
XOOPS 2006/05/23 security patch released

Posted by skalpa on 2006/5/22 23:20:00 (6897 reads) | Posted on XOOPS
The 2006/05/23 security patch has been released to fix the security issue disclosed as Secunia Advisory 20176.

Please note that this issue only concerns servers configured with register_globals set to on, which is not recommended.

But we recommend that every XOOPS 2.X user apply it, especially those who are forced to use a 2.0.x version older than 2.0.13.2, since the additional protection it contains may protect you from other issues known to these old versions.

Download:
XOOPS 2006/05/23 security patch (.tar.gz)
XOOPS 2006/05/23 security patch (.zip)

Installation instructions:

- MAKE A BACKUP COPY OF mainfile.php
- Ensure the web server has write access to this file
- Upload the security060523 folder and its content to your XOOPS document root
- Login as an administrator
- Apply the patch by browsing to /security060523/
- DELETE THE PATCH FOLDER
- WRITE-PROTECT mainfile.php AGAIN


The XOOPS development team.
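
The last two installation steps are the ones most easily forgotten. This added example is not part of the XOOPS patch or written by the XOOPS team: it is a POSIX shell audit that checks them on the server after patching. The function names and the optional php.ini argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the XOOPS patch): post-install audit.
# Usage: audit_xoops_patch <xoops document root> [<php.ini path>]

# Print the effective value of a php.ini directive (last uncommented
# assignment wins), lower-cased; prints nothing if the directive is unset.
php_ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Returns 0 if clean, 1 if any finding, 2 if mainfile.php is missing.
audit_xoops_patch() {
    root=$1 ini=${2:-} rc=0
    [ -f "$root/mainfile.php" ] || { echo "ERROR: no mainfile.php in $root"; return 2; }

    # "DELETE THE PATCH FOLDER": the installer must not stay reachable.
    if [ -e "$root/security060523" ]; then
        echo "FAIL: $root/security060523 still present"; rc=1
    fi

    # "WRITE-PROTECT mainfile.php AGAIN": inspect the mode string instead of
    # using 'test -w', which always succeeds when the audit runs as root.
    mode=$(ls -ld "$root/mainfile.php" | cut -c2-10)
    case $mode in
        *w*) echo "FAIL: mainfile.php is writable ($mode)"; rc=1 ;;
    esac

    # Optional: flag register_globals, the setting the advisory depends on.
    if [ -n "$ini" ] && [ -f "$ini" ]; then
        case $(php_ini_value "$ini" register_globals) in
            on|1|true|yes) echo "WARN: register_globals is on in $ini"; rc=1 ;;
        esac
    fi
    return $rc
}
```

The php.ini passed in should be the one the web server loads, which is often a different file from the one the PHP command line uses.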



The comments are owned by the poster. We aren't responsible for their content.

Shouldn't THIS be the big story here? Nearly missed this information here.
Posted: 2006/5/23 1:52 • Updated: 2006/5/23 1:52
done, thanks
marco
Posted: 2006/5/23 1:55 • Updated: 2006/5/23 1:55
Applied, no issues.
Thanks!!
Posted: 2006/5/23 2:02 • Updated: 2006/5/23 2:04
Don't know if anyone made this already? I sent an inquiry to Secunia to tell them that this security issue has a patch already.

I am curious, about various things:
a) Does Secunia report to XOOPS official BEFORE making leaks public?
b) How fast they will update their information?
Posted: 2006/5/23 2:33 • Updated: 2006/5/23 2:33
Yes, Secunia reports to the developers first, before making this info public.

Herko
Posted: 2006/5/23 3:01 • Updated: 2006/5/23 3:01
Well .com no probs
.co.uk came up with this error even when file set to write...
Quote:
A file permissions error has occurred. Please check the permissions on the script and the directory it is in and try again.

May try again later, yet it's a newer system on that one, globals off also..
Posted: 2006/5/23 4:09 • Updated: 2006/5/23 4:09
Thanks for the quick patch

Xoops Malaysia Announcement
Posted: 2006/5/23 5:02 • Updated: 2006/5/23 8:02
done.
thx skalpa
Posted: 2006/5/23 6:28 • Updated: 2006/5/23 6:28
Dutch announcement on XOOPS.nl.

Could the local support sites be notified of these releases when they are released, please?

Herko
Posted: 2006/5/23 7:16 • Updated: 2006/5/23 7:16
@wizanda:
Permissions of the patch folder/script okay for that domain? In the web root?
Posted: 2006/5/23 7:58 • Updated: 2006/5/23 7:58
removed by me because of not true content
Posted: 2006/5/23 9:04 • Updated: 2007/10/30 9:23
Thank you for keeping Xoops security up to date ... One thing, in reference to: "Hovever we recommend every XOOPS 2.X user to apply it, specially those who are forced to use a 2.0.x version to anterior to 2.0.13.2, as the additional protection it contains may protect you from other issues known to these old versions."

What does it mean "specially those who are forced to use a 2.0.x version to anterior to 2.0.13.2"?

Does this mean "all 2.0.x versions prior to and including 2.0.13.2"? Just never heard the term anterior in context of software ... more semantics than anything else ....
Posted: 2006/5/23 11:32 • Updated: 2006/5/23 11:32
I don't know what it means; I was going to check in a dictionary when I saw it.
Posted: 2006/5/23 12:07 • Updated: 2006/5/23 12:07
Quote:
What does it mean "specially those who are forced to use a 2.0.x version to anterior to 2.0.13.2"?


It means "prior to". That is, if you are using a version before 2.0.13.2.

Barry
Posted: 2006/5/23 12:17 • Updated: 2006/5/23 12:17
I use 2.13.2. What do I have to do? My English is not so good, so I didn't understand what I must do.

Please explain as basic..

Thanks..
Posted: 2006/5/23 12:42 • Updated: 2006/5/23 12:42
Applied the patch, works great. Thank you Xoops Team for being on top of things!
Posted: 2006/5/23 12:49 • Updated: 2006/5/23 12:49
Great work! Thank you...
Posted: 2006/5/23 13:14 • Updated: 2006/5/23 13:14
Have Applied it! Thank you...
Posted: 2006/5/23 13:19 • Updated: 2006/5/23 13:19
Orgunozcu:

Can you please state which of the following steps is unclear to you exactly?


- MAKE A BACKUP COPY OF mainfile.php
- Ensure the web server has write access to this file
- Upload the security060523 folder and its content to your XOOPS document root
- Login as an administrator
- Apply the patch by browsing to /security060523/
- DELETE THE PATCH FOLDER
- WRITE-PROTECT mainfile.php AGAIN

Posted: 2006/5/23 13:26 • Updated: 2006/5/23 13:26
According to Secunia Advisory 20176 the security patch is applicable to 2.0.13.2 version. I have applied it to my 2.0.13.2 and all is Okay.
Posted: 2006/5/23 14:49 • Updated: 2006/5/23 14:49
Thank You

"XOOPS Türkiye Documents.."
Posted: 2006/5/23 16:06 • Updated: 2006/5/23 16:06
Smooth
Posted: 2006/5/23 19:28 • Updated: 2006/5/23 19:28
All is well here!!
Posted: 2006/5/24 2:28 • Updated: 2006/5/24 2:28
Done. No issues.

Cheers
Posted: 2006/5/24 3:28 • Updated: 2006/5/24 3:28
Thanks!

That closes my post here:
http://www.xoops.org/modules/newbb/vi ... orum=7&post_id=220528
Posted: 2006/5/24 10:46 • Updated: 2006/5/24 10:46
this fix is made to fix Secunia Advisory 20176 ... but mainly settings of register_globals.

What is with the mentioned magic_quotes_gpc setting? Is this fixed too?
Posted: 2006/5/24 14:38 • Updated: 2006/5/24 14:38
Yes, this is fixed too.

The actual security issue was only possible when the server had a combination of register_globals on and magic_quotes_gpc off. The fix prevents this combination from being exploitable.
Posted: 2006/5/24 17:03 • Updated: 2006/5/24 17:03
Thanks for the great help!

A little, minor, not that important comment for the file 'instructions.txt' in the 'xoops2-security060523.zip':

Quote:

The 2006/05/23 security patch has been released to fix the security issue disclosed as Secunia Advisory 20176.

Please not that this issue only concerns servers configured with register_globals set to on, which is a disrecommended setup.
Hovever we recommend every XOOPS 2.X user to apply it, specially those who are forced to use a 2.0.x version to anterior to 2.0.13.2, as the additional protection it contains may protect you from other issues known to these old versions.

Installation instructions:

- MAKE A BACKUP COPY OF mainfile.php

- Ensure the web server has write access to this file
- Upload the security060523 folder and its content to your XOOPS document root
- Login as an administrator
- Apply the patch by browsing to <your site URL>/security060523/

- DELETE THE PATCH FOLDER
- WRITE-PROTECT mainfile.php AGAIN



The XOOPS development team.


2 words in red color :

Quote:

The 2006/05/23 security patch has been released to fix the security issue disclosed as Secunia Advisory 20176.

Please note that this issue only concerns servers configured with register_globals set to on, which is a disrecommended setup.
However we recommend every XOOPS 2.X user to apply it, specially those who are forced to use a 2.0.x version to anterior to 2.0.13.2, as the additional protection it contains may protect you from other issues known to these old versions.

Installation instructions:

- MAKE A BACKUP COPY OF mainfile.php

- Ensure the web server has write access to this file
- Upload the security060523 folder and its content to your XOOPS document root
- Login as an administrator
- Apply the patch by browsing to <your site URL>/security060523/

- DELETE THE PATCH FOLDER
- WRITE-PROTECT mainfile.php AGAIN



The XOOPS development team.

Posted: 2006/5/24 20:13 • Updated: 2006/5/24 20:13