Anyone can read all XOOPS private messages

From: Val Deux (valdeuxat_private)
Date: Fri Dec 13 2002 - 07:32:36 PST

    www.phpsecure.org advisory.
    In French: http://www.phpsecure.org/?zone=pComment&d=101
    
    By valdeux
    Published on December 13th, 2002
    
    
    Like most PHP CMSs, XOOPS allows users to send and receive Private 
    Messages (PMs), which are saved in the database.
    We found a way for all of these messages to be read.
    And of course, we give you a solution.
    
    Product		:	XOOPS
    Version		:	RC3 (tested)
    File		:	/pmlite.php
    
    
    Bug :
    	if ($reply == 1) {
    		// $msg_id is used as-is: nothing checks that the message
    		// was sent to the current user before it is quoted.
    		$pm = new XoopsPM($msg_id);
    		$pm_uname = XoopsUser::getUnameFromId($pm->getVar("from_userid"));
    		$replytext = "[quote]\n";
    		$replytext .= sprintf(_PM_USERWROTE,$pm_uname);
    		$replytext .= "\n".$pm->getVar("msg_text", "E")."\n[/quote]";
    
    
    
    Solution :
    	A patched file is available on www.phpsecure.org :
    		http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=x
    	
    
    
    
    patch :
    	line 76 : if($pm->getVar("to_userid") != $xoopsUser->getVar("uid"))
    	line 77 :	die("Désolé, c'est patché :)<br><br><a href=\"http://www.phpsecure.org\">phpSecure();</a>");
    	
    
    
    
    Thanxxx :
    	Magistrat for his website (www.blocus-zone.com) that allows me to 
    test XOOPS every day :p
    	PhpSecure Team (www.phpsecure.org, don't forget ;))
    	xoops.org, because their CMS is a nice one. Let's secure it ;)
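
The recipient check from the patch, shown as a self-contained added example (not code from the advisory or from XOOPS). It assumes `msg_id` arrives as a request parameter; the in-memory `MESSAGES` rows are constructed, and `build_reply_quote()` and `handle_reply()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for the private-message table.
const MESSAGES = [
    1 => ['from_userid' => 10, 'to_userid' => 20, 'msg_text' => 'Lunch at noon?'],
    2 => ['from_userid' => 30, 'to_userid' => 40, 'msg_text' => 'Contract draft attached'],
];

// Hypothetical helper: builds the quoted reply text for $msgId on behalf of
// $currentUid. Returns null when the caller may not read the message.
function build_reply_quote(int $msgId, int $currentUid, array $messages): ?string
{
    $pm = $messages[$msgId] ?? null;
    // Same answer for "no such id" and "not yours", so ids cannot be probed.
    if ($pm === null || $pm['to_userid'] !== $currentUid) {
        return null;
    }
    $text = htmlspecialchars($pm['msg_text'], ENT_QUOTES, 'UTF-8');
    return "[quote]\nuser #{$pm['from_userid']} wrote:\n{$text}\n[/quote]";
}

// Request handling: the id comes from the client, so it is validated as an
// integer and then authorized against the session user before quoting.
function handle_reply(array $query, int $sessionUid, array $messages): array
{
    $msgId = filter_var($query['msg_id'] ?? null, FILTER_VALIDATE_INT);
    if ($msgId === false) {
        return [400, 'bad msg_id'];
    }
    $quote = build_reply_quote($msgId, $sessionUid, $messages);
    return $quote === null ? [403, 'not your message'] : [200, $quote];
}

// User 20 replies to their own message 1, then requests message 2 (sent to
// user 40), then sends a non-numeric id.
foreach ([['msg_id' => '1'], ['msg_id' => '2'], ['msg_id' => 'x']] as $q) {
    [$status, $body] = handle_reply($q, 20, MESSAGES);
    echo $status, ' ', str_replace("\n", ' | ', $body), PHP_EOL;
}
```

Unlike the `die()` in the patch, the handler returns a status so the caller can log the refused request and render its own error page.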
    



    This archive was generated by hypermail 2b30 : Fri Dec 13 2002 - 08:59:52 PST