Re: Xoops RC3 script injection vulnerability

[Sergio <w4z002 () hotmail com>]

In-Reply-To: <200209241358.g8ODwqx97021 () mailserver2 hushmail com>


> --------------------------------------------
> | Xoops RC3 script injection vulnerability |
> --------------------------------------------
>
>
> PROGRAM: Xoops
> VENDOR: http://www.xoops.org/
> VULNERABLE VERSIONS: RC3.0.4,possibly previous versions
> IMMUNE VERSIONS: no immune current versions
> SEVERITY: high

This Is not correct
inmune versions : no inmune ??

Xoops settings :  admin > system admin > preferences > html OFF  (for what 
do you think that exist this ??)

This is not a HOLE in xoops.
You are used a bad setting in you site.
The next Rc of Xoops have disable totaly the html post for the users only 
accept bbcode.


> Vendor status
> =============
> I wanted to inform someone from Xoops.org but the website wasn't 
available, so I informed the French team. They weren't aware of this 
problem so they transmitted it to the Dev Team. The Dev Team had already 
located the vulnerability which is not specific to Xoops but with much of 
scripts.
> In future version, a new filter will be inserted in the textsanitizer to 
avoid even more this risk.

Nopes we can't add all new vulnerability to the textsanitizer, the 
solution is more simple, disable totaly the html post for the users.
If you add each little vulnerability to the testsanitizer the file go to 
have 1 mb :-)

w4z004
Xoops Spanish Support
Xoops dev Team