
Security Patch for XOOPS 2.5.6

Published by Mamba on 24-Sep-2013 19:37 (8251)
As always, security is at the top of the priority list for XOOPS!

Current users of XOOPS 2.5.6 are encouraged to download and apply a Security Patch.

Download: SourceForge File Repository


This security patch fixes some potential XSS issues discovered by Mehdi Dadkhah and fixed by Richard Griffith.

While XOOPS 2.5.6 websites that currently have Protector installed are safe from this XSS vulnerability, we strongly recommend applying this patch to ALL XOOPS 2.5.6 websites.


It cannot be stressed enough that you should ALWAYS have Protector installed!!!


How to Apply the Patch:
--------------------------
You will need PHP 5.3.7 at minimum.

Just copy ALL the files from the /htdocs folder in this Zip file to your XOOPS website.
No other action is needed.


==============================================
For users of XOOPS Versions older than 2.5.6
==============================================

Please update AS SOON AS POSSIBLE to XOOPS 2.5.6. The current version is always the most stable and safest; older versions may be open to vulnerabilities that have already been fixed in the current version.

As of today, all XOOPS 2.5.6 packages available for download have been patched.

Wishing everybody Happy and Safe Xoopsing!

XOOPS Core Team
2013-09-24

Security Patch for XOOPS 2.5.5

Published by Mamba on 24-Jan-2013 01:09 (6819)
Current users of XOOPS 2.5.5 are encouraged to download and apply a Security Patch.

This patch is included in the upcoming XOOPS 2.5.6, which should be released in the next couple of weeks, after the testing of the Beta version is done.

Download: SourceForge File Repository

Security Patch for XOOPS 2.3.3

Published by Mamba on 20-Aug-2009 13:17 (10737)
As discussed previously in the forums, potential vulnerabilities have been identified in the following modules:

a) PM
b) Protector

While (a) is addressed by having Protector installed, and (b) is addressed by having "register_globals" disabled and having XOOPS_TRUST_PATH outside of the Document Root, we've addressed the issues in XOOPS 2.4.

However, since we don't know when exactly we'll release XOOPS 2.4, we're releasing this Security Patch for XOOPS 2.3.3 users.

Download: SourceForge XOOPS.

Installation: See the ReadMe.txt file

You are highly encouraged to apply the patch to your existing XOOPS 2.3.3 system.

Special thanks to Trabis, who addressed these issues.

Vulnerability in Protector if placed in DocumentRoot

Published by phppp on 09-Jan-2009 09:24 (14444)
We've been made aware of a vulnerability in Protector if it is placed in the DocumentRoot.

This affects all versions of XOOPS where the XOOPS_TRUST_PATH (or xoops_lib) directory that contains Protector is placed inside the DocumentRoot.

As we've always communicated to you (e.g. in the article A Guide to Make your XOOPS Installation even more secure), the best solution is to place your xoops_lib folder outside of the webroot path. You should also rename xoops_lib to something different and modify mainfile.php accordingly.

If you are not allowed to do so, add .htaccess to protect your Protector module:

Order deny,allow
Deny from all

The .htaccess should be placed in /xoops_lib or whatever the name of your XOOPS_TRUST_PATH is.

If .htaccess is not allowed or enabled on your server, turn off register_globals in your PHP configuration.

If you are not allowed to do any of the above, then the only solution is to remove the Protector module from your server and wait for a complete fix of the module.
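The two placement rules given on this page (in the 2.3.3 patch notice: XOOPS_TRUST_PATH outside the Document Root and register_globals disabled; here: the deny-all .htaccess as a fallback) are easy to get wrong after a migration or a symlinked deployment. The script below is an added example, not code from the XOOPS project: it takes a DocumentRoot and the XOOPS_TRUST_PATH value from mainfile.php, resolves symlinks, and reports whether the trust path is outside the webroot, shielded by a deny-all .htaccess (it also accepts the Apache 2.4 form "Require all denied", which this page does not mention), or exposed. The directory names in the demo are constructed under a temporary folder; the optional register_globals check assumes a php CLI binary is on the PATH.

```shell
#!/bin/sh
# Added example (not XOOPS project code): audit where XOOPS_TRUST_PATH sits
# relative to the web server's DocumentRoot, following the advice above.

# path_inside PARENT CHILD: return 0 when CHILD equals or lies beneath PARENT
# after resolving symlinks (pwd -P), so a symlinked xoops_lib is not missed.
# Returns 2 when either directory does not exist.
path_inside() {
    parent=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    child=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$child" in
        "$parent"|"$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# htaccess_denies_all DIR: return 0 when DIR/.htaccess carries a blanket deny,
# in Apache 2.2 form ("Deny from all") or Apache 2.4 form ("Require all denied").
htaccess_denies_all() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -iqE '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$f"
}

# audit_trust_path DOCROOT TRUSTPATH: print exactly one verdict word:
#   outside  - trust path is not under DocumentRoot (the recommended layout)
#   htaccess - under DocumentRoot, but blocked by a deny-all .htaccess
#   exposed  - under DocumentRoot with no .htaccess protection
#   missing  - one of the two directories does not exist
audit_trust_path() {
    rc=0
    path_inside "$1" "$2" || rc=$?
    case $rc in
        1) echo outside ;;
        2) echo missing ;;
        0) if htaccess_denies_all "$2"; then echo htaccess; else echo exposed; fi ;;
    esac
}

# register_globals_off: return 0 when the PHP CLI reports register_globals as
# off or unknown (the setting was removed in PHP 5.4), 1 when it is on, and 2
# when no php binary is available. The CLI may read a different php.ini than
# the web SAPI, so treat this as a hint, not proof. Not exercised by the demo.
register_globals_off() {
    command -v php >/dev/null 2>&1 || return 2
    php -r 'exit(filter_var(ini_get("register_globals"), FILTER_VALIDATE_BOOLEAN) ? 1 : 0);'
}

# demo: constructed layouts under a temporary directory, one per verdict.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/xoops_lib" "$tmp/www/shielded_lib" "$tmp/private_lib"
    printf 'Order deny,allow\nDeny from all\n' > "$tmp/www/shielded_lib/.htaccess"
    ln -s "$tmp/www/xoops_lib" "$tmp/link_to_lib"   # symlink that points back into the webroot
    for lib in "$tmp/www/xoops_lib" "$tmp/www/shielded_lib" "$tmp/private_lib" "$tmp/link_to_lib"; do
        printf '%s -> %s\n' "$lib" "$(audit_trust_path "$tmp/www" "$lib")"
    done
    rm -rf "$tmp"
}

demo
```

On a real server, run audit_trust_path with the DocumentRoot from the Apache configuration and the XOOPS_TRUST_PATH constant from mainfile.php; only "outside" matches the layout this page recommends, "htaccess" means you are relying on the fallback, and "exposed" means the Protector files can be requested directly. The symlink case in the demo shows why the check resolves paths with pwd -P before comparing them.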

Of course, the best scenario would be to have clean and safe code. Unfortunately, we've missed this security bug, but we're working on the solution and will release it soon.

XOOPS 2.3.2b - Security Release

Published by phppp on 07-Dec-2008 12:20 (26535)
Security is always at the top of the list for the XOOPS developers. Therefore the XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2b, an improved XOOPS 2.3.x release.

This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Security Research Group (DSRG), a potential local file inclusion vulnerability reported by DSRG, an autologin bug reported by Dylian, a backward-compatibility bug in data synchronization reported by boy0917, as well as a bug in xoopsmailer reported by ezsky.

In the 2.3.2b release we have further improved security fixes with help from DSRG.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package for local file inclusion issues.

Download from Sourceforge repository.

Protector Security Fix for XOOPS 2.0.x and 2.2.x users

Published by Mamba on 28-Nov-2008 14:13 (8238)
Security is always the highest priority for XOOPS, and therefore we are releasing Security Updates as soon as we find a viable solution.

This is a temporary quick fix for the Protector module, addressing a potential local file inclusion vulnerability reported by DSRG. We hope that GIJOE, the author of Protector, will address this issue in future releases.

It is included in the XOOPS 2.3.2a security release, but if you're using Protector on XOOPS 2.0.x or 2.2.x and your XOOPS_TRUST_PATH is located inside the Root, you are advised to upgrade to the version included in this package.

If your XOOPS_TRUST_PATH is outside of the Root (as you should!), you're not affected by this vulnerability.

For more information on how to make your XOOPS installation more secure, please read this article.

Download the fix here

XOOPS Development Team
November 28th, 2008

XOOPS 2.3.2a - Security Release

Published by phppp on 26-Nov-2008 06:40 (16166)
The XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2a.

This release is solely for a couple of critical security fixes, including an XSS vulnerability reported by Digital Research Group, a potential local file inclusion vulnerability reported by DSG, an autologin bug reported by Dylian and a backward-compatibility bug in data synchronization reported by boy0917.

All XOOPS 2.3.x users are highly recommended to upgrade to this version ASAP.

XOOPS 2.0 and 2.2 versions are not vulnerable to the security issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package.

Download from Sourceforge repository.

A Guide to Make your XOOPS Installation even more secure

Published by anderssk on 13-Sep-2008 20:35 (13599)
The reason for writing this guide is NOT that the XOOPS CMS isn't secure enough.

It's written to give new XOOPS'ers a chance to make, with a few changes, a secure installation even more secure. We believe that existing users can also use the guide to secure an already installed XOOPS website.

This guide is written for XOOPS 2.3.3RC as the core version.

Security Update for Bluemoon Modules

Published by dashbord on 28-Apr-2008 13:52 (6462)
We found an XSS vulnerability in our sources.

Backpack v0.91 or before
Bmsurvey v0.84 or before
Newbb_fileup v1.83 or before
News_embed v1.44 ( news_fileup ) or before
Popnupblog v3.19 or before

If you are using those scripts, we recommend updating immediately.
Jump to vendor site

WF-Sections V2: New Exploits and Security Issues (Users ...

Published by Mamba on 15-Apr-2008 08:03 (7085)
As always, XOOPS developers are committed to ensuring the highest security of XOOPS code. The message below comes from Catzwolf:

Quote:

If you are still using WF-Sections v1+ and v2+ then I suggest that you read this please.

It has come to my attention that there are a few very bad security exploits that some people could use to gain access to your website. I suggest that all users of this module should either:

1. Deactivate the module for the time being (recommended), or
2. Rename XOOPS_ROOT_PATH/modules/wfsections/ratefile.php and print.php.

I am now in the process of doing a full audit of all the WF-Sections code and closing these and all possible security risks that may arise in the future.

I will keep you all posted on an update.

John (AkA Catzwolf)

To follow the story, please visit our discussion Forum.

XoopsGallery Module 'init_basic.php' Remote File ...

Published by phppp on 10-Jan-2008 03:15 (30812)
XoopsGallery is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

XoopsGallery 1.3.3.9 has been confirmed vulnerable.

We advise you to upgrade to XoopsGallery 2.1+ or deactivate the module immediately until this issue is solved.

Thanks to SecurityFocus, Eugene Minaev and Northern.

vulnerability in phpmailer

Published by phppp on 14-Jun-2007 12:37 (11053)
A vulnerability has been reported in PHPMailer which can be exploited by malicious people to compromise a vulnerable system if the Sendmail method is enabled.

Although the issue is not critical in a XOOPS environment, we suggest switching to a mail method other than Sendmail, or downloading the quick fixes:
fix for XOOPS 2.0*
fix for XOOPS 2.2*

Note: an official response and solutions are still awaited from the PHPMailer development group, and will be released in XOOPS 2.017 and XOOPS 2.25.

Thanks to GIJOE, irmtfan, vaughan and others for reporting the issue and providing solutions.

vulnerability in SPAW editor

Published by phppp on 13-Jun-2007 04:05 (14242)
A vulnerability was reported in some versions of the SPAW editor, which is used by some XOOPS third-party modules.

The "tinycontent" module is one of the modules using SPAW. Although we are not sure which version(s) are vulnerable, we suggest disabling SPAW in tinycontent and removing the "modules/tinycontent/admin/spaw/" folder from your server.

Easyhosting to consider withdrawal of support for Xoops

Published by chippyash on 03-Jun-2007 22:31 (12985)
Following a hack on one of our websites, the site's hosts have claimed that the hack occurred because of insecurity in the Xoops system.

Security Hole in XOOPS 2.2 - hotfix available

Published by Mithrandir on 28-Jul-2005 07:56 (14828)
We have been made aware of a grave, unintended exploitable weakness in XOOPS 2.2 that could reveal your database username and password.

Everybody using XOOPS 2.2: get this hotfix (.zip) | (.tar.gz), and get it NOW. Upload the contents to your webserver, overwriting the existing files.

To translators: Note that the error message in the system module has changed.