Security Patch for XOOPS 2.3.3

Posted by Mamba on 2009/8/20 9:10:00 (4475 reads) | Posted on Security
As discussed previously in the forums, potential vulnerabilities were identified in two modules:

a) PM
b) Protector

While (a) is mitigated by having Protector installed, and (b) is mitigated by having "register_globals" disabled and XOOPS_TRUST_PATH located outside of the Document Root, we've addressed the underlying issues in XOOPS 2.4.
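One way to verify the two mitigations named above on an existing install, as an added example that is not XOOPS project code: the script assumes mainfile.php defines XOOPS_ROOT_PATH and XOOPS_TRUST_PATH (both real XOOPS constants) and falls back to constructed placeholder paths so it runs stand-alone from the CLI; the pathIsInside() helper is hypothetical.

```php
<?php
// Added example (not XOOPS project code): check the two mitigations from the advisory,
// register_globals disabled and XOOPS_TRUST_PATH outside the Document Root.
// On a real install, replace the two define() fallbacks with: require 'mainfile.php';

// Constructed placeholder values so the script runs stand-alone.
if (!defined('XOOPS_ROOT_PATH')) {
    define('XOOPS_ROOT_PATH', '/var/www/html');          // web root (placeholder)
}
if (!defined('XOOPS_TRUST_PATH')) {
    define('XOOPS_TRUST_PATH', '/var/www/xoops_trust');  // outside web root (placeholder)
}

/**
 * Hypothetical helper: true when $child resolves to $parent or a directory below it.
 * Existing paths are canonicalised with realpath() so symlinks and "../" segments
 * cannot fool the comparison; a path that does not exist is compared lexically.
 */
function pathIsInside($child, $parent)
{
    $c = realpath($child) ?: rtrim($child, '/');
    $p = realpath($parent) ?: rtrim($parent, '/');
    return $c === $p || strpos($c . '/', $p . '/') === 0;
}

$problems = array();

// Mitigation 1: register_globals must be off. The directive was removed in PHP 5.4,
// where ini_get() returns false, which this check treats as "off".
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    $problems[] = 'register_globals is enabled; disable it in php.ini or .htaccess';
}

// Mitigation 2: the trust path must not be reachable through the web server.
$docroot = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : XOOPS_ROOT_PATH;
if (pathIsInside(XOOPS_TRUST_PATH, $docroot)) {
    $problems[] = 'XOOPS_TRUST_PATH (' . XOOPS_TRUST_PATH . ') is inside the document root (' . $docroot . ')';
}
if (!is_dir(XOOPS_TRUST_PATH)) {
    $problems[] = 'XOOPS_TRUST_PATH does not exist or is not a directory';
}

if ($problems) {
    foreach ($problems as $msg) {
        echo "WARN: $msg\n";
    }
    exit(1);
}
echo "OK: register_globals is off and XOOPS_TRUST_PATH is outside the document root\n";
```

Run it as `php check_trust_path.php` from the XOOPS root (file name assumed); a non-zero exit status means at least one mitigation is not in place, which is the configuration the advisory says leaves the Protector issue exposed.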

However, since we don't know when exactly we'll release XOOPS 2.4, we're releasing this Security Patch for XOOPS 2.3.3 users.

Download: SourceForge XOOPS.

Installation: See the ReadMe.txt file

You are highly encouraged to apply the patch to your existing XOOPS 2.3.3 system.

Special thanks to Trabis, who addressed these issues.


When I finish copying the files in the modules dir, do I need to update the modules?
Posted: 2009/8/20 10:16 • Updated: 2009/8/20 10:16
Quote:
When I finish copying the files in the modules dir, do I need to update the modules?


No, unless you are not using the modules provided in the 2.3 release. Well, it will not hurt if you press the update button.
Posted: 2009/8/20 10:26 • Updated: 2009/8/20 10:28
Thank you for the Patch!
Posted: 2009/8/20 12:38 • Updated: 2009/8/20 12:38
One question:
Did you update the XOOPS 2.3.3 pack with this patch?
Posted: 2009/8/20 12:42 • Updated: 2009/8/20 12:42
Yes, it's already updated on SourceForge.

It might take some time on their mirror sites.
Posted: 2009/8/20 13:47 • Updated: 2009/8/20 13:47
We had to remove the Profile from the Security Patch, as it was causing incompatibility issues with 2.3.3.

According to Trabis, there was no confirmed security issue in the Profile, but we included the 2.4 version because there were a few bug fixes that we believed would be beneficial for 2.3.3 users.

However, since it's causing incompatibility issues, if you have already downloaded the Security Patch and it contains Profile, please do NOT copy the /profile over your existing files.

The files on SourceForge have been updated and are now without the Profile.

We apologize for the confusion.
Posted: 2009/8/20 17:03 • Updated: 2009/8/23 16:36
Mamba,

what must users who applied these patches before the correction do?
Posted: 2009/8/20 17:14 • Updated: 2009/8/20 17:14
Just copy the Profile from 2.3.3 over the current files.

If you don't have access to the 2.3.3 Profile, please download it from here
Posted: 2009/8/20 17:23 • Updated: 2009/8/20 17:23
DonCurioso

To establish the native module of a profile.
Posted: 2009/8/20 17:26 • Updated: 2009/8/20 17:26
What kind of incompatibility???

I installed it and don't see any errors!!

Well, I made a lazy test.
Posted: 2009/8/20 17:31 • Updated: 2009/8/20 17:31
Quote:
What kind of incompatibility???

A user couldn't register - he was getting a blank page. Basically, Profile uses an authentication system that was introduced in 2.4, and we overlooked that.
Posted: 2009/8/20 17:33 • Updated: 2009/8/20 17:34
You can download the Russian localisation of the PM and Protector modules at this reference.
http://xoops.radio-hobby.org/modules/news/article.php?storyid=70
In the same place there is a full Russian translation of XOOPS 2.4.0 Beta 1 in the UTF-8 charset.
Posted: 2009/8/20 17:38 • Updated: 2009/8/20 17:38
Andrey, do you have access to SVN on SourceForge?

We have there place for languages, incl. Russian, so maybe you could keep it up to date there?

Would you be willing to help?
Posted: 2009/8/20 17:49 • Updated: 2009/8/20 17:49
Mamba:
I do not have access to SVN on SourceForge.
I can help with the Russian localisation, if you will give me access and tell me how to work with it.

Forgive my English.
Posted: 2009/8/20 18:11 • Updated: 2009/8/20 18:12
Andrey, just become a member on SourceForge (www.sourceforge.net), and then let me know your user name there.

We'll take it from there.
Posted: 2009/8/20 18:22 • Updated: 2009/8/20 18:22
Mamba:
I have sent my user name in a PM.
Posted: 2009/8/20 18:52 • Updated: 2009/8/20 18:52
Well, I just applied the patch to my live site and now I can't access the admin pages. I get a white screen. I can't turn on debug because of that. Fortunately I backed up before uploading and overwriting the files in PM and Protector and I didn't do an update. I'm about to overwrite those folders again with the old files.

[Update] I have now copied the old PM and Protector folders back to my site and I can see the admin pages again. I have a copy of my site that I use for testing. If you want me to I can try this update again on that site, having turned on debug first to see if I can identify the problem. Let me know.

barryC
Posted: 2009/8/21 14:20 • Updated: 2009/8/21 14:29
Did you upload protector files to xoops_lib?
Posted: 2009/8/21 14:33 • Updated: 2009/8/21 14:33
I thought I followed the readme exactly but now I'm not sure. Let me try it again. Nobody else has reported it so I probably did something wrong. Too many projects going on at once here.

I'll report back.

BC
Posted: 2009/8/21 15:28 • Updated: 2009/8/21 15:28
OK. I repeated the update and it's working fine. Obviously either I did something wrong (the most likely) or the upload didn't complete, or some such thing.

My apologies for wasting your time.

barryC
Posted: 2009/8/21 15:36 • Updated: 2009/8/21 15:36
The new package of XOOPS 2.3.3 in French is available for download here
Posted: 2009/8/22 13:49 • Updated: 2009/8/22 13:49