</description>
                <pubDate>Fri, 09 Jan 2009 09:30:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4601</guid>
            </item>
                    <item>
                <title>XOOPS 2.3.2b  -  Security Release</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4563</link>
                <description>The security is always on top of the list of XOOPS Developers. Therefore the XOOPS Development Team is pleased to announce the release of &lt;strong&gt;&lt;span style=&quot;color: #FF0000;&quot;&gt;XOOPS 2.3.2b&lt;/span&gt;&lt;/strong&gt;, an improved XOOPS 2.3.x release.&lt;br&gt;&lt;br&gt;This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Sercurity Research Group (or DSRG), potential local file inclusion vulnerability reported by DSRG, autologin bug reported by Dylian, a backward bug in data synchronization reported by boy0917 as well as a bug in xoopsmailer reported by ezsky.&lt;br&gt;&lt;br&gt;In the 2.3.2b release we have further improved security fixes with help from DSRG.&lt;br&gt;&lt;br&gt;&lt;span style=&quot;color: #FF0000;&quot;&gt;&lt;strong&gt;All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;span style=&quot;color: #CC0000;&quot;&gt;XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed here.&lt;/span&gt; However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package for local file inclusion issues.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Download from &lt;a href=&quot;https://sourceforge.net/project/showfiles.php?group_id=41586&amp;package_id=153583&amp;release_id=643845&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;Sourceforge repository&lt;/a&gt;.&lt;/strong&gt;</description>
                <pubDate>Sun, 07 Dec 2008 12:10:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4563</guid>
            </item>
                    <item>
                <title>Protector Security Fix for XOOPS 2.0.x and 2.2.x users</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4544</link>
                <description>Security is always the highest priority for XOOPS, and therefore we are releasing Security Updates as soon as we find a viable solution.&lt;br&gt;&lt;br&gt;This is a temporary quick fix for &lt;strong&gt;&lt;a href=&quot;https://xoops.org/modules/repository/singlefile.php?cid=59&amp;lid=1687&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;Protector&lt;/a&gt;&lt;/strong&gt; module, addressing potential local file inclusion vulnerability reported by DSRG. We hope that GIJOE, the author of Protector, will address this issue in future releases.&lt;br&gt;&lt;br&gt;&lt;strong&gt;It is included in XOOPS 2.3.2a Security release, but if you&apos;re using Protector on XOOPS 2.0.x or 2.2.x, and your XOOPS_TRUST_PATH is located inside the Root, you are advised to upgrade to the version included in this package.&lt;/strong&gt;&lt;br&gt;&lt;br&gt;&lt;span style=&quot;color: #CC0000;&quot;&gt;If your XOOPS_TRUST_PATH is outside of the Root (as you should!), you&apos;re not affected by this vulnerability.&lt;/span&gt; &lt;br&gt;&lt;br&gt;For more information on how to make your XOOPS installation more secure, please &lt;a href=&quot;https://xoops.org/modules/news/article.php?storyid=4431&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;read this article&lt;/a&gt;&lt;br&gt;&lt;br&gt;Download the fix &lt;a href=&quot;http://internap.dl.sourceforge.net/sourceforge/xoops/xoops2-mod_xoopsprotector_v3.20cFix.zip&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;here&lt;/a&gt;&lt;br&gt;&lt;br&gt;XOOPS Development Team&lt;br&gt;November 28th, 2008</description>
                <pubDate>Fri, 28 Nov 2008 14:10:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4544</guid>
            </item>
                    <item>
                <title>XOOPS 2.3.2a  -  Security Release</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4540</link>
