Infesting you with Virus News
 


Contributed by: Lauren Gerber
Date: August 3, 2009

Presenting The XOOPS Input Invalidation Flaws

 

It is vital to have a sound basic knowledge of computer security. You do not need to be a computer security guru, and you most definitely don't need to have developed antivirus software. All that is really required is a level of awareness and a basic ability to detect a problem. With even a minimal level of computer security awareness you may be able to detect when something is not quite right, and then counteract the problem in due course. At the end of the day, you want just enough knowledge to keep your machine as vulnerability-free as possible. Reading vulnerability information may be a good way to stay aware. You can start by reading about a vulnerability which was recently reported in XOOPS.

Let's start by introducing you to XOOPS. It is a web-based application platform which is geared for the MySQL database. It is a wonderful tool to use if you wish to develop a community website of any size. It has many exciting features and is a remarkable tool to get you started on your journey. For those of you who may be curious to know, it is written in the programming language PHP. XOOPS is compatible with the Mac, Linux and Windows operating systems. This includes the Windows 95 operating system. Some of the files of Windows 95 may include: a2560.sys, apm.inf, BCHOOSER.EXE, BD2.EXE as well as chipsn.inf.

There are two scripts within XOOPS which do not filter HTML code out of user-supplied input before displaying that input. This is a cross-site scripting flaw. A malicious online attacker would be able to take advantage of it by using a manipulated URL that, when it is loaded by a target user, results in the execution of arbitrary script code in that user's browser.

This vulnerability affects the following inputs: the 'op' parameter of 'viewpmsg.php' as well as the query string of 'user.php'. If this vulnerability is exploited, the results could be harsh. A malicious online attacker will be able to access a victim's cookies. This may directly result in the attacker being able to perform actions on the XOOPS site while pretending to be the victim. The alarming aspect is that the attacker will then be able to see everything that the chosen victim is able to see, including confidential information.
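Requests that carry markup into the two inputs named above can be picked out of web server access logs. The following is an added example, not code from XOOPS or from the original article: it flags log lines where HTML metacharacters reach the 'op' parameter of 'viewpmsg.php' or the query string of 'user.php'. The common/combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request target inside a common/combined log format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let input break out of HTML text or an attribute value.
MARKUP_RE = re.compile(r'[<>"\']')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_input(target):
    """Return the decoded input if markup reaches a reported input, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script == "viewpmsg.php":    # only the 'op' parameter is reported
        candidates = parse_qs(parts.query, keep_blank_values=True).get("op", [])
    elif script == "user.php":      # the whole query string is reported
        candidates = [parts.query]
    else:
        return None
    for raw in candidates:
        decoded = fully_decode(raw)
        if MARKUP_RE.search(decoded):
            return decoded
    return None

def scan(lines):
    """Yield (line_number, decoded_input) for each flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hit = suspicious_input(match.group(1)) if match else None
        if hit is not None:
            yield number, hit

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Aug/2009:10:00:01 +0000] "GET /viewpmsg.php?op=example HTTP/1.1" 200 5120',
    '192.0.2.11 - - [03/Aug/2009:10:00:02 +0000] "GET /viewpmsg.php?op=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5133',
    '192.0.2.12 - - [03/Aug/2009:10:00:03 +0000] "GET /user.php?%253Ci%253Etest HTTP/1.1" 200 4800',
    '192.0.2.13 - - [03/Aug/2009:10:00:04 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 900',
]
```

Running scan(SAMPLE_LOG) flags the second and third lines only; the last line carries markup but targets a script that is not one of the two reported inputs.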

You may be wondering which versions of XOOPS this vulnerability has been found in. The affected versions include the 2.3.3 version. It is vital for all XOOPS users to acknowledge the fact that other versions may also be affected. It is recommended that all users apply the patch made available by the vendor. I would thus like to leave you with this quote: "Are hackers a threat? The degree of threat presented by any conduct, whether legal or illegal, depends on the actions and intent of the individual and the harm they cause." - Kevin Mitnick
