Xoops RC3 script injection vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


--------------------------------------------
| Xoops RC3 script injection vulnerability |
--------------------------------------------


PROGRAM: Xoops
VENDOR: http://www.xoops.org/
VULNERABLE VERSIONS: RC3.0.4,possibly previous versions
IMMUNE VERSIONS: no immune current versions
SEVERITY: high


Product Description
=================== 
"XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS is the ideal tool for developing small to large dynamic community websites, intra company portals, corporate portals, weblogs and much more." dixit vendor website.
It can be found at http://www.xoops.org


Tested version
==============
Xoops RC3.0.4, current version (maybe previous versions are also vulnerables).


Description
============ 
The problem appears when a user post a news, a vulnerability exists in Xoops RC3 that allow a typical IMG attack against visitors :

<IMG SRC="javascript:[javascript]"> 


The problem
=========== 
A badly disposed member can propose a news containing code (for une news containing code sample of a new vulnerability for example) and if webmasters or moderators don't take care, they will approve the news.


Vendor status
=============
I wanted to inform someone from Xoops.org but the website wasn't available, so I informed the French team. They weren't aware of this problem so they transmitted it to the Dev Team. The Dev Team had already located the vulnerability which is not specific to Xoops but with much of scripts.
In future version, a new filter will be inserted in the textsanitizer to avoid even more this risk.


Solution
========
There's no secure release of Xoops, so the unique solution is, at this moment to disable Html in each post, to avoid the problem.


Links
=====
Vendor: http://www.xoops.org
Vendor French team: http://www.frxoops.org

This vulnerability's orginal paper can be found here: http://www.echu.org/modules/news/article.php?storyid=95


------------------------------
David Suzanne (aka dAs)
das@echu.org
http://www.echu.org



Get your free encrypted email at https://www.hushmail.com
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux