Hi All,
Thanks for reporting. I checked this issue for XSS. Well, I can put a script in it, but it does not work at the browser level, because the template does not show those parameters.
But I guess we feel something is wrong, so I added more sanitizing code.
And released Ver3.21.
DOWNLOAD HERE
We have changed to SVN and returned to Sourceforge. Our old/new code is here:
http://galeriayogurt.svn.sourceforge.net/viewvc/galeriayogurt/core/trunk/
Updated information: http://osvdb.org/search?request=yogurt
Look at the other solution link; it's a reference to this post.
And look at the solution section: 'Currently, there are no known workarounds or upgrades to correct this issue. However, ImpressCMS (m0unty) is working to address this vulnerability.'
OSVDB is an open source project and it's updated by community contributors.
None interesting that provide the best security reference for a vulnerability; when a vulnerability has any update, any one of the contributors can add the information to update it.
Thanks to all who have been involved in working on the patch!!!
Thanks again, I have sent this info to the dev.
Sure!!
This can be patched here too, in class/PopnupBlogUtils.php,
around line 63. If you look, some params are sanitized in the original function, but not all...
Yes, I have an error in the version; I tested it in version 3.20 from here => http://www.bluemooninc.biz/~xoops2/modules/mydownloads/singlefile.php?cid=3&lid=35
and it is vulnerable ;)
I'm not sure if, when we try to fix the 'param' variable with:
Thanks, but I thought the latest version of PopnupBlog is 3.20 and that this version was fixed. See Secunia SA29993.
I can see Alfred's making some good progress on security as well
##########################################
PopnupBlog index.php multiple variables XSS
Vendor url: http://www.bluemooninc.biz/
Advisory: http://lostmon.blogspot.com/2008/08/popnupblog-indexphp-multiple-variables.html
Vendor notified: no
Exploits available: yes
##########################################
PopnupBlog contains a flaw that allows a remote
cross site scripting attack. This flaw exists because
the application does not validate the 'param', 'cat_id' and
'view' variables upon submission to the 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
##########
versions
##########
PopnupBlog 3.30 code name: Denali
Prior versions can be vulnerable too.
It affects these types of CMS systems if we
have installed this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and others that use xoops code and this module.
############
Solution
############
No solution at this time !!!
But you can edit the source code and fix it like:
To fix 'param', open index.php; around line 37 we have
Hello,
I have added "dhcst" aka @Alfred and "m0unty_" aka @Vaughan as developers.
And I have changed from CVS to SVN on https://sourceforge.net/projects/galeriayogurt/
After I copied our latest version to sf.net,
Alfred added the first commit.
I think we can create a very nice module, which also works with Xoops. If more developers take part, the result is better.
Sorry for taking so long to post here in this forum. I am watching the impress cms project and am happy with its evolution.
I have posted a news on sourceforge and hope everyone interested on the project read it.
http://sourceforge.net/forum/forum.php?forum_id=860075
I would like to thank again everyone that is helping on this project, and I promise to come back to the code one day when my life outside the xoops, impresscms world is less busy.
I am finishing my master's in software engineering and will start a new one in software security and risk management, so I will remain busy till October 2009.
Thanks to my friend edvbox xoopsmagazine or sato as he is called here for all this help.
I am not a great fan of reporting vulnerabilities outside the user communities.
The vulnerability gets reported to OSVDB, milw0rm, Secunia, etc. but never that it has been fixed. These databases never remove these reports after the vulnerability has been fixed. This often leads to all kinds of hack attempts for a long period of time by the script-kiddies. In the worst case these kiddies succeed because the developer(s) maybe can't fix it quickly enough or are unaware of the vulnerability.
The communities should track these vulnerabilities and if discovered place the module offline from the download area.
It was a dark and stormy day as the wannabe ICMS module developer caressed the keys in an attempt to coax a new ImpressCMS module to life (well, actually it was just kind of cloudy with a chance of thunderstorms).
He wanted to make his new creation very user friendly to administrate (because, after all, he finds himself whining quite a bit about how some others implement their code), so he selected an intuitive push button approach to various functions within an administrative tabs setup to make the job easier.
Our dubious hero uses the ImpressCMS 1.1 beta platform and had thought how smart he was in doing the right thing by his installation, making sure that Protector was installed and operating. He felt good in knowing that his site was protected from the bad guys and knew in his heart that it was a good thing to implement.
As he tested away on his module, he found an odd problem kept resurfacing. Suddenly, for no apparent reason, the pages would go blank, without an error. He found he needed to reboot the webserver process in order to get around the problem. How strange, he thought.
He struggled with his code, looking here and there for the answer to this intense and growing mystery. Finally, after several hours of developing, going back to restart the webserver fairly often, he checked back into his Protector module. He discovered that indeed an IP had been blocked for what Protector saw as a denial of service attack from none other than his own IP.
Feeling stupid about such an obvious thing, he added that IP to the exclude list and smiled to himself when he saw the problem vanish. "Better make a note to myself about that, just in case I see that again on the user side - might need to change the default Protector parameters", he thought as he drifted back to his code...
Thanks!
I am going to update this information!!
good work :)
Hi,
m0unty has worked on:
http://impresscms.svn.sourceforge.net/viewvc/impresscms/modules/yogurt_v3.3rc1/trunk/
Hello !
Does anyone have a patch, update or workaround for this module??
I am going to be mangling and documenting all of these vulnerabilities in osvdb.org
http://osvdb.org/search?request=yogurt
If anyone has some information, please let me know. Thanks!!!
Thanks for info. I have added the list in my ImpressCMS:
I don't think it's a coincidence that these injection attempts happen during the weekends. During the week it's collecting links to attack on the weekends.
On my website I use the counter PHP-Stats, and often there are entries that have the following remarks:
- OS: Windows XP
- Browser: IE6/IE7
- resolution: ??
And only 1 page visited.
The details of the injection attempts are actually the same, except it's not 'visiting' one page. During the injection attempt normally the same page is visited twice with 2-5 seconds in between. Sometimes another attempt happens a little later by the same IP.
Spam is something that is part of this world, but hopefully it should be terminated once and forever.
I am blocking in htaccess Internetserviceteam.com and keymachine.de (click links for info) because they're known content scrapers and spam bots: