In-Reply-To: <200209241358.g8ODwqx97021@mailserver2.hushmail.com>

>--------------------------------------------
>| Xoops RC3 script injection vulnerability |
>--------------------------------------------
>
>
>PROGRAM: Xoops
>VENDOR: http://www.xoops.org/
>VULNERABLE VERSIONS: RC3.0.4, possibly previous versions
>IMMUNE VERSIONS: no immune current versions
>SEVERITY: high
>

This is not correct:

immune versions: no immune ??

Xoops settings: admin > system admin > preferences > html OFF (what do you think that exists for??)

This is not a HOLE in Xoops. You used a bad setting on your site. The next RC of Xoops has totally disabled HTML posting for users and only accepts BBCode.

>Vendor status
>=============
>I wanted to inform someone from Xoops.org but the website wasn't available, so I informed the French team. They weren't aware of this problem so they transmitted it to the Dev Team. The Dev Team had already located the vulnerability, which is not specific to Xoops but is common to many scripts.
>In a future version, a new filter will be inserted in the textsanitizer to further reduce this risk.

Nope, we can't add every new vulnerability to the textsanitizer; the solution is simpler: totally disable HTML posting for users. If you add each little vulnerability to the textsanitizer, the file will grow to 1 MB :-)

w4z004
Xoops Spanish Support
Xoops Dev Team
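The two approaches discussed in the thread, a blacklist filter in the textsanitizer versus switching HTML posting off and rendering only BBCode, can be shown side by side. The following is an added example written for this page; it is not Xoops code, and the function names, the BBCode subset and the sample post are this example's own assumptions. With "HTML on" the post is echoed as the user wrote it, so the embedded script reaches the browser; with "HTML off" every character that HTML cares about is escaped first and a fixed whitelist of BBCode tags is then turned into markup the site itself generates, so no user-supplied tag or attribute survives regardless of which new tricks are discovered later.

```php
<?php
// Added example, not Xoops code: "HTML on" versus "HTML off, BBCode only".
// Function names and the BBCode subset are assumptions made for this example.

// Constructed sample post: legitimate BBCode mixed with two injection attempts
// (a raw <script> tag and a javascript: URL inside a [url] tag).
const SAMPLE_POST = '[b]hello[/b] [url=http://www.xoops.org/]Xoops[/url] '
    . '<script>alert(1)</script> [url=javascript:alert(1)]click[/url]';

// "HTML on": the post is emitted unchanged, so <script> is delivered as markup.
function render_html_on(string $post): string
{
    return $post;
}

// "HTML off, BBCode only": escape everything first, then render a whitelist.
// Order matters: escaping happens before any tag is produced, so the only
// angle brackets and quotes in the output are the ones written here.
function render_bbcode_only(string $post): string
{
    $out = htmlspecialchars($post, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Simple inline tags: content between them is already escaped text.
    $out = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $out);
    $out = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $out);

    // [url=...]text[/url]: only http(s) targets are turned into links. The
    // target is matched on the escaped string, so a literal quote or angle
    // bracket cannot appear in it (they were converted to entities above), and
    // javascript: or data: URLs simply fail the pattern and stay as plain text.
    $out = preg_replace_callback(
        '~\[url=(https?://[^\s\[\]"\'<>]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            return '<a href="' . $m[1] . '">' . $m[2] . '</a>';
        },
        $out
    );

    return $out;
}

// Usage: compare what each setting sends to the browser for the same post.
echo "HTML on:\n" . render_html_on(SAMPLE_POST) . "\n\n";
echo "HTML off, BBCode only:\n" . render_bbcode_only(SAMPLE_POST) . "\n";
```

With HTML on, the output contains `<script>alert(1)</script>` verbatim. With HTML off it contains `&lt;script&gt;alert(1)&lt;/script&gt;`, the `[b]` and `[url=http://...]` tags become `<strong>` and `<a href="http://www.xoops.org/">`, and the `[url=javascript:...]` tag is left as escaped text because it never matches the whitelist. That is the practical difference between chasing each new payload in a sanitizer and refusing raw HTML altogether.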