XOOPS 2.0.13 Security Release

Posted by Mithrandir on 2005/7/2 5:44:55 (9347 reads) | Posted on XOOPS
Earlier this week, I had some conversations with James from GulfTech Research and Development about a security hole in the XML-RPC interface.

We worked together on finding a solution and also found one - but unfortunately it was not a universal solution, which we now correct with XOOPS 2.0.13, which also solves some other sanitization issues where the server's magic_quotes_gpc setting was not taken correctly into consideration.

Everyone is urged to upgrade to 2.0.13 at earliest convenience and the XOOPS Core Development team apologizes for the high frequency of updates this week.

Upgrade Instructions
1. Download Patch
2. Extract Patch
3. Upload Patch files (four files) to webserver
4. That's it - no need to update System Module for this one

XOOPS 2.0.13 Stable
.zip | tarball
XOOPS 2.0.12a to 2.0.13 patch
.zip | tarball


The comments are owned by the poster. We aren't responsible for their content.

wow.. another quick release... thanks Mith.
Posted: 2005/7/2 6:10 • Updated: 2005/7/2 6:10
I would rather see frequent releases, than have security problems.

Good work Mith and all concerned.
Posted: 2005/7/2 6:12 • Updated: 2005/7/2 6:12
Thanks Mithrandir,

I update 2.0.12a and it works fine with xlanguage2.0.

But 2.0.13, unfortunately it doesn't work with xlanguage2.0.
Posted: 2005/7/2 6:28 • Updated: 2005/7/2 6:51
Hi, after waiting to see what happens after a few probs with these patches, it seems I have missed the boat lol. I can't seem to download the 2.0.12a patch, the site just times out with an error. I am still on 2.0.10. What is the process for getting from 2.0.10 to 2.0.13? I am lost lol. Cheers, any help would be appreciated.
Posted: 2005/7/2 6:41 • Updated: 2005/7/2 6:41
You can get 2.0.10-to-2.0.12a directly from SourceForge:
http://prdownloads.sourceforge.net/xo ... 0-to-2.0.12a.zip?download
Posted: 2005/7/2 6:43 • Updated: 2005/7/2 6:43
Thanx Mith.
Posted: 2005/7/2 6:44 • Updated: 2005/7/2 6:44
I am also still at 2.0.10 and waiting for the 2.2 release. Will there be an upgrade package for 2.0.10 or only from 2.0.13 (or later?).

It's such a fuss updating five sites...
Posted: 2005/7/2 7:03 • Updated: 2005/7/2 7:03
I'm still waiting for 2.2, but tried several versions with a 'new' install on my localhost. Interesting: will 2.2 be a lot late?
Posted: 2005/7/2 7:15 • Updated: 2005/7/2 7:15
XOOPS 2.2 is on schedule for a release next Sunday (July 10th)

The more people testing the current CVS Nightly (except the PM module, which is still in development), the higher the chance of the on-time release.
Posted: 2005/7/2 7:26 • Updated: 2005/7/2 7:26
Quote:
Will there be an upgrade package for 2.0.10 or only from 2.0.13 (or later?).

It's such a fuss updating five sites...

You will be able to upgrade directly from 2.0.10 to 2.2 - however, an actual upgrade package might be somewhat difficult, or at least extensive.

In any case, you will be able to apply the full 2.2 package on a 2.0.10 (or later) installation and upgrade. So now's the time to note down those changes to the core you may have made.
Posted: 2005/7/2 7:27 • Updated: 2005/7/2 7:27
Looool, I can't remember, so probably I will find out all the things again in 2.2 and change them... Smart idea to document them, however...
Posted: 2005/7/2 7:45 • Updated: 2005/7/2 7:45
Upgraded without problems. Good work.
Posted: 2005/7/2 8:32 • Updated: 2005/7/2 8:32
I just noticed that a lot of files that are updated have an empty line at the end of the file, which will result in PHP sending headers and which will eventually result in errors.

Example of files: class/criteria.php and include/checklogin.php. I downloaded the tar.gz packages. Please fix this.
Posted: 2005/7/2 8:59 • Updated: 2005/7/2 8:59
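Added example, not part of the original thread and not XOOPS code: a Python check for the problem reported in the comment above, PHP files that carry more than the single newline PHP ignores after the closing `?>` (or any whitespace or BOM before the opening tag) and therefore send output before the headers. The function names are hypothetical and the sample tree is constructed; only the two file paths are taken from the comment.

```python
import os
import tempfile

def check_php_bytes(data):
    """Return the reasons a PHP file would emit output as soon as it is included."""
    problems = []
    if data[:1].isspace() or data.startswith(b"\xef\xbb\xbf"):
        problems.append("output before opening tag")
    pos = data.rfind(b"?>")
    if pos != -1:
        tail = data[pos + 2:]
        # PHP itself swallows one newline placed directly after the closing tag.
        for newline in (b"\r\n", b"\n"):
            if tail.startswith(newline):
                tail = tail[len(newline):]
                break
        # Whitespace-only remainder is the reported case; other text is template markup.
        if tail and not tail.strip():
            problems.append("%d stray whitespace byte(s) after closing ?>" % len(tail))
    return problems

def scan_tree(root):
    """Map relative path -> problems for every .php file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as handle:
                    problems = check_php_bytes(handle.read())
                if problems:
                    findings[os.path.relpath(path, root).replace(os.sep, "/")] = problems
    return findings

def demo():
    # Constructed sample tree (not real XOOPS file contents).
    samples = {
        "class/criteria.php": b"<?php\nclass Criteria {}\n?>\n\n",  # extra blank line
        "include/checklogin.php": b"<?php\n$ok = true;\n?>\n",       # clean
        "include/functions.php": b"<?php\nfunction f() {}\n",        # no closing tag
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree()` on an unpacked release before uploading it; files that omit the closing `?>` entirely cannot have this problem and are reported clean.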
How to upgrade from 2.0.9.3 to 2.0.13?
any easy way?
Posted: 2005/7/2 9:40 • Updated: 2005/7/2 9:40
Good, and it works without problems.
thanks.
Posted: 2005/7/2 10:05 • Updated: 2005/7/2 10:05
To be on the safe side of upgrades, always do incremental upgrades.

Look at all the upgrade packages available and upgrade per the logical numbering system.

If you are certain the upgrade does not have any Database modifications, then uploading the latest version full package and updating your System will do.
Posted: 2005/7/2 10:11 • Updated: 2005/7/2 10:11
Since there are no Database changes since xoops 2.0.9.3 you can download the whole full latest STABLE xoops version and upload it to your server. (overwrite the existing files with the exception of your mainfile.php !!!!!)
Upgrade admin/modules/system and, to be sure everything will go all right, all your modules.
grtz., Shine
Posted: 2005/7/2 10:18 • Updated: 2005/7/2 10:18
all systems go with 2.0.13...

thx!
Posted: 2005/7/2 10:24 • Updated: 2005/7/2 10:24
5 sites updated with no problems. Thanks guys!
Posted: 2005/7/2 10:34 • Updated: 2005/7/2 10:34
Quote:
Skara wrote:
How to upgrade from 2.0.9.3 to 2.0.13?
any easy way?

Easiest way is to download all patches to your harddrive, unpack them to separate folders, create a new 'big patch' folder and copy the 2.0.9.3 patch files there. Then add the 2.0.10 files, overwriting any existing files in the 2.0.9.3 patch, and continue this process until you have made sure you have all the files included in all the patches, and the latest versions of those that feature in more than one patch release. Then upload it all to the server, overwriting the originals.

Herko
Posted: 2005/7/2 11:49 • Updated: 2005/7/2 11:49
Hello!

I am still running Xoops 2.0.7.3 on a very big website. Now I would like to know something.

Can I upgrade to 2.0.13 ?

I am using modules:

- TinyEvent 1.01
- Edito 2.2
- CBB 1.14
- Shoutbox 3.1
- Articles 0.25
- MyMenu 1.4
- Database tools 1.1
- Liaise 1.21
- BopComments 0.71
- xoops modules that come with the package

Will those modules work normally after upgrade?

Can I unpack Xoops 2.0.13 stable and overwrite to server all except mainfile.php and then only update system module? Will it work?

Thanks!

EDIT: Ok, jdseymour is helping me ... you don't have to answer.
Posted: 2005/7/2 12:02 • Updated: 2005/7/2 13:04
Quote:
You will be able to upgrade directly from 2.0.10 to 2.2 - however, an actual upgrade package might be somewhat difficult, or at least extensive.

In any case, you will be able to apply the full 2.2 package on a 2.0.10 (or later) installation and upgrade. So now's the time to note down those changes to the core you may have made.


Will you be providing an upgrade package from 2.0.10? I have 2 sites running that version because I have heavily modified them for speed and I didn't want to upgrade till 2.2 since it would be somewhat of a hassle modifying the code.
Posted: 2005/7/2 15:40 • Updated: 2005/7/2 15:40
@Gambero

Liaise 1.21 will not work with xoops 2.0.10 (as far as I'm aware)

you will need to also update that to 1.23 version.
Posted: 2005/7/2 15:46 • Updated: 2005/7/2 15:46
Gambero,

I've upgraded to 2.12a from 2.0.7.3, and had problems with newbb - had to update newbb again (but that's only me misreading instructions).

Question to others: I've seen that there is another newbb update in 2.0.13 package. Should I ignore it, if I use newbb2?
Posted: 2005/7/2 17:47 • Updated: 2005/7/2 17:47
Quote:
Question to others: I've seen that there is another newbb update in 2.0.13 package. Should I ignore it, if I use newbb2?


Always ignore it and also ignore news too in the upgrade packs, if you are using newbb2 or news 1.2 or later.
Posted: 2005/7/2 18:16 • Updated: 2005/7/2 18:16
The update went great! No problems!

And I updated liaise module and works great!
Posted: 2005/7/2 18:30 • Updated: 2005/7/2 18:30
Quote:
Question to others: I've seen that there is another newbb update in 2.0.13 package. Should I ignore it, if I use newbb2?


Yes only updates to newbb 1 will be included in the patch. If you use newbb 2/ CBB delete the newbb folder from the patch.
Posted: 2005/7/2 18:44 • Updated: 2005/7/2 18:44
Version already available in XOOPS Paraná and in XOOPS BR in the Brazilian language

Quote:
the XOOPS Core Development team apologizes for the high frequency of updates this week.


I think apologies for updates are not necessary, because the updates come precisely to help all of the users of XOOPS.

In our country we have a saying: it is by making mistakes that one learns.
Posted: 2005/7/2 19:16 • Updated: 2005/7/2 19:16
yep. better to get them out straight away once u fixed the holes and bugs. and before everyone had already updated.. now they needn't bother with 2.0.11 or 2.0.12 can goto 2.0.13.

saves being like micro$oft and waiting till a million people have been hacked before releasing a fix for it that they've held onto for 6 months.. lol slight exaggeration, or is it? hehehe
Posted: 2005/7/2 19:23 • Updated: 2005/7/2 19:23
Hey yall,
will it be safe to upgrade from 2.0.12 to 2.0.13?
I don't see a patch for 2.0.12 to 2.0.12a, but, I may have missed it!
Any input would be appreciated.
Thanks
Joe
Posted: 2005/7/3 10:43 • Updated: 2005/7/3 10:43
Upgrade from 2.0.7.3 -> 2.0.13 went flawlessly.
(uploaded and overwritten the whole xoopscore)

Indeed there are a lot of files with empty lines on the end (as Jan304 already said.) Went to all the files and deleted those lines first.

One request:
Within module.textsanitizer.php, approx. lines 154-155, there is a handy code: [siteurl]
I always use this code if I want to make an internal link. Frustratingly, by default it always pops up in a new window. Why not delete the target=_blank in this piece of code? Otherwise we have 2 options, [url] and [siteurl], with the same window opening.

Grtz., Shine
Posted: 2005/7/3 10:48 • Updated: 2005/7/3 10:48
Upgraded from 2.0.12a > 2.0.13 without a hitch.

Awesome work to all who were involved!


Posted: 2005/7/3 11:47 • Updated: 2005/7/3 11:47
Anybody else having avatar problems in 2.0.13?

Selecting an avatar from the list, hitting submit and... avatar not changed.

Edit: just realised that my avatar problem can't have been introduced in this version. But it exists here. Upgraded my site so many times lately that I'm not sure with which version this problem was introduced.
Posted: 2005/7/3 16:43 • Updated: 2005/7/3 17:43
I don't mind the updates even if there is one a day.. It takes time to make something perfect.. I don't know what I would do without you guys.. Thanks so much for this awesome CMS
Posted: 2005/7/4 11:58 • Updated: 2005/7/4 11:58
Quote:
Anybody else having avatar problems in 2.0.13?


try doing a search for avatar upload problem

http://www.xoops.org/modules/newbb/vi ... id=163913#forumpost163913
Posted: 2005/7/4 17:12 • Updated: 2005/7/4 17:12
Xoops 2.0.13 - install full report Tests.

1 - Install (ok)
2 - Install (modules complements ok)
3 - All site in xoops 2.0.13 ok

-------------------------------------------------
Suggestions and example code to add if possible

a) In file install/index.php in line 29

add: include_once "../../include/version.php";

b) For installation by users who are new to XOOPS (dummies).

Detect the browser language during install...

File: install/index.php line 40 and 41 (open blank) and add line:

Before: (screenshot in the original post)

After adding the line, include the code:

Quote:

    // Take the browser's first preferred language (empty string if the header is absent).
    $accept_langs = explode(',', isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '');
    // Normalise case and whitespace so that e.g. "pt-BR" matches "pt-br".
    $lanteste = strtolower(trim($accept_langs[0]));
    // Only the fixed strings below are ever assigned; the raw header value is not.
    switch ($lanteste) {
        default: // unrecognised values fall through to the first case (french)
        case "fr":
            $language = 'french';
            $_POST['lang'] = 'french';
            break;
        case "ja":
            $language = 'japanese';
            $_POST['lang'] = 'japanese';
            break;
        case "ms":
            $language = 'malay';
            $_POST['lang'] = 'malay';
            break;
        case "es":
            $language = 'spanish';
            $_POST['lang'] = 'spanish';
            break;
        case "pt":
            $language = 'portuguese';
            $_POST['lang'] = 'portuguese';
            break;
        case "pt-br":
            $language = 'portuguesebr';
            $_POST['lang'] = 'portuguesebr';
            break;
        case "en":
            $language = 'english';
            $_POST['lang'] = 'english';
            break;
        case "de":
            $language = 'german';
            $_POST['lang'] = 'german';
            break;
        case "de-de":
            $language = 'german';
            $_POST['lang'] = 'german';
            break;
        case "en-us":
            $language = 'english';
            $_POST['lang'] = 'english';
            break;
    }
    //$language = 'english';


Note: pay attention to the commented-out line //$language = 'english';

These are simple corrections to a great work; for a new user (dummy) this is good.

Examples (screenshots in the original post): French, German, Malay, Spanish.

For more examples:

Xoops Core release 2.0.13 for dummies

Sorry for my bad English (improving).
Thanks for looking at the code.
Posted: 2005/7/4 21:15 • Updated: 2005/7/4 21:15
Outstanding work - upgrade GearHeads all the way from 2.0.7.3 with no problems. Whew!

Just a tip for the user base - after copying files make sure you update the System module AND your other modules.

Dan
Posted: 2005/7/5 13:31 • Updated: 2005/7/5 13:31
dlh
@dlh
I'm dreaming that some old friends of xoops, listed here, make their comeback, to join past with future!
marco
Posted: 2005/7/5 14:36 • Updated: 2005/7/5 14:36
Sorry, guys. Excuse my ignorance but can I update from version 2.0.9.2 straight to this release?

Thanks...
Posted: 2005/7/5 22:37 • Updated: 2005/7/5 22:37
So is the xmlrpc interface being used by anything? I can find very little mention of it with search. There was talk of somebody using bloggerapi... was anything released?

If it is not being used can we delete xmlrpc.php? If so, is there anything else that can be removed for a slimmer, more secure install?
Posted: 2005/7/6 22:35 • Updated: 2005/7/6 22:35
@GrodsCorp: please read the earlier comments in this thread, this has been answered twice I think.

@gravies: XOOPS is one of the first applications that has the secure xml-rpc classes, thanks to a collaboration between the organisation that discovered the vulnerability and made the world aware (it's been in the news all over the world) and our core developer Mithrandir who picked up on this very quickly. So there is no need to remove any files for security reasons when you use that latest and greatest version.

Herko
Posted: 2005/7/7 3:24 • Updated: 2005/7/7 3:24
@shine.
Quote:
Indeed there are a lot of files with empty lines on the end (as Jan304 already said.) Went to all the files and deleted those lines first.

I don't suppose you remember which PHP files needed extraneous lines removing in the full 2.0.13 download?
Posted: 2005/7/7 6:27 • Updated: 2005/7/7 6:27
I think I found a bug. I created a custom group (before I upgraded to 2.0.13) with admin rights for module News and MyDownloads.

Now after upgrade those users in this group can access the admin menu but they can't delete the comments under those two modules.
Posted: 2005/7/7 8:32 • Updated: 2005/7/7 13:10