1
Kent
Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 3:38

  • Kent

  • Just popping in

  • Posts: 15

  • Since: 2002/4/19


This is a heads up for anyone who has "lastposts" module installed on their XOOPS system. There is a major security flaw that allows people to post raw html to the rendered page displaying anything they want. I'm going to pick this module apart to see what I can do to fix it, but if someone else would like to help I'm not a very good PHP developer and would love any help I can get. If I can, I would like to change the module so it's ready for Xoops2.0.6 complete with templates.

You've been informed... hopefully none of the web sites are hacked with this module installed.


2
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 11:00

  • Anonymous

  • Posts: 0

  • Since:


Orgin and myself pulled together a quick patch which fixes this ( we think! ).

The problem seems to be the topic itself is not safed so HTML can be put in there and all sorts.

It looks like the author of the module intended to safe it, but didn't get around to it.

In the index.php for the module you will need to drop these lines in:

$topic_title = $myts->makeTboxData4Show($arr["topic_title"]);
echo "&nbsp;&nbsp;<a href='".XOOPS_URL."/modules/newbb/viewtopic.php?topic_id=" . $arr["topic_id"] . "&forum=" . $arr["forum_id"] . "'>".$topic_title."</a>";

To replace

echo "&nbsp;&nbsp;<a href='".XOOPS_URL."/modules/newbb/viewtopic.php?topic_id=" . $arr["topic_id"] . "&forum=" . $arr["forum_id"] . "'>".$arr["topic_title"]."</a>";

Regards

DaveP of AmigaWorld.net
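The fix Dave describes, as an added PHP example that is not the lastposts module's own code: a stand-in for XOOPS's MyTextSanitizer::makeTboxData4Show() (assumed here to be equivalent to htmlspecialchars() with ENT_QUOTES), the unpatched and patched link rendering side by side, and a check that the stored title no longer reaches the page as markup. Beyond the thread's patch, the example also casts the two ids to int; XOOPS_URL and the sample row are constructed values.

```php
<?php
// Added example, not the lastposts module's own code.
// XOOPS_URL and the row further down are constructed values.
define('XOOPS_URL', 'https://example.invalid');

// Assumption: a stand-in for XOOPS's MyTextSanitizer::makeTboxData4Show(),
// treated here as equivalent to htmlspecialchars() with ENT_QUOTES.
class StandInTextSanitizer
{
    public function makeTboxData4Show($text)
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// The link as the unpatched module builds it: the title is echoed verbatim,
// so any markup stored in topic_title lands in the page unchanged.
function renderLinkUnpatched(array $arr)
{
    return "&nbsp;&nbsp;<a href='" . XOOPS_URL . "/modules/newbb/viewtopic.php?topic_id="
        . $arr['topic_id'] . "&forum=" . $arr['forum_id'] . "'>" . $arr['topic_title'] . "</a>";
}

// The link with Dave's patch applied: the title goes through the sanitizer.
// Beyond the thread's patch, the ids are cast to int so only digits reach the href.
function renderLinkPatched(array $arr, $myts)
{
    $topic_title = $myts->makeTboxData4Show($arr['topic_title']);
    return "&nbsp;&nbsp;<a href='" . XOOPS_URL . "/modules/newbb/viewtopic.php?topic_id="
        . (int) $arr['topic_id'] . "&forum=" . (int) $arr['forum_id'] . "'>" . $topic_title . "</a>";
}

// Check: the text between the anchor's "'>" and "</a>" must contain no raw '<'.
function titleIsInert($html)
{
    $start = strpos($html, "'>") + 2;
    $end   = strrpos($html, '</a>');
    return strpos(substr($html, $start, $end - $start), '<') === false;
}

// Constructed row standing in for one fetched from the newbb topics table.
$row = array('topic_id' => '42', 'forum_id' => '3',
             'topic_title' => 'Prices <b>&</b> "quotes" <i>in titles</i>');
$myts = new StandInTextSanitizer();

echo "unpatched: " . renderLinkUnpatched($row) . "\n";
echo "patched:   " . renderLinkPatched($row, $myts) . "\n";
var_dump(titleIsInert(renderLinkUnpatched($row)));
var_dump(titleIsInert(renderLinkPatched($row, $myts)));
```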

3
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 11:58

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


Dave,

Thanks for the help, but you must be running a different version than we have. The text above is not in the version we have at all. As a matter of fact, the text you suggest already is in there (verbatim) so I would presume that you might want to do a little testing. Sounds like yours is still hackable.

Wayne

4
Society
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:01

  • Society

  • Not too shy to talk

  • Posts: 178

  • Since: 2002/1/10


Hey, I was an Amiga user, too. :)
You know SMSEngineers MUI? :) It was my proggy.... coded in BlitzBasic :)


5
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:02

  • Anonymous

  • Posts: 0

  • Since:


Wayne

No problem. This patches our version for the exploit that Kent describes, the former is the patching text and the latter is the text that needs patching.

If you guys can put some test cases up there we can see what might still be exposed, I hear rumours of being able to inject and inspect the database, but haven't been able to reproduce that at all on our XOOPS.

Regards

Dave.

6
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:11

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


The version we started with was: "Modified 07.10.2002" (The CVS info says version 1.1) and doesn't include the "former text". It does already include your proposed fix, so I'm presuming that you guys are running a different version than we are. In any event, the fact that your proposed fix is identical to what we're already running means that there's still a very big problem on your site.

I don't think anyone here wants us to publicly post how their site can be easily destroyed (if they're running the lastposts module), so I'm sure if you ask Kent privately, he'll be glad to describe it.

Hopefully you're not affected, in which case I'd ask that you consider mailing me a copy of that module (which seems to be abandoned by the author).

Wayne

7
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:16

  • Anonymous

  • Posts: 0

  • Since:


Wayne

We have the same module. Although that could be someone not putting up change history!

The former text is the patch, the latter text is what is already there in the module.

Dave.

8
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:19

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


Dave,

Sorry about that. I misread your original post as saying the "former" (first) text was that which had to be replaced with the latter. That's what I get for waking up at 5:30 am on a Friday morning.

Let us test and I'll get back to you.

9
Anonymous
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 12:26

  • Anonymous

  • Posts: 0

  • Since:


Wayne

Absolutely no problem whatsoever. I've got flu so I probably didn't explain myself too well.

Dave.

10
Wayne
Re: Last Posts v1.0 -- WARNING! (Xoops1 & Xoops2 included)
  • 2004/2/13 13:58

  • Wayne

  • Just popping in

  • Posts: 35

  • Since: 2002/2/13


Dave

1) Hope you get to feeling better
2) The hack seems to have cleared up the immediate issue, though it was more difficult for me running both X1 and X2 (on our dev site). Thanks.

Everyone else: Evaluate and apply the patch above to the index.php for your lastposts module as quickly as possible. Using the unmodified module, it is possible to do really nasty things to both your site and the machines of your visitors. I know that *I* am amazed that no one else caught this major security hole in two years.

Kent and I will be working on taking over the Lastposts module for XOOPS 2.x, unless we hear of someone else doing it first. The programming for XOOPS 2.x is much more convoluted and hard to follow, so it may take a while for us to get our bearings between family, work, and school (all of which take precedence).
