vulnerability in SPAW editor
Posted by phppp on 2007/6/13 0:05:22 (8356 reads)
Posted on Security
A vulnerability was reported in some versions of the SPAW editor, which is used by some third-party XOOPS modules.
Module "tinycontent" is one of the modules using SPAW. Although we are not sure which version(s) are vulnerable, we suggest disabling SPAW in tinycontent and removing the "modules/tinycontent/admin/spaw/" folder from your server.
The comments are owned by the poster. We aren't responsible for their content.
I can confirm this. Remove the Spaw directory.
Posted: 2007/6/13 2:01 • Updated: 2007/6/13 2:01
Could these kinds of news articles be posted on the front page of Xoops.org? Especially because a lot of people use this module on their site. Just a thought ;)
Posted: 2007/6/13 2:06 • Updated: 2007/6/13 2:06
Hi all
I also can confirm this.
I had 2 sites attacked.
They could use your server to send TONS of spam.
Posted: 2007/6/13 11:47 • Updated: 2007/6/13 11:47
got hacked by this too
Posted: 2007/6/13 16:49 • Updated: 2007/6/13 16:49
the problem is the spaw_control.class.php
DELETE IT!!!!
Posted: 2007/6/18 9:51 • Updated: 2007/6/18 9:51
Quote:
A more useful thing - and this is a practical suggestion for the core team ... is to send a security update every time they log into their admin area. People don't have to return to this site when they're set up - but people would have to read that...
This would be bad news for site designers IMHO.

I already disabled version notification in Zen Cart because I had a raft of demands to upgrade as soon as the new version came out. Upgrades should be the webmaster's decision. They shouldn't be pressurised into it because a client has been panicked by a version 'warning' or a security scare. As long as xoops.org continue to highlight issues like this promptly, webmasters can keep up to speed on security issues. Users can subscribe to the security news category and receive email notifications of new articles. If they don't bother, that's their problem.
Posted: 2007/6/18 11:42 • Updated: 2007/6/18 11:42
My site just got hit for this
Tinycontent 1.5
hosting provider
mentioned spaw_control.class.php
Posted: 2007/6/18 11:53 • Updated: 2007/6/18 11:53
Quote:
Users can subscribe to the security news category and receive email notifications of new articles.
Sorry, actually they can't at present. But it would be good if they could.
Posted: 2007/6/18 12:25 • Updated: 2007/6/18 12:25
According to the National Vulnerability Database, Xoops modules affected by the spaw_control.class.php vulnerability include:
Tiny Content
XT-Conteudo
CJay Content
This is because they include the old Spaw version 1.0.
According to Secunia, the issue is resolved by upgrading Spaw to version > 1.0.4.
http://secunia.com/advisories/10451/
Solmetra (the makers of Spaw) recommend upgrading to 1.2.4.
See this advisory
The current version of Spaw is 2.0.4.1.
Posted: 2007/6/18 18:01 • Updated: 2007/6/18 18:01
As well as the modules listed above, Spaw 1.0 is also present in:
Wordpress ME
Xoopseditor Framework 1.2
If you use this editor, it may be straightforward to upgrade simply by replacing the Spaw folder?
Posted: 2007/6/20 12:29 • Updated: 2007/6/20 12:30