                <description>The XOOPS Development Team is pleased to announce the release of &lt;strong&gt;&lt;span style=&quot;color: #FF0000;&quot;&gt;XOOPS 2.3.2a&lt;/span&gt;&lt;/strong&gt;&lt;br&gt;&lt;br&gt;This release is solely for a couple of critical security fixes, including an XSS vulnerability reported by Digital Research Group, potential local file inclusion vulnerability reported by DSG, Autologin bug reported by Dylian and a backward bug in data synchronization reported by boy0917.&lt;br&gt;&lt;br&gt;&lt;span style=&quot;color: #FF0000;&quot;&gt;&lt;strong&gt;All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;span style=&quot;color: #CC0000;&quot;&gt;XOOPS 2.0 and 2.2 versions are not vulnerable to the security issues addressed here.&lt;/span&gt; However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Download from &lt;a href=&quot;https://sourceforge.net/project/showfiles.php?group_id=41586&amp;package_id=153583&amp;release_id=643010&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;Sourceforge repository&lt;/a&gt;.&lt;/strong&gt;</description>
                <pubDate>Wed, 26 Nov 2008 06:30:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4540</guid>
            </item>
                    <item>
                <title>A Guide to Make your XOOPS Installation even more secure</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4431</link>
                <description>The reason for writing this guide is &lt;/span&gt;&lt;span lang=&quot;en-US&quot; style=&quot;font-size: small&quot;&gt;&lt;strong&gt;NOT &lt;/strong&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small; &quot;&gt;because XOOPS CMS-system isnât secure enough.&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt; &lt;p&gt;&lt;span lang=&quot;en-US&quot;&gt;Itâs written to give new XOOPS&apos;ers a chance to make, with a few changes, a secure installation even more secure. We believe, that existing users also can use the guide, for securing an already installed XOOP website.&lt;br /&gt;&lt;br /&gt;This guide is written for XOOPS version 2.3.3RC as Core-version.&lt;span style=&quot;font-size: x-small; color: #000080;&quot;&gt;</description>
                <pubDate>Sat, 13 Sep 2008 20:30:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4431</guid>
            </item>
                    <item>
                <title>Security Update for Bluemoon Modules</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4235</link>
                <description>We found XSS valnabirity at our sources.&lt;br&gt;&lt;br&gt;Backpack v0.91 or before&lt;br&gt;Bmsurvey v0.84 or before&lt;br&gt;Newbb_fileup v1.83 or before&lt;br&gt;News_embed v1.44 ( news_fileup ) or before&lt;br&gt;Popnupblog v3.19 or before&lt;br&gt;&lt;br&gt;If you are using those scripts we recommend update immediately.&lt;br&gt;&lt;a href=&quot;http://www.bluemooninc.biz/~xoops2/modules/news/article.php?storyid=33&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;Jump to vendor site&lt;/a&gt;</description>
                <pubDate>Mon, 28 Apr 2008 15:20:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4235</guid>
            </item>
                    <item>
                <title>WF-Sections V2: New Exploits and Security Issues (Users MUST READ this)</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4220</link>
                <description>As always, XOOPS developers are committed to ensuring the highest security of XOOPS code. The message below comes from Catzwolf:&lt;br&gt;&lt;br&gt;Quote:&lt;div class=&quot;xoopsQuote&quot;&gt;&lt;blockquote&gt;&lt;br&gt;If you are still using WF-Sections v1+ and v2+ then I suggest that you read this please.&lt;br&gt;&lt;br&gt;It has come to my attention that there is a few very bad security exploits that some people could use to gain access to your website. I suggest that all users of this module should either:&lt;br&gt;&lt;br&gt;1. Deactivate the module for the time being (recommended) or..&lt;br&gt;2. Renaming XOOPS_ROOT_PATH/modules/wfsections/ratefile.php and print.php.&lt;br&gt;&lt;br&gt;I am now in the process of doing a full audit of all the WF-Sections code and closing these and all possible security risks that may arise in the future.&lt;br&gt;&lt;br&gt;I will keep you all posted on an update.&lt;br&gt;&lt;br&gt;John (AkA Catzwolf)&lt;/blockquote&gt;&lt;/div&gt;&lt;br&gt;To follow the story, please visit &lt;a href=&quot;https://xoops.org/modules/newbb/viewtopic.php?post_id=287148#forumpost287148&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;our discussion Forum&lt;/a&gt;.</description>
                <pubDate>Tue, 15 Apr 2008 08:00:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4220</guid>
            </item>
                    <item>
                <title>XoopsGallery Module &apos;init_basic.php&apos; Remote File Include Vulnerability</title>
