RSS feed

Security Patch for XOOPS 2.5.6

As always, security is on top of priority list of XOOPS!

Current users of XOOPS 2.5.6 are encouraged to download and apply a Security Patch.

Download: SourceForge File Repository


This security patch fixes some potential XSS issues discovered by Mehdi Dadkhah and fixed by Richard Griffith.

While 2.5.6 Websites that have currently installed Protector are safe from this XSS vulnerability, we recommend strongly to apply this patch to ALL XOOPS 2.5.6 Websites.


It is not enough to stress that you should ALWAYS have Protector installed!!!


How to Apply the Patch:
--------------------------
You will need as minimum PHP 5.3.7

Just copy ALL the files from /htdocs folder in this Zip file to your XOOPS Website.
No other action is needed.


==============================================
For users of XOOPS Versions older than 2.5.6
==============================================

Please update AS SOON AS POSSIBLE to XOOPS 2.5.6. As always, the current versions are always the most stable and safest, i.e. older versions might be open to vulnerabilities that has been already fixed in the current version.

As of today, all XOOPS 2.5.6 versions available for download have been all patched.

Wishing everybody Happy and Safe Xoopsing!

XOOPS Core Team
2013-09-24
Read more... | 11 comments

Security Patch for XOOPS 2.5.5

Current users of XOOPS 2.5.5 are encouraged to download and apply a Security Patch.

This patch is included in the upcoming XOOPS 2.5.6, which should be released in the next couple of weeks, after the testing of the Beta version is done.

Download: SourceForge File Repository
Read more... | 11 comments

Security Patch for XOOPS 2.3.3

As discussed previously in forums, there are potential vulnerabilities identified in:

a) PM
b) Protector

modules.

While (a) is addressed by having Protector installed, and (b) is addressed by having "register_globals" disabled and having XOOPS_TRUST_PATH outside of the Document Root, we've addressed the issues in XOOPS 2.4.

However, since we don't know when exactly we'll release XOOPS 2.4, we're releasing this Security Patch for XOOPS 2.3.3 users.

Download: SourceForge XOOPS.

Installation: See the ReadMe.txt file

You are highly encouraged to implement the patch to your existing XOOPS 2.3.3 system.

Special thanks to Trabis, who addressed these issues.
Read more... | 21 comments

Vulnerability in Protector if placed in DocumentRoot

We've been made aware of a vulnerability of the Protector, if placed in the DocumentRoot

This is for all versions of XOOPS, if the XOOPS_TRUST_PATH (or xoops_lib) directory that contains the Protector, is placed in the DocumentRoot

As we've always communicated to you (e.g. in this article A Guide to Make your XOOPS Installation even more secure), the best solution is to place your xoops_lib folder outside of webroot path. You should also change the name of xoops_lib to something different, and modify the mainfile.php accordingly.

If you are not allowed to do so, add .htaccess to protect your Protector module:

le="color: #000000"><?php order deny,allow deny from all

The .htaccess should be placed in /xoops_lib or whatever the name of your XOOPS_TRUST_PATH is.

If .htaccess is not allowed or enabled on your server, turn off global_register on your server.

If you are not allowed to do any of the above, then the only solution is to remove Protector module from your server and wait for a complete fix of the module.

Of course, the best scenario would be to have clean and safe code. Unfortunately, we've missed this security bug, but we're working on the solution and will release it soon.
Read more... | 10 comments

XOOPS 2.3.2b - Security Release

The security is always on top of the list of XOOPS Developers. Therefore the XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2b, an improved XOOPS 2.3.x release.

This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Sercurity Research Group (or DSRG), potential local file inclusion vulnerability reported by DSRG, autologin bug reported by Dylian, a backward bug in data synchronization reported by boy0917 as well as a bug in xoopsmailer reported by ezsky.

In the 2.3.2b release we have further improved security fixes with help from DSRG.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package for local file inclusion issues.

Download from Sourceforge repository.
Read more... | 10779 bytes more | 37 comments

Protector Security Fix for XOOPS 2.0.x and 2.2.x users

Security is always the highest priority for XOOPS, and therefore we are releasing Security Updates as soon as we find a viable solution.

This is a temporary quick fix for Protector module, addressing potential local file inclusion vulnerability reported by DSRG. We hope that GIJOE, the author of Protector, will address this issue in future releases.

It is included in XOOPS 2.3.2a Security release, but if you're using Protector on XOOPS 2.0.x or 2.2.x, and your XOOPS_TRUST_PATH is located inside the Root, you are advised to upgrade to the version included in this package.

If your XOOPS_TRUST_PATH is outside of the Root (as you should!), you're not affected by this vulnerability.

For more information on how to make your XOOPS installation more secure, please read this article

Download the fix here

XOOPS Development Team
November 28th, 2008
Read more... | 14 comments

XOOPS 2.3.2a - Security Release

The XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2a

This release is solely for a couple of critical security fixes, including an XSS vulnerability reported by Digital Research Group, potential local file inclusion vulnerability reported by DSG, Autologin bug reported by Dylian and a backward bug in data synchronization reported by boy0917.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the security issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package.

