Although the issue is not critical in a XOOPS environment, we would suggest switching to a method other than Sendmail, or downloading the quick fixes: fix for XOOPS 2.0*, fix for XOOPS 2.2*
Note: an official response and solutions are still awaited from the phpmailer development group, and will be released in XOOPS 2.017 and XOOPS 2.25
Thanks to GIJOE, irmtfan, vaughan etc. for reporting and for the solutions.
A vulnerability was reported in some versions of the SPAW editor, which is used by some XOOPS third-party modules.
The module "tinycontent" is one of the modules using SPAW. Although we are not sure which version(s) are vulnerable, we suggest disabling SPAW in tinycontent and removing the "modules/tinycontent/admin/spaw/" folder from your server.
Just last Friday, we released XOOPS v2.0.11, but during the weekend, I had a great deal of communication with James from GulfTech Security Research, who helped me find and fix a couple of holes in the XML-RPC interface and the comment system.
Also, work done by XOOPS JP and JM2 and the zx team helped with a couple of other bugs and issues.
We therefore recommend that everyone upgrade to version 2.0.12a, available from this site.
Upgrade instructions:
1. Download the patch
2. Extract the patch
3. Upload the patch to the webserver (NOTE: ONLY upload modules/newbb/post.php if you use Newbb version 1.0)
4. Update the System module
5. That's it
A vulnerability has been reported in the XOOPS core that allows registered users to upload possibly malicious scripts to the webserver.
The vulnerability is in the upload of custom avatars. Until we have a complete overview of the consequences and a correction for this exploit, we advise all XOOPS site administrators to TURN OFF CUSTOM AVATAR UPLOAD in System Admin -> Preferences -> User Info Settings -> "Allow Custom Avatar Upload".
ALSO, do NOT allow any non-trusted users to upload images through the image manager, i.e. in Administration Menu -> System Admin -> Images, edit each and every category to NOT allow uploading by non-trusted usergroups.
We will keep you informed as soon as we have a fix for this exploit.
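The advisory above turns the feature off rather than fixing it. As an added example (not XOOPS code, and not the fix the team later shipped), here is the shape of a hardened avatar upload handler: an extension allow-list alone is not enough, because a PHP script can be renamed to .gif or hidden in the comment chunk of a valid image, so the bytes are checked with getimagesize(), re-encoded through GD (which drops comments and metadata), and written under a server-generated name. It assumes PHP 8 with the GD extension; the function names, constants and the call site are all hypothetical.

```php
<?php
// Added example, not XOOPS code: validate a custom avatar upload before it is
// written anywhere the web server can reach. Assumes PHP 8 with the GD extension;
// every name here is hypothetical.

// Allowed extensions mapped to the MIME type getimagesize() must report for them.
const AVATAR_TYPES = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
const AVATAR_MAX_BYTES = 65536;

// Returns the normalised extension on success, or null with $reason set on failure.
function checkAvatarUpload(array $file, ?string &$reason = null): ?string
{
    $reason = null;
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        $reason = 'not a completed upload';
        return null;
    }
    if ($file['size'] > AVATAR_MAX_BYTES) {
        $reason = 'file too large';
        return null;
    }
    // 1. Extension allow-list on the client-supplied name. "shell.php.gif" passes
    //    this step on its own, which is why the content check and the
    //    server-generated file name below are still needed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(AVATAR_TYPES[$ext])) {
        $reason = 'extension not allowed';
        return null;
    }
    // 2. Content check: the bytes must parse as an image whose real type matches
    //    the extension, so a PHP script renamed to .gif is rejected here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== AVATAR_TYPES[$ext]) {
        $reason = 'content is not a ' . AVATAR_TYPES[$ext] . ' image';
        return null;
    }
    return $ext === 'jpeg' ? 'jpg' : $ext;
}

// Re-encode through GD and write under a server-generated name. Re-encoding drops
// comment chunks and metadata, so a valid image that also carries "<?php ..." in a
// comment block does not reach the disk with that payload intact.
function storeAvatar(array $file, string $destDir, ?string &$reason = null): ?string
{
    $ext = checkAvatarUpload($file, $reason);
    if ($ext === null) {
        return null;
    }
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        $reason = 'GD could not decode the image';
        return null;
    }
    $name = bin2hex(random_bytes(8)) . '.' . $ext;   // no user-controlled characters
    $dest = rtrim($destDir, '/') . '/' . $name;
    $ok = match ($ext) {
        'gif'   => imagegif($img, $dest),
        'png'   => imagepng($img, $dest),
        default => imagejpeg($img, $dest, 90),
    };
    imagedestroy($img);
    if (!$ok) {
        $reason = 'could not write avatar';
        return null;
    }
    return $name;
}

// Typical call site (hypothetical): $_FILES['avatar'] posted from the avatar form.
// $name = storeAvatar($_FILES['avatar'], '/var/www/xoops/uploads/avatars', $why);
```

Even with these checks, the upload directory should be one the web server will not execute scripts from (for Apache with mod_php, `php_admin_flag engine off` or an equivalent directive for that directory), which is the same reasoning behind the advisory's second point about not letting untrusted groups upload through the image manager.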
I use I-stats, a pretty decent stats module. The thing is that my IE6 keeps flagging up a cookie block from this module, thereby messing up my stats by presenting every pageview as a unique visitor.
I asked around and was unable to get answers in the forum, so I did some research myself. The quick solution?
The PHLAK team over at www.phlak.org will be releasing PHLAK 0.2 very soon. PHLAK is a modular live security distribution. It includes tools to perform network analysis, vulnerability assessment, MITM attacks, forensics and more. PHLAK has chosen XOOPS to be the structural base of their website. Come check us out.
Directory traversal vulnerability on Xoops CMS module "tutorials"
Short description:
An attacker can use this flaw to execute arbitrary code of his choice on the remote system, run with the privileges of httpd. The code can be written in any scripting language whose parser is run on the remote system in cooperation with httpd, whether as a module or as an executable.
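The advisory names the class of bug but not the parameter or file involved, so the following is an added, generic example rather than a reconstruction of the tutorials module's code. This class arises when a request parameter is joined onto a directory path and then read or included, so that "../" sequences (or an absolute path) escape the intended directory. The resolver below accepts only a plain file name of an allowed shape and then confirms, after realpath() has resolved any symlinks, that the result still lies under the base directory. The function name and the $baseDir/$requested parameters are hypothetical.

```php
<?php
// Added example, not the tutorials module's code: resolve a request-supplied file
// name strictly inside a base directory before reading or including it.
// All names ($baseDir, $requested, resolveInside) are hypothetical.

// Returns the canonical absolute path of $requested inside $baseDir, or null if
// the request escapes the directory or does not look like a plain file name.
function resolveInside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Embedded NUL bytes can truncate the path in lower-level string handling.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Allow-list the shape: one path component, no separators, no "..", no scheme,
    // and only the extensions this directory is meant to serve.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.(php|html|txt)\z/', $requested)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null;   // no such file
    }
    // Canonical containment: after symlink resolution the result must still sit
    // under $base. This catches a symlink inside the directory pointing elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed attacker-style inputs; every one is rejected by the shape check
// before any filesystem access happens.
$rejected = [
    '../../../../etc/passwd',
    '..%2F..%2Fetc%2Fpasswd',          // double-encoded variant
    "page.php\0.txt",                  // NUL truncation attempt
    'http://evil.example/shell.txt',   // remote include attempt
    'tutorial.php/../../config.php',   // traversal after a valid-looking name
];
foreach ($rejected as $r) {
    if (resolveInside(sys_get_temp_dir(), $r) !== null) {
        throw new RuntimeException("should have been rejected: $r");
    }
}
```

The containment check is deliberately kept even though the regular expression already forbids separators: the two checks fail independently, and the realpath() comparison is what still holds if the allow-list is later loosened to permit subdirectories.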