                <link>https://xoops.org/modules/news/article.php?storyid=4093</link>
                <description>XoopsGallery is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.&lt;br&gt;&lt;br&gt;XoopsGallery 1.3.3.9 has been confirmed vulnerable.&lt;br&gt;&lt;br&gt;we advise you to upgrade to XoopsGallery 2.1+ or inactivate the module &lt;strong&gt;immediately&lt;/strong&gt; until this issue is solved.&lt;br&gt;&lt;br&gt;Thank SecurityFocus, Eugene Minaev and &lt;a href=&quot;https://xoops.org/userinfo.php?uid=28579&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;Northern&lt;/a&gt; .</description>
                <pubDate>Fri, 11 Jan 2008 15:18:07 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=4093</guid>
            </item>
                    <item>
                <title>vulnerability in phpmailer</title>
                <link>https://xoops.org/modules/news/article.php?storyid=3801</link>
                <description>&lt;a href=&quot;http://sourceforge.net/tracker/index.php?func=detail&amp;aid=1734811&amp;group_id=26031&amp;atid=385707&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;A vulnerability is reported in PHPMailer&lt;/a&gt;, which can be exploited by malicious people to compromise a vulnerable system if Sendmail method is enabled.&lt;br&gt;&lt;br&gt;Although the issue is not critical in XOOPS environment, we would suggest to switch to other methods than Sendmail, or to download quick fixes:&lt;br&gt;&lt;a href=&quot;http://xoopsforge.com/mailer/xoops20-phpmailer.zip&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;fix for XOOPS 2.0*&lt;/a&gt;&lt;br&gt;&lt;a href=&quot;http://xoopsforge.com/mailer/xoops22-phpmailer.zip&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;fix for XOOPS 2.2*&lt;/a&gt;&lt;br&gt;&lt;br&gt;Note: official response and solutions are still being waited from phpmailer development group, and will be released in XOOPS 2.017 and XOOPS 2.25&lt;br&gt;&lt;br&gt;Thank GIJOE, irmtfan, vaughan etc for reporting and solutions.</description>
                <pubDate>Thu, 14 Jun 2007 12:37:52 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=3801</guid>
            </item>
                    <item>
                <title>vulnerability in SPAW editor</title>
                <link>https://xoops.org/modules/news/article.php?storyid=3799</link>
                <description>Vulnerability was reported in some version of the SPAW editor, which is used by some of XOOPS third-party modules.&lt;br&gt;&lt;br&gt;Module &quot;tinycontent&quot; is one of the modules using SPAW. Although we are not sure which version(s) is vulnerable, we suggest disable SPAW in tinycontent and remove the &quot;modules/tinycontent/admin/spaw/&quot; folder from your server.</description>
                <pubDate>Wed, 13 Jun 2007 04:05:22 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=3799</guid>
            </item>
                    <item>
                <title>Easyhosting to consider withdrawal of support for Xoops</title>
                <link>https://xoops.org/modules/news/article.php?storyid=3787</link>
                <description>Following a hack on one of our websites, the site hosters have claimed that the hack occured because of insecurity in the Xoops systems.</description>
                <pubDate>Sun, 03 Jun 2007 23:39:42 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=3787</guid>
            </item>
                    <item>
                <title>Security Hole in XOOPS 2.2 - hotfix available</title>
                <link>https://xoops.org/modules/news/article.php?storyid=2459</link>
                <description>We have been made aware of a grave unintended exploitability in XOOPS 2.2 that could reveal your database username and password.&lt;br&gt;&lt;br&gt;Everybody using XOOPS 2.2, get this hotfix &lt;a href=&quot;http://prdownloads.sourceforge.net/xoops/XOOPS_2.2_Hotfix280705.zip?download&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;(.zip)&lt;/a&gt; | &lt;a href=&quot;http://prdownloads.sourceforge.net/xoops/XOOPS_2.2_Hotfix280705.tar.gz?download&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;(.tar.gz)&lt;/a&gt;&lt;br&gt;and get it NOW. Upload the contents to your webserver, overwriting the existing files.&lt;br&gt;&lt;br&gt;To translators: Note that the error message in the system module has changed.</description>
