Security Release: XOOPS 2.0.12a

Mithrandir  28-Jun-2005 18:08  27955 reads  104
Just last Friday, we released XOOPS v2.0.11, but during the weekend, I had a great deal of communication with James from GulfTech Security Research, who helped me find and fix a couple of holes in the XML-RPC interface and the comment system.

Also, work done by XOOPS JP and JM2 and the zx team helped with a couple of other bugs and issues.

We therefore recommend everyone to upgrade to version 2.0.12a, available from this site.

Upgrade instructions:
1. Download patch
2. Extract patch
3. Upload patch to webserver (NOTE: ONLY upload modules/newbb/post.php if you use Newbb version 1.0)
4. Update System Module
5. That's it


Mithrandir  08-Mar-2005 21:26  25526 reads  41
A vulnerability has been reported in the XOOPS core that allows registered users to upload possibly malicious scripts to the webserver.

The vulnerability is in the upload of custom avatars and until we have complete overview of the consequences and correction of this exploit, we advise all XOOPS site administrators to TURN OFF CUSTOM AVATAR UPLOAD in System Admin -> Preferences -> User Info Settings -> "Allow Custom Avatar Upload"

ALSO, do NOT allow any non-trusted users to upload images through the image manager. i.e. in Administration Menu -> System Admin -> Images edit each and every category to NOT allow uploading by non-trusted usergroups.

We will keep you informed as soon as we have a fix for this exploit.

XOOPS Core Development Team

Preventing IE6 from blocking I-stats cookies

janmetpet  10-Jun-2004 10:20  5380 reads  5
I use I-stats, a pretty decent stats module. The thing is that my IE6 keeps flagging up a cookie block from this module and thereby messing up my stats by presenting every pageview as a unique visitor.

I asked around and was unable to get answers in the forum, so I did some research myself. The quick solution?


goonsqad  07-Dec-2003 07:07  13364 reads  2
The PHLAK team over at will be releasing PHLAK 0.2 very soon. PHLAK is a modular live security distribution. It includes tools to perform network analysis, vulnerability assessment, mitm attacks, forensics and more. PHLAK has chosen Xoops to be the structural base of their website. Come check us out.
Short description:

An attacker can use this flaw to execute arbitrary code of his choice on the remote system, run with the privileges of httpd. The code can be written in any scripting language whose parser is run in the remote system in cooperation with httpd, whether as module or executable.

PHP 4.3.1 released in response to CGI vulnerability

w4z004  18-Feb-2003 11:31  4589 reads  0
The PHP Group today announced the details of a serious CGI vulnerability in PHP version 4.3.0. A security update, PHP 4.3.1, fixes the issue. Everyone running an affected version of PHP (as CGI) is encouraged to upgrade immediately. The new 4.3.1 release does not include any other changes, so upgrading from 4.3.0 is safe and painless.

MySQL 3.23.55 Released

w4z004  01-Feb-2003 02:44  4662 reads  0
MySQL 3.23.55, a new version of the popular Open Source Database, has been released. It is now available in source and binary form for a number of platforms from our download pages at and mirror sites.

Note that not all mirror sites may be up to date at this point of time - if you can't find this version on some mirror, please try again later or choose another download site.

SecurityTracker Alert ID: 1005863
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 27 2002

Impact: Denial of service via network, Execution of arbitrary code via network, User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Version(s): after 4.1.2 and before 4.3.0

Description: A buffer overflow vulnerability was reported in PHP. A remote user could cause the web service to crash or possibly execute arbitrary code.


Security vulnerability in Gallery 1.1, 1.2.x, 1.3

onokazu  02-Aug-2002 20:57  4530 reads  0
Anybody using Gallery on their site should upgrade it right now. There will be no change to the files included in the XOOPS patch for Gallery, so just upgrade your Gallery to the latest version and apply the XOOPS patch again if you would like to keep using it as an XOOPS module.


An alert system administrator for PowerTech, an ISP in Norway, discovered a security vulnerability in Gallery yesterday. This security hole is a serious one; with it a malicious user can install a backdoor on your system and gain shell access with the same privileges as your webserver user. It's important that you realize that there are malicious people exploiting this bug *right* *now*. Read through to the bottom of this email for a list of IP addresses of sites that we believe may already be hacked, and ways to detect if you've been hacked.

Update: The most secure version of Gallery available is v1.3.1-cvs-b13. Upgrade ASAP.

Source: News at Gallery website

You can also download the patch at where you can find some detailed instructions for installing Gallery as a XOOPS module.

Security hole in PHP

onokazu  28-Feb-2002 13:05  4585 reads  0
A security issue was found in all versions of PHP, including 3.x and 4.x versions. If you are running PHP on your server (I'm sure you all here are), either upgrade your PHP or install the patch found at If you can't upgrade your PHP, because your site is hosted by an ISP, tell them to do so as soon as possible. This is NOT a security hole of XOOPS. It doesn't matter which PHP script you use on your server, since this is a problem in PHP itself.

-- Update -- By BoobToob, Thursday Feb. 28th, 2002

Please read the full text of this article. I posted the submission from Security Focus that gets very specific about what versions of PHP are affected and how to plug your current holes. I'm sending this to my ISP as we speak.

Eric Caldwell aka BoobToob

"Nukes" Security Hole !!

WildMan  08-Jan-2002 16:48  3742 reads  0
I run the site GroundZero. A while back it got hacked several times in a row. All that was done was replacing the index so not really a big deal but annoying. I now know how they were able to gain access to my site and they could very easily do it to some of yours...

Remove your install.php!

MasterE  08-Jan-2002 15:41  4268 reads  0
I checked several sites which use XOOPS and found out some of them didn't delete the install script. The sites I checked received an email about it. Be warned!
