XOOPS 2.3.2b - Security Release

Posted by phppp on 2008/12/7 6:10:00 (22310 reads) | Posted on Security
Security is always at the top of the list for the XOOPS developers. The XOOPS Development Team is therefore pleased to announce the release of XOOPS 2.3.2b, an improved XOOPS 2.3.x release.

This release exists solely for a handful of critical fixes: an XSS vulnerability reported by the Digital Security Research Group (DSRG), a potential local file inclusion vulnerability also reported by DSRG, an autologin bug reported by Dylian, a backward-compatibility bug in data synchronization reported by boy0917, and a bug in xoopsmailer reported by ezsky.

In the 2.3.2b release we have further improved the security fixes with help from DSRG.

All XOOPS 2.3.x users are strongly advised to upgrade to this version as soon as possible.

XOOPS 2.0 and 2.2 are not vulnerable to the XSS issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the Protector version included in this package, which addresses the local file inclusion issue.

Download from the SourceForge repository.

System requirements
-----------------------------------

PHP:
Any PHP version >= 4.3 (PHP 4.2.x may work but is not officially supported; PHP 5.0+ is strongly recommended)

MySQL:
MySQL server 3.23+ (MySQL 5.0+ is strongly recommended)

Web server:
Any server supporting the required PHP version (Apache highly recommended)


Downloading XOOPS 2.3.2b
-----------------------------------

You can get this release package from the SourceForge repository.
Both .zip and .gz archives are provided.


Installing XOOPS 2.3.2b
-----------------------------------

1. Copy the content of the htdocs/ folder to a location your web server can serve
2. Ensure mainfile.php and uploads/ are writable by the web server
3. For security, you are encouraged to move the directories "/xoops_lib" (XOOPS libraries) and "/xoops_data" (XOOPS data) out of the document root, or even rename them, so that nothing in them can be requested directly over HTTP
4. Make xoops_data/ writable; create xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ and make them writable (writable by the web server account, not world-writable)
5. Open the folder where you installed the htdocs/ files in your web browser to launch the installation wizard
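The directory preparation in steps 2 and 4 above, and the "write-protect mainfile.php again" step in the upgrade instructions further down, as an added POSIX shell example. This is not part of the XOOPS release package or its installer; the paths are placeholders for wherever you put xoops_data/ and mainfile.php, the default mode 0770 assumes the web server account shares a group with the owner of the tree (chgrp accordingly), and the function names are this example's own.

```shell
#!/bin/sh
# Added example for the install steps above; not XOOPS project code.
# Paths are placeholders; mode 0770 assumes the web server runs in a
# group that owns the tree (tighter than the chmod 777 often suggested).

# Create xoops_data/ and the four cache directories from step 4 and
# make them writable by the owner and the web server group.
prepare_xoops_data() {
    data_dir="$1"
    mode="${2:-0770}"
    for d in "$data_dir" "$data_dir/caches" \
             "$data_dir/caches/xoops_cache" \
             "$data_dir/caches/smarty_cache" \
             "$data_dir/caches/smarty_compile"; do
        mkdir -p "$d" && chmod "$mode" "$d" || return 1
    done
    return 0
}

# Verify every directory the installer and Smarty need exists and is
# writable by the account running this check; report the first problem
# so the Smarty "$compile_dir does not exist" error never reaches a
# browser.
check_xoops_data() {
    data_dir="$1"
    for d in "$data_dir" "$data_dir/caches" \
             "$data_dir/caches/xoops_cache" \
             "$data_dir/caches/smarty_cache" \
             "$data_dir/caches/smarty_compile"; do
        if [ ! -d "$d" ] || [ ! -w "$d" ]; then
            echo "missing or not writable: $d" >&2
            return 1
        fi
    done
    return 0
}

# mainfile.php (database credentials, paths) only needs to be writable
# while the installer or upgrader runs (step 2); lock it again afterwards
# so nothing running as the web server can rewrite it.
unlock_mainfile() { chmod 0640 "$1"; }
lock_mainfile()   { chmod 0440 "$1"; }

# Example run (placeholder paths):
# prepare_xoops_data /srv/xoops/xoops_data && check_xoops_data /srv/xoops/xoops_data
# unlock_mainfile /srv/www/htdocs/mainfile.php   # before the wizard
# lock_mainfile   /srv/www/htdocs/mainfile.php   # after it finishes
```

Run prepare_xoops_data as the owner of the tree, then check_xoops_data as the web server account (for example via sudo -u) to confirm PHP will actually be able to write there; a green check as root proves nothing.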

Installing Protector in XOOPS 2.3.2
-----------------------------------
We also highly recommend installing the PROTECTOR module, which brings additional security protection and logging capabilities to your site:

To install the Protector module for the first time with a new installation of XOOPS 2.3.2, copy /extras/mainfile.dist.php.protector to /htdocs/mainfile.dist.php BEFORE installing XOOPS.

If you are upgrading an existing XOOPS website (see below for how to do it) and Protector is already installed there, copy /extras/mainfile.dist.php.protector to /upgrade/upd-2.0.18-to-2.3.0/mainfile.dist.php BEFORE upgrading XOOPS.


Upgrading from a previous version
-----------------------------------

As always, make sure you have a fresh BACKUP before you upgrade!!!

Upgrading from XOOPS 2.3.x (easy way)
1. Get the update package from the sourceforge file repository
2. Overwrite your existing files with the new ones
3. Move the "upgrade" folder inside the "htdocs" folder (it's been kept out as it's not needed for full installs) on your local machine
4. Access /upgrade/ with a browser, and follow the instructions
5. Follow the instructions to update your database
6. Delete the upgrade folder from your server
7. Update the "system" module from the modules administration interface; updating other modules, especially "profile", is recommended as well


Upgrading from XOOPS 2.0.* above 2.0.14 and 2.2.* (using the full package)
1. Move the "upgrade" folder inside the "htdocs" folder (it's been kept out as it's not needed for full installs) on your local machine
2. Delete htdocs/mainfile.php, htdocs/install/, htdocs/cache/, htdocs/extras/, htdocs/template_c/, htdocs/themes/ and htdocs/uploads/ from the "htdocs" folder on your LOCAL machine
3. Upload the content of the htdocs folder on your LOCAL machine over your existing files on your server
4. For security, you are encouraged to move the directories xoops_lib (XOOPS libraries) and xoops_data (XOOPS data) out of the document root, or even rename them
5. Make xoops_data/ writable; create xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ and make them writable
6. Ensure the server can write to mainfile.php
7. Access /upgrade/ with a browser, and follow the instructions
8. Follow the instructions to update your database
9. Write-protect mainfile.php again
10. Delete the upgrade folder from your server
11. Update the "system" module from the modules administration interface; updating other modules is recommended as well


Upgrading from any XOOPS ranging from 2.0.7 to 2.0.13.2 (using the full package):
1. Move the "upgrade" folder inside the "htdocs" folder (it's been kept out as it's not needed for full installs) on your LOCAL machine
2. Delete htdocs/mainfile.php, htdocs/install/, htdocs/cache/, htdocs/extras/, htdocs/template_c/, htdocs/themes/ and htdocs/uploads/ from the "htdocs" folder on your LOCAL machine
3. Upload the content of the htdocs folder on your LOCAL machine over your existing files on your server
4. Delete the following folders and files from your server (they belong to an old version):
* class/smarty/core
* class/smarty/plugins/resource.db.php
5. Ensure the server can write to mainfile.php
6. For security, you are encouraged to move the directories xoops_lib (XOOPS libraries) and xoops_data (XOOPS data) out of the document root, or even rename them
7. Make xoops_data/ writable; create xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ and make them writable
8. Access /upgrade/ with a browser, and follow the instructions
9. Write-protect mainfile.php again
10. Delete the upgrade folder from your server
11. Update the "system" module from the modules administration interface; updating other modules is recommended as well


Upgrading a non-UTF-8 site:
UTF-8 has been introduced as the default charset in XOOPS 2.3. However, converting an existing website from a non-UTF-8 charset to UTF-8 can cause problems.
Until there is a good enough solution for this conversion, the following settings are recommended when you upgrade an existing website, unless you are an experienced user:
- Select the "Do not change" option in the "Database character set and collation" step of the upgrade process
- Modify /languages/yourlanguage/global.php to keep your existing _CHARSET value if the new global.php has changed it to UTF-8, i.e. if it now reads:
    define('_CHARSET', 'UTF-8');



Upgrading XoopsEditor package:
The XOOPS 2.3.2b package includes five editors: dhtmltextarea and textarea for plain text, and fckeditor, tinymce and koivi for WYSIWYG HTML.
Since the directory structure of both fckeditor and tinymce has changed, you are recommended to remove the existing editors before uploading the new ones.
If you use fckeditor for modules, please modify the module-specific configs following the files in /fckeditor/modules/, especially if you use the "article" module.


Debug information display level
-----------------------------------

Since XOOPS 2.3.1 a debug information display level has been available, as a temporary solution for the 2.3.* series, to choose who is shown debug information: all users, members only, or admins only.
The setting lives in /xoops_data/configs/xoopsconfig.php. Debug output can include file paths, PHP errors and SQL queries, so on a production site keep it restricted to admins.
A redesigned debug information renderer is planned for XOOPS 3.0.



Files integrity check
-----------------------------------

The full XOOPS package ships with a script that checks whether all system files were uploaded to the server intact. To use it, follow these instructions:

1. Upload the checksum.php and checksum.md5 files located in the XOOPS package root to your XOOPS server folder (placing them next to mainfile.php).
2. Run checksum.php in your browser.
3. If necessary, re-upload the missing or corrupted system files.
4. Remove checksum.php and checksum.md5 from your server once the check passes; left in place, they let anyone request a listing of which files you have installed and whether any of them differ from the release.
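The same "did every file arrive intact" check done from a shell before the site is reachable, as an added example. It is not the checksum.php script the package ships, and the layout of the real checksum.md5 is not shown on this page, so the manifest format is assumed to be the md5sum(1) one ("<md5>  <relative path>" per line); the function names are this example's own. One caveat this shares with the package's script: a manifest uploaded alongside the files only catches transfer errors. An attacker who can rewrite a PHP file on the server can rewrite checksum.md5 too, so generate the reference manifest from the unpacked release on a trusted machine and keep it there.

```shell
#!/bin/sh
# Added example, not XOOPS project code. Manifest format is assumed:
# "<md5>  <relative path>" per line, as md5sum(1) writes it.

# MD5 of one file: GNU coreutils first, BSD/macOS md5 as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Build a manifest for a release tree. Run this on the unpacked package
# on a trusted machine, before upload; the manifest files themselves are
# excluded so the result is reproducible.
make_manifest() {
    tree="$1"
    ( cd "$tree" && find . -type f ! -name 'checksum.*' | sed 's|^\./||' | LC_ALL=C sort ) |
    while IFS= read -r rel; do
        printf '%s  %s\n' "$(md5_of "$tree/$rel")" "$rel"
    done
}

# Compare an uploaded tree against the manifest. Prints one line per
# missing or altered file and returns 1; returns 0 when everything
# matches. Extra files on the server are not reported: the manifest
# only knows what the release contains.
verify_manifest() {
    tree="$1"
    manifest="$2"
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        want="${line%%  *}"
        rel="${line#*  }"
        if [ ! -f "$tree/$rel" ]; then
            echo "MISSING  $rel"
            bad=1
        elif [ "$(md5_of "$tree/$rel")" != "$want" ]; then
            echo "MODIFIED $rel"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Example run (placeholder paths):
# make_manifest ./xoops-2.3.2b/htdocs > checksum.md5      # on your workstation
# verify_manifest /srv/www/htdocs ./checksum.md5 || echo "re-upload the files listed"
```

Because verify_manifest reads the manifest from a path you pass in, it can be pointed at the trusted copy on your workstation over an SSH session rather than at a copy that lives on the web server.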


Modules
-----------------------------------

This release contains only the system-related modules. You are invited to browse the XOOPS modules repository if you need additional functionality. Note: as a new repository is being built, the current repository is not up to date. PLEASE VISIT INDIVIDUAL DEVELOPERS' WEBSITES TO MAKE SURE YOU ARE USING THE LATEST VERSION OF THE MODULES.


How to contribute
-----------------------------------
Bug report: http://sourceforge.net/tracker/?group_id=41586&atid=430840
Patch and enhancement: http://sourceforge.net/tracker/?group_id=41586&atid=430842
Feature design: http://sourceforge.net/tracker/?group_id=41586&atid=430843
Release announcement: https://lists.sourceforge.net/lists/listinfo/xoops-announcement


XOOPS Development Team
December 7th, 2008


Tags: security  

Is it right that there should only be 1 file (language.php) in the upgrade folder?
Published: 2008/12/7 9:20 • Updated: 2008/12/7 9:20
Yes, it's the file that provides the country codes. The language files are in the /language subdirectory
Published: 2008/12/7 9:23 • Updated: 2008/12/7 9:23
That doesn't make sense, when I access mysite.com/upgrade
all I get is the directory listing...
Published: 2008/12/7 9:27 • Updated: 2008/12/7 9:27
I think, I misunderstood your first comment.

In the "update" to a previous version (e.g. 2.3.1 -> 2.3.2b) there is only one file, since it's the only one that changed. So copy it over your previous version's "/upgrade" directory, and then copy the whole thing to your website. This way you'll have it all.

But I see that this could be confusing, so I'll redo the "Update" files on SourceForge, and provide all files in the /upgrade directory
Published: 2008/12/7 9:35 • Updated: 2008/12/7 9:35
Aaaah... I see . Definitely confusing as is. Thanks Mamba.
Published: 2008/12/7 9:37 • Updated: 2008/12/7 9:37
OK, I've updated the files on SourceForge
Published: 2008/12/7 10:00 • Updated: 2008/12/7 10:00
Nope.
xoops-2.3.1-to-2.3.2b.tar.gz
&
xoops-2.3.1-to-2.3.2b.zip

still only have the one file in Upgrade
Published: 2008/12/7 10:05 • Updated: 2008/12/7 10:05
Works here. Maybe your mirror didn't get the new copy yet.

If you go to:
https://sourceforge.net/project/showfi ... =153583&release_id=643845
try copying the link directly, removing the "mirror" portion of it, and then pasting the URL into the browser for download
Published: 2008/12/7 10:27 • Updated: 2008/12/7 10:28
All my sites upgraded to 2.3.2b without a problem.

Thanks to the "dev folk" for the work (and Mamba for updating the download )

Just one thing - in admin, the XOOPS version is showing as "xoops 2.3.2". Can any future versions, i.e. 2.3.2c if there were to be one, show this please?
Published: 2008/12/7 12:36 • Updated: 2008/12/7 12:36
John - I think the short answer to your question is no, they can't.

The practice of using 'a', 'b', 'c', etc... nomenclature should be eliminated in XOOPS releases because there's no easy way to figure out which "version" of 2.3.2 you have without doing individual file compares. If you look at the 2.3.2b upgrade release the ./include/version.php doesn't even have the alpha characters because it's not something XOOPS knows about.

Every time a new release is made (even if it's only to fix a typo) the minor rev should change (e.g. 2.3.2, 2.3.3, 2.3.4, etc). Adding the alpha character "sub-release" is just poor code control practice and is a result from not following standard coding practices. Usually it's caused because a developer doesn't want to go through the "normal" release process - also a bad practice.

Sorry, I'm done ranting... I'll get down off my soap box and go try and patch some of my sites with this version of 2.3.2
Published: 2008/12/7 23:21 • Updated: 2008/12/7 23:21
Just to say that I've updated 4 sites successfully with this release in the last 12 hours. Many thanks for the work, guys. And agree that an extra decimal (even 2.3.2.3 for example) would be nice to see next time too.

Would it also be possible to make instructions a wee bit clearer in the future? I'm just waiting for all the support posts from people who just replaced their Protector module with the directory in this release rather than opened it up and replace individual files as was intended (same problem as I mentioned earlier with the upgrade folder).

Anyway, all sites seem to running fine. Many thanks again.
Published: 2008/12/8 0:52 • Updated: 2008/12/8 0:53
Quote:
Every time a new release is made (even if it's only to fix a typo) the minor rev should change (e.g. 2.3.2, 2.3.3, 2.3.4, etc).

Zyspec, thanks for the feedback. We'll do so the next time.
Published: 2008/12/8 2:15 • Updated: 2008/12/8 2:15
Thanks Mamba. Sorry for the 'rant'. It's something that's bugged me for a while, it was late and I 'reacted' to John's comment. Thanks for taking the suggestion at its intent and not reacting to the wording. Next time I'll try and voice my suggestions before they become frustrations.
Published: 2008/12/8 8:31 • Updated: 2008/12/8 8:31
Quote:
Thanks for taking the suggestion at its intent and not reacting to the wording.
I'm always trying to look at intent

Sometimes the words are sweet like honey but we know that the intent is malicious, other times the words are rough, but we know that the person cares a lot.

I know that you care about XOOPS! And I appreciate it a lot!
Published: 2008/12/8 11:22 • Updated: 2008/12/8 11:22
There is mentioning to use the upgrade directory while there is NOT even an upgrade rule visible for the 2.3.2; it tells me there is no upgrade necessary... That might be confusing to people...

Also there is only checksum.md5, I believe there should also be a checksum.php?

And finally, I see a change was made in xoops.css. I am using a theme that is based on MorphoGenesis. I also have the problems mentioned, for which this is the fix, but what should I change in that CSS to fix it, other than just comparing and searching for the changes?
Published: 2008/12/8 16:00 • Updated: 2008/12/8 16:00
We are happy to let you know that the Digital Security Research Group confirmed that the XSS vulnerability is fixed in 2.3.2b.

Read here...
Published: 2008/12/8 23:24 • Updated: 2008/12/8 23:24
Hi all,

After upgrading to version 2.2.3b some images on the main site are resized to thumbs. Any idea how to set things straight here? Upgrading went perfectly but I can't seem to find an answer to this question. TIA Ritchie.
Published: 2008/12/10 12:54 • Updated: 2008/12/10 12:54
Quote:
After upgrading to version 2.2.3b some images on the main site are resized to thumbs.

Please try adding this code to the end of your xoops.css located in the main directory:

    /* based on FabClearing by Fcaldera www.html.it */
    #centercolumn .blockContent:after, #xo-page .xo-blockcontent:after {
        content:    ".";
        display:    block;
        height:     0px;
        clear:      both;
        visibility: hidden;
    }

    /**/
    #centercolumn .blockContent, #xo-page .xo-blockcontent {
        display:    inline-block;
    }
    /**/

    #centercolumn .blockContent, #xo-page .xo-blockcontent {
        clear:      both;  /* for Gecko */
        height:     1%;    /* for IE */
    }

This code came from Ian.
Published: 2008/12/10 13:31 • Updated: 2008/12/10 13:31
Hi Mamba,

Thanks but this doesn't work out for me. I posted this question in the forum.
Published: 2008/12/10 13:55 • Updated: 2008/12/10 13:55
When will XOOPS 2.3.2c be released?
Published: 2008/12/12 21:33 • Updated: 2008/12/12 21:33
Quote:
When will XOOPS 2.3.2c be released?

I'm not aware of one. I think, the plan is to work now on 2.3.3 as a bugfix release, as stated in this thread
Published: 2008/12/13 1:13 • Updated: 2008/12/13 1:13
Hi,

I need 2.3.0 to XOOPS 2.3.2b,

but couldn't find any in the SourceForge files.

Where can I get it?
Published: 2008/12/15 7:35 • Updated: 2008/12/15 7:35
@limecity

Try the update package that is there.

If that doesn't work then email/PM me with your email address and I'll send you all the incremental update packages.
Published: 2008/12/15 13:47 • Updated: 2008/12/15 13:47
The package there does not seem to work, and I am also going from 2.3.0 to this latest upgrade. I got an error when I tried to use the file now on sourceforge.
Published: 2008/12/15 18:04 • Updated: 2008/12/15 18:04
JAVesey,

Thanks. I went through 2 steps:
upgrading 2.3.0 to 2.3.1,
then 2.3.1 to the latest one.

All worked well.
Published: 2008/12/15 19:23 • Updated: 2008/12/15 19:23
I copied all the folders as instructed and when I go the upgrade folder as specified I get this message error can someone help?
"Error: Smarty error: the $compile_dir 'XOOPS_VAR_PATH/caches/smarty_compile' does not exist, or is not a directory."
Published: 2008/12/17 21:02 • Updated: 2008/12/17 21:02
@mannyo

Are your xoops_data folder and all its sub-folders writable (CHMOD 775 or 777)?
Published: 2008/12/18 3:14 • Updated: 2008/12/18 3:14
Smarty 2.6.22 was released [December 17th, 2008] and, for security reasons, it is recommended to upgrade immediately.

This is the changelog since we released smarty_2.6.19_for_xoops.
Published: 2008/12/25 14:13 • Updated: 2008/12/25 14:18
In backend.php, I recommend this not only for the News block; I recommend it for all blocks when a block is displayed!!!
Published: 2008/12/27 5:57 • Updated: 2008/12/27 5:57
New Security bug:
http://www.securityfocus.com/bid/33176


Published: 2009/1/8 21:38 • Updated: 2009/1/8 21:38
I just reported this to GIJOE to inform him about this new exploit, and he said this is not a Protector problem.

GIJOE recommends putting XOOPS_TRUST_PATH outside DocumentRoot as a quick and correct fix for this security bug.

http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=472
Published: 2009/1/8 23:26 • Updated: 2009/1/8 23:26
See this, please:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=472

I worry about the xoops_lib folder. Many users install XOOPS 2.3.x without changing the location of xoops_lib, renaming it, or adding an .htaccess to it.
Published: 2009/1/8 23:32 • Updated: 2009/1/8 23:32
The best solution is to locate your xoops_lib folder outside the webroot path.
If you are not allowed to do so, add an .htaccess to protect your Protector module.

If .htaccess is not allowed or enabled on your server, turn off register_globals on your server.


If you are not allowed to do any of the above, the only solution is to remove the Protector module from your server and wait for complete fixes from the module.

All in all, the best scenario would be to have clean and safe code. I would say sorry for not thoroughly evaluating all the code we included in the core release package.
Published: 2009/1/9 3:04 • Updated: 2009/1/9 3:08
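The fallback ladder described in the comment above (move xoops_lib and the other private directories outside DocumentRoot; if that is impossible, deny web access with .htaccess), as an added shell example. It is not XOOPS or Protector code and was not written by any of the commenters; it assumes you know the Apache DocumentRoot path and that AllowOverride permits these directives in that location, and the function names are this example's own. The third fallback, disabling register_globals, is a php.ini change (register_globals = Off) and is not scripted here.

```shell
#!/bin/sh
# Added example, not XOOPS or Protector code. DocumentRoot is assumed
# to be known; function names are this example's own.

# Canonical path (symlinks resolved) without relying on readlink -f.
canon() { (cd -P -- "$1" 2>/dev/null && pwd -P); }

# Return 0 if DIR is under DOCROOT (still reachable over HTTP),
# 1 if it is outside, 2 if either path does not exist.
is_under_docroot() {
    docroot="$(canon "$1")" || return 2
    dir="$(canon "$2")" || return 2
    case "$dir/" in
        "$docroot"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Write an .htaccess that refuses every request for DIR. Both the Apache
# 2.4 (Require) and 2.2 (Order/Deny) syntaxes are included, selected by
# whether mod_authz_core is loaded.
deny_web_access() {
    cat > "$1/.htaccess" <<'EOF'
# XOOPS: this directory holds code and data, never serve it
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Apply the ladder to one private directory: nothing to do if it is
# already outside DocumentRoot, otherwise add the .htaccess and say so,
# since the real fix (moving it) is still pending.
harden_private_dir() {
    docroot="$1"
    dir="$2"
    if is_under_docroot "$docroot" "$dir"; then
        echo "$dir is inside DocumentRoot $docroot: adding .htaccess (move it when you can)" >&2
        deny_web_access "$dir"
    else
        echo "$dir is outside DocumentRoot: nothing to do" >&2
    fi
}

# Example run (placeholder paths):
# for d in xoops_lib xoops_data; do harden_private_dir /var/www/htdocs "/var/www/htdocs/$d"; done
```

After adding the .htaccess, confirm it is honoured by requesting a known file underneath the directory (for example /xoops_lib/modules/protector/xoops_version.php if Protector is installed there) and checking for a 403; a 200 means AllowOverride is not letting the directives take effect and the directory is still exposed.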
please update the XOOPS package with htaccess
Published: 2009/1/9 4:55 • Updated: 2009/1/9 4:55
Quote:
The best solution is to locate your xoops_lib folder out of webroot path.


Yep, this is a correct statement for a safe XOOPS.
Published: 2009/1/9 5:41 • Updated: 2009/1/9 5:41
I am making a fresh install of XOOPS 2.3.2b and am not clear about the release notes statement:

3. For security considerations, you are encouraged to move directories "/xoops_lib" (for XOOPS libraries) and "/xoops_data" (for XOOPS data) out of document root, or even change the folder names.

My goal is to do this right the first time and I don't want to create any broken links during install. Am I to move or rename these directories prior to running the install process or after?

Thanks,
Published: 2009/2/15 10:19 • Updated: 2009/2/15 10:19
So, what I did was rename xoops_data and xoops_lib by adding .htaccess to each but I left them in place in the root and ran my install pointing to the new names in the setup procedure. Is this move adequate for security considerations?
Published: 2009/2/15 11:47 • Updated: 2009/2/15 11:47