news
RSS feed

XoopsGallery Module 'init_basic.php' Remote File Include Vulnerability

XoopsGallery is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

XoopsGallery 1.3.3.9 has been confirmed vulnerable.

we advise you to upgrade to XoopsGallery 2.1+ or inactivate the module immediately until this issue is solved.

Thank SecurityFocus, Eugene Minaev and Northern .
Read more... | 4 comments

vulnerability in phpmailer

A vulnerability is reported in PHPMailer, which can be exploited by malicious people to compromise a vulnerable system if Sendmail method is enabled.

Although the issue is not critical in XOOPS environment, we would suggest to switch to other methods than Sendmail, or to download quick fixes:
fix for XOOPS 2.0*
fix for XOOPS 2.2*

Note: official response and solutions are still being waited from phpmailer development group, and will be released in XOOPS 2.017 and XOOPS 2.25

Thank GIJOE, irmtfan, vaughan etc for reporting and solutions.
Read more... | 22 comments

vulnerability in SPAW editor

Vulnerability was reported in some version of the SPAW editor, which is used by some of XOOPS third-party modules.

Module "tinycontent" is one of the modules using SPAW. Although we are not sure which version(s) is vulnerable, we suggest disable SPAW in tinycontent and remove the "modules/tinycontent/admin/spaw/" folder from your server.
Read more... | 12 comments

Easyhosting to consider withdrawal of support for Xoops

Following a hack on one of our websites, the site hosters have claimed that the hack occured because of insecurity in the Xoops systems.
Read more... | 960 bytes more | 12 comments

Security Hole in XOOPS 2.2 - hotfix available

We have been made aware of a grave unintended exploitability in XOOPS 2.2 that could reveal your database username and password.

Everybody using XOOPS 2.2, get this hotfix (.zip) | (.tar.gz)
and get it NOW. Upload the contents to your webserver, overwriting the existing files.

To translators: Note that the error message in the system module has changed.
Read more... | 35 comments

Security Release: XOOPS 2.0.12a

Just last Friday, we released XOOPS v2.0.11, but during the weekend, I had a great deal of communication with James from GulfTech Security Research, who helped me find and fix a couple of holes in the XML-RPC interface and the comment system.

Also, work done by XOOPS JP and JM2 and the zx team helped with a couple of other bugs and issues.

We therefore recommend everyone to upgrade to version 2.0.12a, available from this site.

Upgrade instructions:
1. Download patch
2. Extract patch
3. Upload patch to webserver (NOTE: ONLY upload modules/newbb/post.php if you use Newbb version 1.0)
4. Update System Module
5. That's it
Read more... | 2986 bytes more | 104 comments

Security Bulletin: TURN OFF CUSTOM AVATAR UPLOAD

A vulnerability has been reported in the XOOPS core that allows registered users to upload possibly malicious scripts to the webserver.

The vulnerability is in the upload of custom avatars and until we have complete overview of the consequences and correction of this exploit, we advise all XOOPS site administrators to TURN OFF CUSTOM AVATAR UPLOAD in System Admin -> Preferences -> User Info Settings -> "Allow Custom Avatar Upload"

ALSO, do NOT allow any non-trusted users to upload images through the image manager. i.e. in Administration Menu -> System Admin -> Images edit each and every category to NOT allow uploading by non-trusted usergroups.

We will keep you informed as soon as we have a fix for this exploit.

XOOPS Core Development Team
Read more... | 1805 bytes more | 41 comments

Preventing IE6 from blocking I-stats cookies

I use I-stats, a pretty decent stats module. The thing is that my IE6 keeps flagging up a cookie block from this module and thereby messing up my stats by presenting every pageview as a unique visitor.

I asked around and was unable to get answers in the forum, so I did some research myself. The quick solution?
Read more... | 2288 bytes more | 5 comments

PHLAK 0.2

The PHLAK team over at www.phlak.org will be releasing PHLAK 0.2 very soon. PHLAK is a modular live security distribution. It includes tools to perform network analysis, vulberability assessment, mitm attacks, forensics and more. PHLAK has chosen Xoops to be the structural base of their website. Come check us out.
Read more... | 2 comments

Directory traversal vulnerability on Xoops CMS module "tutorials"

Short description:

An attacker can use this flaw to execute arbitrary code of his choice on the remote system, run with the privileges of httpd. The code can be written in any scripting language whose parser is run in the remote system in cooporation with httpd, whether as module or executable.


Details:
Read more... | 1843 bytes more | 5 comments
« 1 (2) 3 »