                <pubDate>Thu, 28 Jul 2005 07:56:51 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=2459</guid>
            </item>
                    <item>
                <title>Security Release: XOOPS 2.0.12a</title>
                <link>https://xoops.org/modules/news/article.php?storyid=2383</link>
                <description>Just last Friday, we released XOOPS v2.0.11, but during the weekend, I had a great deal of communication with James from &lt;a href=&quot;http://gulftech.org/&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;GulfTech Security Research&lt;/a&gt;, who helped me find and fix a couple of holes in the XML-RPC interface and the comment system.&lt;br&gt;&lt;br&gt;Also, work done by XOOPS JP and JM2 and the zx team helped with a couple of other bugs and issues.&lt;br&gt;&lt;br&gt;We therefore recommend everyone to upgrade to &lt;strong&gt;version 2.0.12a&lt;/strong&gt;, available from this site.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Upgrade instructions:&lt;/strong&gt;&lt;br&gt;1. Download patch&lt;br&gt;2. Extract patch&lt;br&gt;3. Upload patch to webserver (NOTE: ONLY upload modules/newbb/post.php if you use Newbb version 1.0)&lt;br&gt;4. Update System Module&lt;br&gt;5. That&apos;s it</description>
                <pubDate>Tue, 28 Jun 2005 18:10:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=2383</guid>
            </item>
                    <item>
                <title>Security Bulletin: TURN OFF CUSTOM AVATAR UPLOAD</title>
                <link>https://xoops.org/modules/news/article.php?storyid=2114</link>
                <description>A vulnerability has been reported in the XOOPS core that allows registered users to upload possibly malicious scripts to the webserver.&lt;br&gt;&lt;br&gt;The vulnerability is in the upload of custom avatars and until we have complete overview of the consequences and correction of this exploit, we advise all XOOPS site administrators to TURN OFF CUSTOM AVATAR UPLOAD in System Admin -&amp;gt; Preferences -&amp;gt; User Info Settings -&amp;gt; &amp;quot;Allow Custom Avatar Upload&amp;quot;&lt;br&gt;&lt;br&gt;ALSO, do NOT allow any non-trusted users to upload images through the image manager. i.e. in Administration Menu -&amp;gt; System Admin -&amp;gt; Images edit each and every category to NOT allow uploading by non-trusted usergroups. &lt;br&gt;&lt;br&gt;We will keep you informed as soon as we have a fix for this exploit.&lt;br&gt;&lt;br&gt;XOOPS Core Development Team</description>
                <pubDate>Tue, 08 Mar 2005 07:30:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=2114</guid>
            </item>
                    <item>
                <title>Preventing IE6 from blocking I-stats cookies</title>
                <link>https://xoops.org/modules/news/article.php?storyid=1536</link>
                <description>I use I-stats, a pretty decent stats module. The thing is that my IE6 keeps flagging up a cookie block from this module and thereby messing up my stats by presenting every pageview as a unique visitor.&lt;br&gt;&lt;br&gt;I asked around and was unable to get answers in the forum, so I did some research myself. The quick solution?</description>
                <pubDate>Thu, 10 Jun 2004 13:14:28 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=1536</guid>
            </item>
                    <item>
                <title>PHLAK 0.2</title>
                <link>https://xoops.org/modules/news/article.php?storyid=1159</link>
                <description>The PHLAK team over at &lt;a href=&quot;http://www.phlak.org&quot; target=&quot;_blank&quot; rel=&quot;external noopener nofollow&quot;&gt;http://www.phlak.org&lt;/a&gt; will be releasing PHLAK 0.2 very soon. PHLAK is a modular live security distribution. It includes tools to perform network analysis, vulberability assessment, mitm attacks, forensics and more. PHLAK has chosen Xoops to be the structural base of their website. Come check us out.</description>
                <pubDate>Sun, 07 Dec 2003 11:22:48 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=1159</guid>
            </item>
                    <item>
                <title>Directory traversal vulnerability on Xoops CMS module &quot;tutorials&quot;</title>
                <link>https://xoops.org/modules/news/article.php?storyid=844</link>
