Difference of security patches between www.xoops and jp.xoops (updated)
Date 2005-11-15 18:37:43 | Category: XOOPS
|
 
This is a memo about the differences of "SECURITY FIXES" between www.xoops.org version and jp.xoops.org version.
WWW version:
2.0.13.1 -> 2.0.13.2
JP version:
2.0.12-JP -> 2.0.13a-JP
As 2.2.3 is still vulnerable, I recommend you not to use it yet.
There are 5 vulnerablities found in Oct 2005.
(1) IE only: JavaScript exectable if the URL is started with "j\ta\tv\nascript:" or so on. (Script Insertion)
(2) IE only: If 'Content-Type' in HTTP headers and HTTP contents is different, IE parses the contents as text/html. (XSS)
(3) 'icon' in newbb and comment can be inserted JavaScript. (Script Insertion)
(4) misc.php mail header injection
(5) contact module mail header injection
The original report is from JPCERT. (IPA#77105349)
And this is only (1) and (3).
=God Marijuana= reported (4) and (5) to minahito.
JM2's team reported (1) to minahito.
And fixed codes for 2.0.13a-JP are made by minahito and nobunobu.
Fixed codes for 2.0.13.2 are made by Skalpa reading 2.0.13a-JP patches as references.
Detail description:
(3)
This is just false report.
As icon field is enough short, attacker can't insert any attackable JavaScript.
JPCERT should be denounced that they don't confirm the report.
(5)
contact module is well-known BAD MODULE.
You should delete the module.
(4)
There are no differences between the patches.
Good patches.
(1)
There is an important difference between JP and WWW.
JP version:
check only [ img] tags.
WWW version:
all pattern of "j{$c}v{$c}a{$c}s{$c}c{$c}r{$c}i{$c}p{$c}t{$c}:" should be sanitized.
With the sight of these patches, WWW version looks safer than JP version.
(2)
There is an important misunderstanding in WWW version.
Only JP version patches can prevent from the attacks named "uploading XSS".
If you use 2.0.13.2, I recommend you to overwrite class/module.textsanitizer.php inside 2.0.13a-JP version.
|
|