Download from Sourceforge repository.
Read more... | 10364 bytes more | 48 comments

A Guide to Make your XOOPS Installation even more secure

The reason for writing this guide is NOT because XOOPS CMS-system isn’t secure enough.

It’s written to give new XOOPS'ers a chance to make, with a few changes, a secure installation even more secure. We believe, that existing users also can use the guide, for securing an already installed XOOP website.

This guide is written for XOOPS version 2.3.3RC as Core-version.

Read more... | 24377 bytes more | 21 comments

Security Update for Bluemoon Modules

We found XSS valnabirity at our sources.

Backpack v0.91 or before
Bmsurvey v0.84 or before
Newbb_fileup v1.83 or before
News_embed v1.44 ( news_fileup ) or before
Popnupblog v3.19 or before

If you are using those scripts we recommend update immediately.
Jump to vendor site
Read more... | 3 comments

WF-Sections V2: New Exploits and Security Issues (Users MUST READ this)

As always, XOOPS developers are committed to ensuring the highest security of XOOPS code. The message below comes from Catzwolf:

Quote:

If you are still using WF-Sections v1+ and v2+ then I suggest that you read this please.

It has come to my attention that there is a few very bad security exploits that some people could use to gain access to your website. I suggest that all users of this module should either:

1. Deactivate the module for the time being (recommended) or..
2. Renaming XOOPS_ROOT_PATH/modules/wfsections/ratefile.php and print.php.

I am now in the process of doing a full audit of all the WF-Sections code and closing these and all possible security risks that may arise in the future.

I will keep you all posted on an update.

John (AkA Catzwolf)

To follow the story, please visit our discussion Forum.
Read more... | 1 comment

XoopsGallery Module 'init_basic.php' Remote File Include Vulnerability

XoopsGallery is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

XoopsGallery 1.3.3.9 has been confirmed vulnerable.

we advise you to upgrade to XoopsGallery 2.1+ or inactivate the module immediately until this issue is solved.

Thank SecurityFocus, Eugene Minaev and Northern .
Read more... | 4 comments

vulnerability in phpmailer

A vulnerability is reported in PHPMailer, which can be exploited by malicious people to compromise a vulnerable system if Sendmail method is enabled.

Although the issue is not critical in XOOPS environment, we would suggest to switch to other methods than Sendmail, or to download quick fixes:
fix for XOOPS 2.0*
fix for XOOPS 2.2*

Note: official response and solutions are still being waited from phpmailer development group, and will be released in XOOPS 2.017 and XOOPS 2.25

Thank GIJOE, irmtfan, vaughan etc for reporting and solutions.
Read more... | 22 comments

vulnerability in SPAW editor

Vulnerability was reported in some version of the SPAW editor, which is used by some of XOOPS third-party modules.

Module "tinycontent" is one of the modules using SPAW. Although we are not sure which version(s) is vulnerable, we suggest disable SPAW in tinycontent and remove the "modules/tinycontent/admin/spaw/" folder from your server.
Read more... | 12 comments

Easyhosting to consider withdrawal of support for Xoops

Following a hack on one of our websites, the site hosters have claimed that the hack occured because of insecurity in the Xoops systems.
Read more... | 956 bytes more | 12 comments

Security Hole in XOOPS 2.2 - hotfix available

We have been made aware of a grave unintended exploitability in XOOPS 2.2 that could reveal your database username and password.

Everybody using XOOPS 2.2, get this hotfix (.zip) | (.tar.gz)
and get it NOW. Upload the contents to your webserver, overwriting the existing files.

To translators: Note that the error message in the system module has changed.
Read more... | 35 comments

Security Release: XOOPS 2.0.12a

Just last Friday, we released XOOPS v2.0.11, but during the weekend, I had a great deal of communication with James from GulfTech Security Research, who helped me find and fix a couple of holes in the XML-RPC interface and the comment system.

Also, work done by XOOPS JP and JM2 and the zx team helped with a couple of other bugs and issues.

We therefore recommend everyone to upgrade to version 2.0.12a, available from this site.

Upgrade instructions:
1. Download patch
2. Extract patch
3. Upload patch to webserver (NOTE: ONLY upload modules/newbb/post.php if you use Newbb version 1.0)
4. Update System Module
5. That's it
Read more... | 3040 bytes more | 104 comments

Security Bulletin: TURN OFF CUSTOM AVATAR UPLOAD

A vulnerability has been reported in the XOOPS core that allows registered users to upload possibly malicious scripts to the webserver.

The vulnerability is in the upload of custom avatars and until we have complete overview of the consequences and correction of this exploit, we advise all XOOPS site administrators to TURN OFF CUSTOM AVATAR UPLOAD in System Admin -> Preferences -> User Info Settings -> "Allow Custom Avatar Upload"

ALSO, do NOT allow any non-trusted users to upload images through the image manager. i.e. in Administration Menu -> System Admin -> Images edit each and every category to NOT allow uploading by non-trusted usergroups.

