Bugtraq mailing list archives
Re: Xoops RC3 script injection vulnerability
From: Sergio <w4z002 () hotmail com>
Date: 26 Sep 2002 12:51:08 -0000
In-Reply-To: <200209241358.g8ODwqx97021 () mailserver2 hushmail com>
> --------------------------------------------
> | Xoops RC3 script injection vulnerability |
> --------------------------------------------
> PROGRAM: Xoops
> VENDOR: http://www.xoops.org/
> VULNERABLE VERSIONS: RC3.0.4, possibly previous versions
> IMMUNE VERSIONS: no immune current versions
> SEVERITY: high
This is not correct: "immune versions: no immune"?? Xoops settings: admin > system admin > preferences > html OFF (what do you think that exists for??). This is not a HOLE in Xoops. You are using a bad setting on your site. The next RC of Xoops has totally disabled the html post for the users; it only accepts bbcode.
> Vendor status
> =============
> I wanted to inform someone from Xoops.org but the website wasn't
> available, so I informed the French team. They weren't aware of this
> problem so they transmitted it to the Dev Team. The Dev Team had already
> located the vulnerability, which is not specific to Xoops but common to
> many scripts.
> In future versions, a new filter will be inserted in the textsanitizer to
> avoid even more this risk.

Nope, we can't add every new vulnerability to the textsanitizer; the solution is simpler: totally disable the html post for the users. If you add each little vulnerability to the textsanitizer, the file will grow to 1 MB :-)

w4z004
Xoops Spanish Support
Xoops Dev Team
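The setting Sergio recommends (HTML posting off, BBCode only) amounts to escaping every HTML character in user text first and only then translating a small whitelist of BBCode tags into markup, so no filter rule per new vector is needed. The following is an added illustration of that approach, not code from Xoops or from anyone in this thread; the tag set, the allowed URL schemes and the `render_post` name are my own assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed whitelist: the only BBCode tags a post may use, and their HTML.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
# Assumed allowlist of link schemes; anything else stays plain text.
SAFE_SCHEMES = {"http", "https"}


def _safe_url(raw: str) -> Optional[str]:
    """Return the URL only if it uses an allowed scheme and has a host."""
    candidate = raw.strip()
    parsed = urlparse(candidate)
    if parsed.scheme.lower() in SAFE_SCHEMES and parsed.netloc:
        return candidate
    return None


def render_post(text: str) -> str:
    """Render user text with HTML disabled.

    Step 1 escapes every < > & " ' so raw HTML can never reach the browser.
    Step 2 rewrites whitelisted BBCode into markup the site itself emits.
    """
    out = html.escape(text, quote=True)

    for bb, tag in SIMPLE_TAGS.items():
        out = re.sub(rf"\[{bb}\](.*?)\[/{bb}\]", rf"<{tag}>\1</{tag}>",
                     out, flags=re.S | re.I)

    def url_repl(match: "re.Match[str]") -> str:
        url = _safe_url(html.unescape(match.group(1)))
        if url is None:
            # Unknown scheme: leave the already-escaped text exactly as typed.
            return match.group(0)
        return f'<a href="{html.escape(url, quote=True)}">{match.group(2)}</a>'

    return re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", url_repl,
                  out, flags=re.S | re.I)


if __name__ == "__main__":
    # Constructed sample post: raw HTML plus one whitelisted BBCode tag.
    print(render_post("<script>alert(1)</script> [b]hello[/b]"))
```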