[UNIX] Xoops Private Message System Script Injection
From: firstname.lastname@example.org To: email@example.com Date: Sun, 3 Feb 2002 22:10:57 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Xoops Private Message System Script Injection
<http://xoops.sourceforge.net/> Xoops is an open source portal script
written extensively in object-oriented PHP and backed by a MySQL database.
There are several security issues:
- Xoops discloses the SQL query source in its error messages
- Xoops allows a remote user to inject SQL into its queries
- Xoops is vulnerable to cross-site scripting
Affected versions:
- Xoops RC1
- Xoops RC2
The userinfo.php script does not check for special meta-characters in
It is possible to make it crash using this kind of query:
The error report will include:
MySQL Query Error: SELECT u.*, s.* FROM x_users u, x_users_status s WHERE
u.uid=1; AND u.uid=s.uid
Error message: You have an error in your SQL syntax near '; AND
u.uid=s.uid' at line 1
This discloses a lot of information that helps in performing an SQL injection
attack, such as
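The two defects the advisory describes in userinfo.php are the unvalidated id parameter reaching the SQL string and the raw MySQL error (query included) being echoed to the browser. The following is an added example, not Xoops code: it shows that pattern beside a hardened version. The table and column names are taken from the query quoted in the error message above; the PDO handle, the function names and the use of PDO itself (which did not exist in PHP 4, the version current when the advisory was written) are assumptions, and the same fix, validating the id as an integer and keeping database errors out of the response, applies with any database API.

```php
<?php
// Added example, not from Xoops. $db is assumed to be a PDO connection
// opened with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION.

// Vulnerable shape: the request parameter is interpolated into the SQL
// text and the full query plus the MySQL message is sent to the client,
// which is exactly the "MySQL Query Error" output quoted in the advisory.
function user_query_vulnerable(PDO $db, string $uid): ?array
{
    $sql = "SELECT u.*, s.* FROM x_users u, x_users_status s "
         . "WHERE u.uid=$uid AND u.uid=s.uid";
    try {
        $result = $db->query($sql);
        return $result->fetch(PDO::FETCH_ASSOC) ?: null;
    } catch (PDOException $e) {
        // Discloses table names, column names and the injection point.
        echo "MySQL Query Error: $sql<br>Error message: " . $e->getMessage();
        return null;
    }
}

// Hardened: the id must be a positive integer before it is used at all,
// it is bound as a parameter rather than spliced into the query text, and
// the client only sees a generic message while the detail goes to the log.
function user_query_hardened(PDO $db, string $uid): ?array
{
    $id = filter_var($uid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // "1;" or "1 OR 1=1" never reaches the database layer.
        http_response_code(400);
        echo 'Invalid user id.';
        return null;
    }
    try {
        $stmt = $db->prepare(
            'SELECT u.*, s.* FROM x_users u, x_users_status s '
          . 'WHERE u.uid = :uid AND u.uid = s.uid'
        );
        $stmt->execute([':uid' => $id]);
        return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    } catch (PDOException $e) {
        // Keep the query and driver message server-side only.
        error_log('userinfo query failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'An internal error occurred.';
        return null;
    }
}

// Usage, with the id taken from the request as in userinfo.php:
// $row = user_query_hardened($db, $_GET['uid'] ?? '');
```

The integer check alone would have stopped the query in the advisory from ever being built; the prepared statement is what keeps a later, less obviously numeric parameter safe, and the split between `error_log` and the response is what closes the disclosure issue listed first in the advisory.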
In addition, the Xoops Private Message Box is vulnerable to cross-site
scripting. For example:
http://xooped-site/pmlite.php?to_userid=[USER_ID_OF_TARGET]&msg_id=&image=foo.gif'><script alert("test");</script><img%20src='http://www.isecurelabs.com /images/barre.jpg&op=submit&theme=snow&subject=Are you sure ?&message=really?&submit=Submit
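The request above breaks out of the `src='...'` attribute of the image tag because pmlite.php writes the `image` parameter (and the other form values) back into the page unencoded. The following is an added example, not Xoops code, of rendering those fields safely: attribute values are HTML-encoded with `htmlspecialchars` using `ENT_QUOTES` (so the single quote in the payload is neutralised), the image name is checked against an allowlist, and `to_userid` is validated as an integer. The parameter names come from the advisory's URL; the helper names and the markup are hypothetical.

```php
<?php
// Added example, not from Xoops. Parameter names follow the advisory's URL;
// the form layout and helper names are invented for illustration.

// Escape a value for use inside an HTML attribute or text node. ENT_QUOTES
// encodes both quote styles, so a value cannot terminate a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allowlist the image: a bare file name with a known extension, nothing
// else. Anything that does not match falls back to a fixed default.
function pm_image_name(string $image): string
{
    return preg_match('/^[A-Za-z0-9_-]+\.(gif|png|jpe?g)$/', $image)
        ? $image
        : 'default.gif';
}

// Render the private-message form from the request parameters.
function render_pm_form(array $p): string
{
    $to = filter_var($p['to_userid'] ?? '', FILTER_VALIDATE_INT);
    $to = ($to === false) ? 0 : $to;
    $image   = pm_image_name($p['image'] ?? '');
    $subject = h($p['subject'] ?? '');
    $message = h($p['message'] ?? '');
    return "<form method='post' action='pmlite.php'>\n"
         . "<input type='hidden' name='to_userid' value='$to'>\n"
         . "<img src='images/" . h($image) . "'>\n"
         . "<input type='text' name='subject' value='$subject'>\n"
         . "<textarea name='message'>$message</textarea>\n"
         . "</form>\n";
}

// Constructed input shaped like the advisory's request. The image value is
// rejected by the allowlist and the quote in the subject is encoded, so no
// attacker-controlled markup reaches the browser.
echo render_pm_form([
    'to_userid' => '1',
    'image'     => "foo.gif'><script>",
    'subject'   => "Are you sure ?'",
    'message'   => 'really?',
]);
```

Encoding at the point of output is the fix that generalises: it covers `subject` and `message` as well, which the advisory's URL also carries and which are just as exposed if they are echoed raw. The allowlist on `image` is an extra layer specific to a value that is only ever supposed to name a file.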
More about SQL injection:
The information has been provided by
<mailto:firstname.lastname@example.org> Cabezon Aurelien.
This bulletin is sent to members of the SecuriTeam mailing list.
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.