We will keep you informed as soon as we have a fix for this exploit.

XOOPS Core Development Team
Read more... | 1823 bytes more | 41 comments

Preventing IE6 from blocking I-stats cookies

I use I-stats, a pretty decent stats module. The thing is that my IE6 keeps flagging up a cookie block from this module and thereby messing up my stats by presenting every pageview as a unique visitor.

I asked around and was unable to get answers in the forum, so I did some research myself. The quick solution?
Read more... | 2306 bytes more | 5 comments

PHLAK 0.2

The PHLAK team over at http://www.phlak.org will be releasing PHLAK 0.2 very soon. PHLAK is a modular live security distribution. It includes tools to perform network analysis, vulberability assessment, mitm attacks, forensics and more. PHLAK has chosen Xoops to be the structural base of their website. Come check us out.
Read more... | 2 comments

Directory traversal vulnerability on Xoops CMS module "tutorials"

Short description:

An attacker can use this flaw to execute arbitrary code of his choice on the remote system, run with the privileges of httpd. The code can be written in any scripting language whose parser is run in the remote system in cooporation with httpd, whether as module or executable.


Details:
Read more... | 1778 bytes more | 5 comments

PHP 4.3.1 released in response to CGI vulnerability

The PHP Group today announced the details of a serious CGI vulnerability in PHP version 4.3.0. A security update, PHP 4.3.1 , fixes the issue. Everyone running affected version of PHP (as CGI) are encouraged to upgrade immediately. The new 4.3.1 release does not include any other changes, so upgrading from 4.3.0 is safe and painless.
Comments?

MySQL 3.23.55 Released

MySQL 3.23.55, a new version of the popular Open Source Database, has been
released. It is now available in source and binary form for a number of
platforms from our download pages at http://www.mysql.com/downloads/ and
mirror sites.

Note that not all mirror sites may be up to date at this point of time -
if you can't find this version on some mirror, please try again later or
choose another download site.
Read more... | 2384 bytes more | Comments?

PHP Buffer Overflow in Wordwrap() Function May Let Remote Users Crash the Server

in: http://www.securitytracker.com/alerts/2002/Dec/1005863.html

SecurityTracker Alert ID: 1005863
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Dec 27 2002

Impact: Denial of service via network, Execution of arbitrary code via network, User access via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): after 4.1.2 and before 4.3.0

Description: A buffer overflow vulnerability was reported in PHP. A remote user could cause the web service to crash or possibly execute arbitrary code.

Read more... | 3549 bytes more | Comments?

Security vulnerability in Gallery 1.1, 1.2.x, 1.3

Anybody using Gallery on your site should upgrade it right now. There will be no change to the files included in XOOPS patch for Gallery, so just upgrade your Gallery to the latest version, and apply the XOOPS patch again if you would like to keep using it as an XOOPS module.

Quote:

An alert system administrator for PowerTech an ISP in Norway discovered a security vulnerability in Gallery yesterday. This security hole is a serious one; with it a malicious user can install a backdoor on your system and gain shell access with the same privileges as your webserver user. It's important that you realize that there are malicious people exploiting this bug *right* *now*. Read through to the bottom of this email for a list of IP addresses of sites that we believe may already be hacked, and ways to detect if you've been hacked.

Update: The most secure version of Gallery available is v1.3.1-cvs-b13. Upgrade ASAP.


Source: News at Gallery website


You can also download the patch at http://www.xoops.it/ where you can find some detailed instructions for installing Gallery as a XOOPS module.
Comments?

Security hole in PHP

A security issue was found in all versions of PHP, including 3.x and 4.x versions. If you are running PHP on your server (i'm sure you all here are ), either upgrade your php or install the patch found at php.net. If you can't upgrade your php, because your site is hosted by an ISP, tell them to do so as soon as possible. This is NOT a security hole of XOOPS. It doesn't matter which php script you use on your server, since this is a problem in PHP itself. -- Update -- By BoobToob, Thursday Feb. 28th, 2002 Please read the full text of this artile. I posted the submission from Security Focus that gets very specific about what versions of PHP are affected and how to plug your current holes. I'm sending this to my ISP as we speak. Eric Caldwell aka BoobToob
Read more... | 4759 bytes more | Comments?

"Nukes" Security Hole !!

I run the site GroundZero. A while back it got hacked several times in a row. All that was done was replacing the index so not really a big deal but annoying. I now know how they were able to gain access to my site and they could very easily do it to some of yours...
Read more... | 903 bytes more | Comments?

Remove your install.php!

I checked several sites which uses XOOPS and found out some of them didn't delete the install script. The sites i checked received a email about it. Be warned!

Comments?


Recent Comments

Who's Online

433 user(s) are online (11 user(s) are browsing XOOPS News)


Members: 0


Guests: 433


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits

Archives

News archives