[27213] in bugtraq
Re: Xoops RC3 script injection vulnerability
daemon@ATHENA.MIT.EDU (Sergio)
Fri Sep 27 16:37:15 2002
Date: 26 Sep 2002 12:51:08 -0000
Message-ID: <20020926125108.5544.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Sergio <w4z002@hotmail.com>
To: bugtraq@securityfocus.com
In-Reply-To: <200209241358.g8ODwqx97021@mailserver2.hushmail.com>
>--------------------------------------------
>| Xoops RC3 script injection vulnerability |
>--------------------------------------------
>
>
>PROGRAM: Xoops
>VENDOR: http://www.xoops.org/
>VULNERABLE VERSIONS: RC3.0.4,possibly previous versions
>IMMUNE VERSIONS: no immune current versions
>SEVERITY: high
>
This Is not correct
inmune versions : no inmune ??
Xoops settings : admin > system admin > preferences > html OFF (for what
do you think that exist this ??)
This is not a HOLE in xoops.
You are used a bad setting in you site.
The next Rc of Xoops have disable totaly the html post for the users only
accept bbcode.
>Vendor status
>=============
>I wanted to inform someone from Xoops.org but the website wasn't
available, so I informed the French team. They weren't aware of this
problem so they transmitted it to the Dev Team. The Dev Team had already
located the vulnerability which is not specific to Xoops but with much of
scripts.
>In future version, a new filter will be inserted in the textsanitizer to
avoid even more this risk.
Nopes we can't add all new vulnerability to the textsanitizer, the
solution is more simple, disable totaly the html post for the users.
If you add each little vulnerability to the testsanitizer the file go to
have 1 mb :-)
w4z004
Xoops Spanish Support
Xoops dev Team