                <description>Short description: &lt;br&gt;&lt;br&gt;An attacker can use this flaw to execute arbitrary code of his choice on the remote system, run with the privileges of httpd. The code can be written in any scripting language whose parser is run in the remote system in cooporation with httpd, whether as module or executable.&lt;br&gt;&lt;br&gt;&lt;br&gt;Details:</description>
                <pubDate>Sun, 15 Jun 2003 14:42:46 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=844</guid>
            </item>
                    <item>
                <title>PHP 4.3.1 released in response to CGI vulnerability</title>
                <link>https://xoops.org/modules/news/article.php?storyid=659</link>
                <description>The PHP Group today announced the details of a serious &lt;a href=&quot;http://www.php.net/release_4_3_1.php&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;CGI vulnerability&lt;/a&gt; in PHP version 4.3.0. A security update, &lt;a href=&quot;http://www.php.net/downloads.php&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;PHP 4.3.1&lt;/a&gt; , fixes the issue. Everyone running affected version of PHP (as CGI) are encouraged to upgrade immediately. The new 4.3.1 release does not include any other changes, so upgrading from 4.3.0 is safe and painless. &lt;br&gt;</description>
                <pubDate>Tue, 18 Feb 2003 11:31:09 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=659</guid>
            </item>
                    <item>
                <title>MySQL 3.23.55 Released</title>
                <link>https://xoops.org/modules/news/article.php?storyid=628</link>
                <description>MySQL 3.23.55, a new version of the popular Open Source Database, has been&lt;br&gt;released. It is now available in source and binary form for a number of&lt;br&gt;platforms from our download pages at &lt;a href=&quot;http://www.mysql.com/downloads/&quot; target=&quot;_blank&quot; rel=&quot;external noopener nofollow&quot;&gt;http://www.mysql.com/downloads/&lt;/a&gt; and&lt;br&gt;mirror sites.&lt;br&gt;&lt;br&gt;Note that not all mirror sites may be up to date at this point of time -&lt;br&gt;if you can&apos;t find this version on some mirror, please try again later or&lt;br&gt;choose another download site.&lt;br&gt;</description>
                <pubDate>Sat, 01 Feb 2003 02:44:10 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=628</guid>
            </item>
                    <item>
                <title>PHP Buffer Overflow in Wordwrap() Function May Let Remote Users Crash the Server</title>
                <link>https://xoops.org/modules/news/article.php?storyid=586</link>
                <description>in: &lt;a href=&quot;http://www.securitytracker.com/alerts/2002/Dec/1005863.html&quot; target=&quot;_blank&quot; rel=&quot;external noopener nofollow&quot;&gt;http://www.securitytracker.com/alerts/2002/Dec/1005863.html&lt;/a&gt;&lt;br&gt;&lt;br&gt;SecurityTracker Alert ID: 1005863 &lt;br&gt;CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site) &lt;br&gt;Date: Dec 27 2002 &lt;br&gt; &lt;br&gt;Impact: Denial of service via network, Execution of arbitrary code via network, User access via network&lt;br&gt; &lt;br&gt;Fix Available: Yes Vendor Confirmed: Yes &lt;br&gt; &lt;br&gt;Version(s): after 4.1.2 and before 4.3.0 &lt;br&gt; &lt;br&gt;Description: A buffer overflow vulnerability was reported in PHP. A remote user could cause the web service to crash or possibly execute arbitrary code. &lt;br&gt; &lt;br&gt;</description>
                <pubDate>Tue, 31 Dec 2002 09:41:00 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=586</guid>
            </item>
                    <item>
                <title>Security vulnerability in Gallery 1.1, 1.2.x, 1.3</title>
                <link>https://xoops.org/modules/news/article.php?storyid=362</link>
