Re: Xoops RC3 script injection vulnerability
| Xoops settings: admin > system admin > preferences > html OFF (for what do you think that exists??)

The webmaster must do it himself. I said that if he doesn't take care, some code will be inserted. That's why I called it a vulnerability and not a hole, as you said (there's a difference).

| Nope, we can't add every new vulnerability to the textsanitizer.

But that's what the French team told me by mail. And you can also see it at this link: http://www.frxoops.org/modules/news/article.php?storyid=576. So if the XOOPS team gives wrong information, I'm not responsible for this kind of error.

dAs
http://www.echu.org
Re: Xoops RC3 script injection vulnerability
In-Reply-To: [EMAIL PROTECTED]

| Xoops RC3 script injection vulnerability
| PROGRAM: Xoops
| VENDOR: http://www.xoops.org/
| VULNERABLE VERSIONS: RC3.0.4, possibly previous versions
| IMMUNE VERSIONS: no immune current versions
| SEVERITY: high

This is not correct. Immune versions: no immune?? Xoops settings: admin > system admin > preferences > html OFF (for what do you think that exists??). This is not a HOLE in Xoops. You are using a bad setting on your site. The next RC of Xoops has totally disabled HTML posts for users; it only accepts bbcode.

| Vendor status
| I wanted to inform someone from Xoops.org but the website wasn't available, so I informed the French team. They weren't aware of this problem so they transmitted it to the Dev Team. The Dev Team had already located the vulnerability, which is not specific to Xoops but shared with many scripts. In a future version, a new filter will be inserted in the textsanitizer to reduce this risk even more.

Nope, we can't add every new vulnerability to the textsanitizer; the solution is simpler: totally disable HTML posts for users. If you add each little vulnerability to the textsanitizer, the file is going to reach 1 MB :-)

w4z004
Xoops Spanish Support
Xoops Dev Team
Re: Xoops RC3 script injection vulnerability fixed
In-Reply-To: [EMAIL PROTECTED]

RC3.0.5 is released to fix a security vulnerability recently posted on the Bugtraq ML.

Overview
===
There was a vulnerability when a user previews/submits a news item in the News module: HTML tags were allowed to be processed.

Solution
===
All users are strongly recommended to download the following packages and upgrade to this version.

New Users
  Download Full RC3.0.5 Package: http://www.xoops.org/modules/mydownloads/viewcat.php?cid=16

RC3.0.4 Users
  RC3.0.4-RC3.0.5 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=232
  RC3.0.4-RC3.0.5 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=231

RC3.0.3 Users
  RC3.0.3-RC3.0.4 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=187
  RC3.0.4-RC3.0.5 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=232
  RC3.0.3-RC3.0.4 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=186
  RC3.0.4-RC3.0.5 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=231

RC3.0.2 Users
  RC3.0.2-RC3.0.3 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=173
  RC3.0.3-RC3.0.4 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=187
  RC3.0.4-RC3.0.5 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=232
  RC3.0.2-RC3.0.3 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=172
  RC3.0.3-RC3.0.4 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=186
  RC3.0.4-RC3.0.5 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=231

RC3.0.1 Users
  RC3.0.1-RC3.0.2 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=167
  RC3.0.2-RC3.0.3 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=173
  RC3.0.3-RC3.0.4 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=187
  RC3.0.4-RC3.0.5 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=232
  RC3.0.1-RC3.0.2 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=160
  RC3.0.2-RC3.0.3 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=172
  RC3.0.3-RC3.0.4 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=186
  RC3.0.4-RC3.0.5 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=231

RC3.0.0 Users
  RC3.0.0-RC3.0.1 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=161
  RC3.0.1-RC3.0.2 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=167
  RC3.0.2-RC3.0.3 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=173
  RC3.0.3-RC3.0.4 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=187
  RC3.0.4-RC3.0.5 Upgrade Package (zip): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=232
  RC3.0.0-RC3.0.1 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=168
  RC3.0.1-RC3.0.2 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=160
  RC3.0.2-RC3.0.3 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=172
  RC3.0.3-RC3.0.4 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=186
  RC3.0.4-RC3.0.5 Upgrade Package (tar.gz): http://www.xoops.org/modules/mydownloads/singlefile.php?lid=231

Note
==
From this release, users are not allowed to use HTML tags when posting news/comments. As for forum posts, users can still use HTML as long as HTML tags are enabled in the posting forum. However, we advise you to always disable HTML posts in forums as well.
Xoops RC3 script injection vulnerability
Xoops RC3 script injection vulnerability

PROGRAM: Xoops
VENDOR: http://www.xoops.org/
VULNERABLE VERSIONS: RC3.0.4, possibly previous versions
IMMUNE VERSIONS: no immune current versions
SEVERITY: high

Product Description
===
XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS is the ideal tool for developing small to large dynamic community websites, intra-company portals, corporate portals, weblogs and much more (so says the vendor website). It can be found at http://www.xoops.org

Tested version
===
Xoops RC3.0.4, the current version (maybe previous versions are also vulnerable).

Description
===
The problem appears when a user posts a news item: a vulnerability exists in Xoops RC3 that allows a typical IMG attack against visitors:

  IMG SRC=javascript:[javascript]

The problem
===
A badly disposed member can propose a news item containing code (for a news item containing a code sample of a new vulnerability, for example), and if webmasters or moderators don't take care, they will approve the news.

Vendor status
===
I wanted to inform someone from Xoops.org but the website wasn't available, so I informed the French team. They weren't aware of this problem so they transmitted it to the Dev Team. The Dev Team had already located the vulnerability, which is not specific to Xoops but shared with many scripts. In a future version, a new filter will be inserted in the textsanitizer to reduce this risk even more.

Solution
===
There's no secure release of Xoops, so the only solution at this moment is to disable HTML in each post, to avoid the problem.

Links
===
Vendor: http://www.xoops.org
Vendor French team: http://www.frxoops.org
This vulnerability's original paper can be found here: http://www.echu.org/modules/news/article.php?storyid=95

--
David Suzanne (aka dAs)
[EMAIL PROTECTED]
http://www.echu.org

Get your free encrypted email at https://www.hushmail.com
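The two positions argued in this thread (the advisory's "IMG SRC=javascript:" injection when HTML posting is on, and the RC3.0.5 fix of refusing HTML and accepting only bbcode) are shown side by side below as an added example. It is not code from the thread or from XOOPS's own textsanitizer; the payload string, the bbcode subset ([b], [i], [u], [url], [img]) and the URL scheme allowlist are the editor's assumptions. One caveat the thread does not spell out: switching from HTML to bbcode only closes the hole if the bbcode renderer also checks the scheme of every URL it emits, because an unchecked [img]javascript:...[/img] would rebuild the very same IMG attack. The example therefore allowlists schemes rather than blocklisting "javascript:", and adds a coarse moderator flag for sites that insist on keeping HTML on.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input modelled on the "IMG SRC=javascript:" pattern the
# advisory names; the alert() body is a placeholder, not a real payload.
IMG_JS_PAYLOAD = '<IMG SRC="javascript:alert(document.cookie)">'

# Assumed allowlist of URL schemes a bbcode [url]/[img] tag may carry.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}


def safe_url(url: str) -> Optional[str]:
    """Return url if its scheme is on SAFE_SCHEMES, otherwise None.

    Allowlisting (instead of blocklisting 'javascript:') also drops data:,
    vbscript: and scheme-less oddities. Control characters are refused
    outright because 'java\\tscript:' style splitting is a classic way to
    smuggle a scheme past a naive substring check.
    """
    url = url.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return None
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in SAFE_SCHEMES else None


_BB_URL = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S)
_BB_IMG = re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S)
_BB_SIMPLE = {"b": "strong", "i": "em", "u": "u"}


def render_post(text: str, html_allowed: bool) -> str:
    """Render user-submitted text for display.

    html_allowed=True reproduces the 'html ON' preference the thread argues
    about: raw markup reaches the visitor's browser untouched.
    html_allowed=False is the bbcode-only approach RC3.0.5 moved to: every
    HTML metacharacter is escaped first, then a small bbcode subset is
    rebuilt on top of the escaped text, with URL schemes allowlisted.
    """
    if html_allowed:
        return text

    out = html.escape(text, quote=True)

    def url_repl(m: "re.Match[str]") -> str:
        href = safe_url(html.unescape(m.group(1)))
        if href is None:
            return m.group(2)  # keep the link text, drop the unsafe target
        return f'<a href="{html.escape(href, quote=True)}">{m.group(2)}</a>'

    def img_repl(m: "re.Match[str]") -> str:
        src = safe_url(html.unescape(m.group(1)))
        if src is None:
            return ""  # an image with an unsafe src is dropped entirely
        return f'<img src="{html.escape(src, quote=True)}" alt="">'

    out = _BB_URL.sub(url_repl, out)
    out = _BB_IMG.sub(img_repl, out)
    for tag, element in _BB_SIMPLE.items():
        out = re.sub(rf"\[{tag}\](.*?)\[/{tag}\]", rf"<{element}>\1</{element}>",
                     out, flags=re.I | re.S)
    return out


# Coarse pre-moderation flag for sites that keep HTML on: it catches the
# plain form of the attack so a moderator need not spot it by eye. It is
# deliberately not a filter (entity-encoded or split variants slip past it);
# the fix remains turning HTML off.
_JS_URL_ATTR = re.compile(
    r"""(?:src|href|action|background|lowsrc)\s*=\s*["']?\s*javascript:""", re.I)


def flags_for_moderator(raw_html: str) -> bool:
    return bool(_JS_URL_ATTR.search(raw_html))


if __name__ == "__main__":
    print(render_post(IMG_JS_PAYLOAD, html_allowed=True))   # attack survives
    print(render_post(IMG_JS_PAYLOAD, html_allowed=False))  # inert text
    print(render_post("[img]javascript:alert(1)[/img] [b]ok[/b]", html_allowed=False))
    print(flags_for_moderator(IMG_JS_PAYLOAD))
```

The order of operations matters: escape first, then rebuild bbcode, never the reverse, so that nothing the user typed can ever be interpreted as a tag. The scheme check is applied to the unescaped attribute value and the result is escaped again before it is placed in the attribute.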