Security

Security Patch for XOOPS 2.5.6

Mamba  24-Sep-2013 19:37  8539 reads  11
As always, security is on top of priority list of XOOPS!

Current users of XOOPS 2.5.6 are encouraged to download and apply a Security Patch.

Download: SourceForge File Repository


This security patch fixes some potential XSS issues discovered by Mehdi Dadkhah and fixed by Richard Griffith.

While 2.5.6 Websites that have currently installed Protector are safe from this XSS vulnerability, we strongly recommend applying this patch to ALL XOOPS 2.5.6 Websites.


It cannot be stressed enough that you should ALWAYS have Protector installed!!!


How to Apply the Patch:
--------------------------
You will need at minimum PHP 5.3.7.

Just copy ALL the files from /htdocs folder in this Zip file to your XOOPS Website.
No other action is needed.


==============================================
For users of XOOPS Versions older than 2.5.6
==============================================

Please update AS SOON AS POSSIBLE to XOOPS 2.5.6. As always, the current versions are the most stable and safest, i.e. older versions might be open to vulnerabilities that have already been fixed in the current version.

As of today, all XOOPS 2.5.6 versions available for download have been patched.

Wishing everybody Happy and Safe Xoopsing!

XOOPS Core Team
2013-09-24
Security

Security Patch for XOOPS 2.5.5

Mamba  24-Jan-2013 01:09  7153 reads  11
Current users of XOOPS 2.5.5 are encouraged to download and apply a Security Patch.

This patch is included in the upcoming XOOPS 2.5.6, which should be released in the next couple of weeks, after the testing of the Beta version is done.

Download: SourceForge File Repository
Security

Security Patch for XOOPS 2.3.3

Mamba  20-Aug-2009 13:17  11020 reads  21
As discussed previously in the forums, there are potential vulnerabilities identified in the following modules:

a) PM
b) Protector

While (a) is addressed by having Protector installed, and (b) is addressed by having "register_globals" disabled and having XOOPS_TRUST_PATH outside of the Document Root, we've addressed the issues in XOOPS 2.4.

However, since we don't know when exactly we'll release XOOPS 2.4, we're releasing this Security Patch for XOOPS 2.3.3 users.

Download: SourceForge XOOPS.

Installation: See the ReadMe.txt file

You are highly encouraged to implement the patch to your existing XOOPS 2.3.3 system.

Special thanks to Trabis, who addressed these issues.
Security

Vulnerability in Protector if placed in DocumentRoot

phppp  09-Jan-2009 09:24  14627 reads  10
We've been made aware of a vulnerability in Protector if it is placed in the DocumentRoot.

This applies to all versions of XOOPS if the XOOPS_TRUST_PATH (or xoops_lib) directory that contains Protector is placed in the DocumentRoot.

As we've always communicated to you (e.g. in this article A Guide to Make your XOOPS Installation even more secure), the best solution is to place your xoops_lib folder outside of webroot path. You should also change the name of xoops_lib to something different, and modify the mainfile.php accordingly.

If you are not allowed to do so, add .htaccess to protect your Protector module:

order deny,allow
deny from all

The .htaccess should be placed in /xoops_lib or whatever the name of your XOOPS_TRUST_PATH is.

If .htaccess is not allowed or enabled on your server, turn off register_globals on your server.

If you are not allowed to do any of the above, then the only solution is to remove Protector module from your server and wait for a complete fix of the module.

Of course, the best scenario would be to have clean and safe code. Unfortunately, we've missed this security bug, but we're working on the solution and will release it soon.
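The three layouts the announcement above distinguishes (trust path outside the web root; inside it but shielded by a deny-all .htaccess; inside it and unprotected) can be verified from the shell before and after moving the folder. The script below is an added example, not code from the XOOPS team or the Protector module: the DocumentRoot and trust path it takes are hypothetical arguments, and the Apache 2.4 "Require all denied" spelling it also accepts is an assumption added beside the 2.2 syntax quoted in the announcement.

```shell
#!/bin/sh
# Added example (not from the XOOPS project): audit where a XOOPS_TRUST_PATH
# sits relative to the web server's DocumentRoot, and whether the deny-all
# .htaccess fallback from the announcement is in place. Both paths are
# hypothetical arguments supplied by the caller.

# path_inside ROOT TARGET: succeeds if TARGET resolves to ROOT or a
# directory beneath it (symlinks resolved, so a link pointing out of the
# root is not mistaken for a directory inside it).
path_inside() {
  root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
  target=$(cd "$2" 2>/dev/null && pwd -P) || return 2
  case "$target" in
    "$root"|"$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# htaccess_denies_all DIR: succeeds if DIR/.htaccess carries a deny-all
# rule, either in the Apache 2.2 syntax quoted in the announcement or the
# Apache 2.4 "Require all denied" form (the 2.4 form is an assumption
# added here, not something the announcement mentions).
htaccess_denies_all() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  grep -iqE '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)' "$f"
}

# check_trust_path DOCROOT TRUSTPATH: prints a verdict and returns
#   0  trust path is outside the document root (the recommended layout)
#   1  inside the document root, shielded only by a deny-all .htaccess
#   2  inside the document root with no deny-all .htaccess
#   3  one of the paths is not a directory
check_trust_path() {
  docroot=$1
  trust=$2
  if [ ! -d "$docroot" ] || [ ! -d "$trust" ]; then
    echo "ERROR: $docroot or $trust is not a directory"
    return 3
  fi
  if path_inside "$docroot" "$trust"; then
    if htaccess_denies_all "$trust"; then
      echo "WARN: $trust is inside $docroot, protected only by .htaccess"
      return 1
    fi
    echo "FAIL: $trust is inside $docroot with no deny-all .htaccess"
    return 2
  fi
  echo "OK: $trust is outside $docroot"
  return 0
}

# Usage (paths are hypothetical):
#   sh check_trust_path.sh /var/www/html /var/www/html/xoops_lib
if [ "$#" -eq 2 ]; then
  check_trust_path "$1" "$2"
fi
```

The exit code lets the check be dropped into a deployment script: anything other than 0 means the trust path still needs to be moved or, failing that, shielded as the announcement describes. Resolving both paths with pwd -P matters because a renamed or symlinked xoops_lib can otherwise look like it lives outside the root when the web server still serves it.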
Security

XOOPS 2.3.2b - Security Release

phppp  07-Dec-2008 12:20  26942 reads  37
The security is always on top of the list of XOOPS Developers. Therefore the XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2b, an improved XOOPS 2.3.x release.

This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Security Research Group (or DSRG), potential local file inclusion vulnerability reported by DSRG, autologin bug reported by Dylian, a backward bug in data synchronization reported by boy0917 as well as a bug in xoopsmailer reported by ezsky.

In the 2.3.2b release we have further improved security fixes with help from DSRG.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package for local file inclusion issues.

Download from Sourceforge repository.
Security

Protector Security Fix for XOOPS 2.0.x and 2.2.x users

Mamba  28-Nov-2008 14:13  8505 reads  14
Security is always the highest priority for XOOPS, and therefore we are releasing Security Updates as soon as we find a viable solution.

This is a temporary quick fix for Protector module, addressing potential local file inclusion vulnerability reported by DSRG. We hope that GIJOE, the author of Protector, will address this issue in future releases.

It is included in XOOPS 2.3.2a Security release, but if you're using Protector on XOOPS 2.0.x or 2.2.x, and your XOOPS_TRUST_PATH is located inside the Root, you are advised to upgrade to the version included in this package.

If your XOOPS_TRUST_PATH is outside of the Root (as you should!), you're not affected by this vulnerability.

For more information on how to make your XOOPS installation more secure, please read this article

Download the fix here

XOOPS Development Team
November 28th, 2008
Security

XOOPS 2.3.2a - Security Release

phppp  26-Nov-2008 06:40  16560 reads  48
The XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2a

This release is solely for a couple of critical security fixes, including an XSS vulnerability reported by Digital Research Group, potential local file inclusion vulnerability reported by DSG, Autologin bug reported by Dylian and a backward bug in data synchronization reported by boy0917.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the security issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package.

Download from Sourceforge repository.
Security
The reason for writing this guide is NOT because XOOPS CMS-system isn’t secure enough.

It’s written to give new XOOPS'ers a chance to make, with a few changes, a secure installation even more secure. We believe that existing users can also use the guide for securing an already installed XOOPS website.

This guide is written for XOOPS version 2.3.3RC as Core-version.

Security

Security Update for Bluemoon Modules

dashbord  28-Apr-2008 13:52  6687 reads  3
We found an XSS vulnerability in our sources.

Backpack v0.91 or before
Bmsurvey v0.84 or before
Newbb_fileup v1.83 or before
News_embed v1.44 ( news_fileup ) or before
Popnupblog v3.19 or before

If you are using those scripts, we recommend updating immediately.
Jump to vendor site
Security
As always, XOOPS developers are committed to ensuring the highest security of XOOPS code. The message below comes from Catzwolf:

Quote:

If you are still using WF-Sections v1+ and v2+ then I suggest that you read this please.

It has come to my attention that there are a few very bad security exploits that some people could use to gain access to your website. I suggest that all users of this module should either:

1. Deactivate the module for the time being (recommended), or
2. Rename XOOPS_ROOT_PATH/modules/wfsections/ratefile.php and print.php.

I am now in the process of doing a full audit of all the WF-Sections code and closing these and all possible security risks that may arise in the future.

I will keep you all posted on an update.

John (AkA Catzwolf)

To follow the story, please visit our discussion Forum.
Security

XoopsGallery Module 'init_basic.php' Remote File ...

phppp  10-Jan-2008 03:15  30983 reads  4
XoopsGallery is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

XoopsGallery 1.3.3.9 has been confirmed vulnerable.

We advise you to upgrade to XoopsGallery 2.1+ or inactivate the module immediately until this issue is solved.

Thanks to SecurityFocus, Eugene Minaev and Northern.
Security

vulnerability in phpmailer

phppp  14-Jun-2007 12:37  11208 reads  22
A vulnerability is reported in PHPMailer, which can be exploited by malicious people to compromise a vulnerable system if Sendmail method is enabled.

Although the issue is not critical in the XOOPS environment, we would suggest switching to methods other than Sendmail, or downloading the quick fixes:
fix for XOOPS 2.0*
fix for XOOPS 2.2*

Note: an official response and solutions are still awaited from the phpmailer development group, and will be released in XOOPS 2.017 and XOOPS 2.25.

Thanks to GIJOE, irmtfan, vaughan, etc. for reporting and solutions.
Security

vulnerability in SPAW editor

phppp  13-Jun-2007 04:05  14404 reads  12
A vulnerability was reported in some versions of the SPAW editor, which is used by some XOOPS third-party modules.

Module "tinycontent" is one of the modules using SPAW. Although we are not sure which version(s) are vulnerable, we suggest disabling SPAW in tinycontent and removing the "modules/tinycontent/admin/spaw/" folder from your server.
Security
Following a hack on one of our websites, the site hosters have claimed that the hack occurred because of insecurity in the Xoops systems.
Security

Security Hole in XOOPS 2.2 - hotfix available

Mithrandir  28-Jul-2005 07:56  15005 reads  35
We have been made aware of a grave unintended exploitability in XOOPS 2.2 that could reveal your database username and password.

Everybody using XOOPS 2.2, get this hotfix (.zip) | (.tar.gz)
and get it NOW. Upload the contents to your webserver, overwriting the existing files.

To translators: Note that the error message in the system module has changed.