                <description>Anybody using Gallery on your site should upgrade it right now. There will be no change to the files included in &lt;a href=&quot;https://xoops.org/modules/mydownloads/singlefile.php?lid=165&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;XOOPS patch for Gallery&lt;/a&gt;, so just upgrade your Gallery to the latest version, and apply the XOOPS patch again if you would like to keep using it as an XOOPS module.&lt;br&gt;&lt;br&gt;Quote:&lt;div class=&quot;xoopsQuote&quot;&gt;&lt;blockquote&gt;&lt;br&gt;An alert system administrator for PowerTech an ISP in Norway discovered a security vulnerability in Gallery yesterday. This security hole is a serious one; with it a malicious user can install a backdoor on your system and gain shell access with the same privileges as your webserver user. It&apos;s important that you realize that there are malicious people exploiting this bug *right* *now*. Read through to the bottom of this email for a list of IP addresses of sites that we believe may already be hacked, and ways to detect if you&apos;ve been hacked.&lt;br&gt;&lt;br&gt;Update: The most secure version of Gallery available is v1.3.1-cvs-b13. Upgrade ASAP.&lt;br&gt;&lt;/blockquote&gt;&lt;/div&gt;&lt;br&gt;&lt;br&gt;Source: &lt;a href=&quot;http://gallery.menalto.com/modules.php?op=modload&amp;name=News&amp;file=article&amp;sid=50&amp;mode=thread&amp;order=0&amp;thold=0&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;News at Gallery website&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;You can also download the patch at &lt;a href=&quot;http://www.digilogo.net/xoops/modules/mydownloads/singlefile.php?lid=43&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;&lt;a href=&quot;http://www.xoops.it/&quot; target=&quot;_blank&quot; rel=&quot;external noopener nofollow&quot;&gt;http://www.xoops.it/&lt;/a&gt;&lt;/a&gt; where you can find some detailed instructions for installing Gallery as a XOOPS module.</description>
                <pubDate>Fri, 02 Aug 2002 20:57:08 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=362</guid>
            </item>
                    <item>
                <title>Security hole in PHP</title>
                <link>https://xoops.org/modules/news/article.php?storyid=163</link>
                <description>A security issue was found in all versions of PHP, including 3.x and 4.x versions. If you are running PHP on your server (i&apos;m sure you all here are &lt;img class=&quot;imgsmile&quot; src=&quot;https://xoops.org/uploads/smil42e7a65fee35d.gif&quot; alt=&quot;&quot; /&gt;), either upgrade your php or install the patch found at &lt;a href=&quot;http://www.php.net/&quot; rel=&quot;noopener external&quot; title=&quot;&quot;&gt;php.net&lt;/a&gt;. If you can&apos;t upgrade your php, because your site is hosted by an ISP, tell them to do so as soon as possible. This is NOT a security hole of XOOPS. It doesn&apos;t matter which php script you use on your server, since this is a problem in PHP itself. -- Update -- By BoobToob, Thursday Feb. 28th, 2002 Please read the full text of this artile. I posted the submission from &lt;a href=http://online.securityfocus.com/archive/1/258662&gt;Security Focus&lt;/a&gt; that gets very specific about what versions of PHP are affected and how to plug your current holes. I&apos;m sending this to my ISP as we speak. Eric Caldwell aka BoobToob</description>
                <pubDate>Thu, 28 Feb 2002 13:05:19 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=163</guid>
            </item>
                    <item>
                <title>&quot;Nukes&quot; Security Hole !!</title>
                <link>https://xoops.org/modules/news/article.php?storyid=39</link>
                <description>I run the site &lt;a href=http://groundzero.xtremeoverclockers.com target=blank&gt;GroundZero&lt;/a&gt;. A while back it got hacked several times in a row. All that was done was replacing the index so not really a big deal but annoying. I now know how they were able to gain access to my site and they could very easily do it to some of yours... </description>
                <pubDate>Thu, 10 Jan 2002 01:33:26 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=39</guid>
            </item>
                    <item>
                <title>Remove your install.php!</title>
                <link>https://xoops.org/modules/news/article.php?storyid=37</link>
                <description>I checked several sites which uses XOOPS and found out some of them didn&apos;t delete the install script. The sites i checked received a email about it. Be warned!&lt;br&gt;&lt;br&gt;</description>
                <pubDate>Tue, 08 Jan 2002 15:55:31 +0000</pubDate>
                <guid>https://xoops.org/modules/news/article.php?storyid=37</guid>
            </item>
            </channel>
</rss>
