=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN561
_____________________________________________________________________

DATE                      : 09/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running XOOPS versions 2.3.x,
                             XOOPS Protector module.

======================================================================
http://www.xoops.org/modules/news/article.php?storyid=4563
______________________________________________________________________

Security : XOOPS 2.3.2b - Security Release
Posted by phppp on 2008/12/7 7:10:00 (724 reads)

Security is always at the top of the XOOPS Developers' list. Therefore
the XOOPS Development Team is pleased to announce the release of XOOPS
2.3.2b, an improved XOOPS 2.3.x release.

This release is solely for a couple of critical fixes, including an XSS
vulnerability reported by Digital Security Research Group (DSRG), a
potential local file inclusion vulnerability reported by DSRG, an autologin
bug reported by Dylian, a backward bug in data synchronization reported
by boy0917, as well as a bug in xoopsmailer reported by ezsky.

In the 2.3.2b release we have further improved security fixes with help
from DSRG.

All XOOPS 2.3.x users are strongly advised to upgrade to this version
as soon as possible.

XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed
here. However, all 2.0 and 2.2 users who have the Protector module installed
are advised to upgrade to the version included in this package to address
the local file inclusion issues.

Download from Sourceforge repository.


System requirements
-----------------------------------

PHP:
Any PHP version >= 4.3 (PHP 4.2.x may work but is not officially supported,
PHP 5.0+ is strongly recommended)

MySQL:
MySQL server 3.23+ (MySQL 5.0+ is strongly recommended)

Web server:
Any server supporting the required PHP version (Apache highly recommended)


Downloading XOOPS 2.3.2b
-----------------------------------

You can get this release package from the Sourceforge repository.
Both .zip and .gz archives are provided.


Installing XOOPS 2.3.2b
-----------------------------------

1. Copy the content of the htdocs/ folder where it can be accessed by your
server
2. Ensure mainfile.php and uploads/ are writable by the web server
3. For security considerations, you are encouraged to move directories
"/xoops_lib" (for XOOPS libraries) and "/xoops_data" (for XOOPS data) out
of document root, or even change the folder names.
4. Make the directory of xoops_data/ writable; Create and make the
directories of xoops_data/caches/, xoops_data/caches/xoops_cache/,
xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/
writable.
5. Access the folder where you installed the htdocs/ files using your
web browser to launch the installation wizard

Installing Protector in XOOPS 2.3.2
-----------------------------------
We also highly recommend the installation of the PROTECTOR module which
will bring additional security protection and logging capabilities to your site:

To install Protector module for the first time with a new installation of XOOPS
2.3.2, copy /extras/mainfile.dist.php.protector to /htdocs/mainfile.dist.php
BEFORE installing XOOPS.

If you are upgrading an existing XOOPS Website (see below how to do it), and
Protector is already installed there, copy /extras/mainfile.dist.php.protector
to /upgrade/upd-2.0.18-to-2.3.0/mainfile.dist.php BEFORE upgrading XOOPS.


Upgrading from a previous version
-----------------------------------

As always, make sure you have a fresh BACKUP before you upgrade!!!

Upgrading from XOOPS 2.3.x (easy way)
1. Get the update package from the sourceforge file repository
2. Overwrite your existing files with the new ones
3. Move the "upgrade" folder inside the "htdocs" folder (it's been kept
out as it's not needed for full installs) on your local machine
4. Access /upgrade/ with a browser, and follow the instructions
5. Follow the instructions to update your database
6. Delete the upgrade folder from your server
7. Update the "system" module from the modules administration interface;
updating the other modules, especially "profile", is recommended as well


Upgrading from XOOPS 2.0.* above 2.0.14 and 2.2.* (using the full package)
1. Move the "upgrade" folder inside the "htdocs" folder (it's been kept out
as it's not needed for full installs) on your local machine
2. Delete htdocs/mainfile.php, htdocs/install/, htdocs/cache/, htdocs/extras/,
htdocs/template_c/, htdocs/themes/ and htdocs/uploads/ from the "htdocs"
folder on your LOCAL machine
3. Upload the content of the htdocs folder on your LOCAL machine over your
existing files on your server
4. For security considerations, you are encouraged to move directories
xoops_lib (for XOOPS libraries) and xoops_data (for XOOPS data) out of
document root, or even change the folder names.
5. Make the directory of xoops_data/ writable; Create and make the
directories of xoops_data/caches/, xoops_data/caches/xoops_cache/,
xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ writable.
6. Ensure the server can write to mainfile.php
7. Access /upgrade/ with a browser, and follow the instructions
8. Follow the instructions to update your database
9. Write-protect mainfile.php again
10. Delete the upgrade folder from your server
11. Update the "system" module from the modules administration interface;
updating the other modules is recommended as well


Upgrading from any XOOPS ranging from 2.0.7 to 2.0.13.2 (using the
full package):
1. Move the "upgrade" folder inside the "htdocs" folder (it's been kept
out as it's not needed for full installs) on your LOCAL machine
2. Delete htdocs/mainfile.php, htdocs/install/, htdocs/cache/, htdocs/extras/,
htdocs/template_c/, htdocs/themes/ and htdocs/uploads/ from the "htdocs"
folder on your LOCAL machine
3. Upload the content of the htdocs folder on your LOCAL machine over
your existing files on your server
4. Delete the following folders and files from your server (they
belong to an old version):
* class/smarty/core
* class/smarty/plugins/resource.db.php
5. Ensure the server can write to mainfile.php
6. For security considerations, you are encouraged to move directories
xoops_lib (for XOOPS libraries) and xoops_data (for XOOPS data) out
of document root, or even change the folder names.
7. Make the directory of xoops_data/ writable; Create and make the
directories of xoops_data/caches/, xoops_data/caches/xoops_cache/,
xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ writable.
8. Access /upgrade/ with a browser, and follow the instructions
9. Write-protect mainfile.php again
10. Delete the upgrade folder from your server
11. Update the "system" module from the modules administration interface;
updating the other modules is recommended as well


Upgrading a non UTF-8 site:
UTF-8 encoding has been introduced in XOOPS 2.3 as the default charset.
However, converting existing websites from a non UTF-8 charset to UTF-8
may cause problems.
Until a good enough solution for this conversion exists, the following
settings are recommended when you upgrade an existing website if you are
not an experienced user:
- Select the "Do not change" option in the "Database character set and
collation" step of the upgrade process
- Modify /languages/yourlanguage/global.php to keep your existing _CHARSET
value if the new global.php file has changed it to UTF-8, i.e. if it now
reads

define('_CHARSET', 'UTF-8');



Upgrading the XoopsEditor package:
The XOOPS 2.3.2b package includes five editors: dhtmltextarea and
textarea for plain text, and fckeditor, tinymce and koivi for WYSIWYG
HTML.
Since the directory structure of both the fckeditor and tinymce editors
has changed, you are advised to remove the existing editors before
uploading the new ones.
If you are using fckeditor for modules, please modify the module-specific
configs following the files in /fckeditor/modules/, especially if you
use the "article" module.


Debug information display level
-----------------------------------

Since XOOPS 2.3.1 a debug information display level is available as a
temporary solution for 2.3.* to show debug information to different
levels of users: to all users, to members, or to admins only.
The setting can be configured in /xoops_data/configs/xoopsconfig.php.
A new, redesigned debug information renderer is planned for XOOPS 3.0.



Files integrity check
-----------------------------------

The full XOOPS package is released with a script that checks whether all
the system files have been correctly uploaded to the server. To use it,
follow these instructions:

1. Upload the checksum.php and checksum.md5 files located in the XOOPS
package root to your XOOPS server folder (next to mainfile.php).
2. Execute checksum.php with your browser
3. If necessary, re-upload the missing or corrupted system files
4. Remove checksum.php and checksum.md5 from your server
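As an added illustration of what such an integrity check does (this is not XOOPS's own checksum.php, and the manifest format "<md5>  <relative path>" per line is an assumption), the script below reads a checksum manifest, hashes each listed file under a root directory and reports which files are intact, missing or corrupted:

```python
# Added illustration of the checksum.php / checksum.md5 procedure above; it is
# NOT XOOPS's own script. Assumed manifest format: "<md5>  <relative path>"
# per line, as md5sum writes it.
import hashlib
import os
import tempfile

def md5_of_file(path, chunk=65536):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Yield (expected_md5, relative_path); blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition(" ")
        yield digest.lower(), rel.lstrip(" *")  # md5sum uses "  " or " *"

def check_tree(root, manifest_text):
    """Classify every manifest entry under root as ok, missing or corrupted."""
    report = {"ok": [], "missing": [], "corrupted": []}
    for expected, rel in parse_manifest(manifest_text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_of_file(full) != expected:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def demo():
    """Constructed tree: one intact file, one truncated upload, one never uploaded."""
    root = tempfile.mkdtemp()
    files = {"mainfile.php": b"<?php // ok\n", "class/module.php": b"<?php // full\n"}
    lines = ["%s  %s" % (hashlib.md5(d).hexdigest(), p) for p, d in files.items()]
    lines.append("%s  include/common.php" % hashlib.md5(b"never uploaded").hexdigest())
    os.makedirs(os.path.join(root, "class"))
    with open(os.path.join(root, "mainfile.php"), "wb") as f:
        f.write(files["mainfile.php"])
    with open(os.path.join(root, "class/module.php"), "wb") as f:
        f.write(files["class/module.php"][:5])  # simulate a truncated upload
    return check_tree(root, "\n".join(lines))

if __name__ == "__main__":
    print(demo())
```

Any file listed under "missing" or "corrupted" is one to re-upload before the checker and its manifest are removed from the server again.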


Modules
-----------------------------------

This release contains only the "system-related modules". You are invited
to browse the XOOPS modules repository if you need additional
functionality. Note: as a new repository is being built, the current
repository is not up-to-date, PLEASE VISIT INDIVIDUAL DEVELOPERS' WEBSITES
TO MAKE SURE YOU ARE USING THE LATEST VERSION OF THE MODULES.


How to contribute
-----------------------------------
Bug report: http://sourceforge.net/tracker/?group_id=41586&atid=430840
Patch and enhancement: http://sourceforge.net/tracker/?group_id=41586&atid=430842
Feature design: http://sourceforge.net/tracker/?group_id=41586&atid=430843
Release announcement: https://lists.sourceforge.net/lists/listinfo/xoops-announcement


XOOPS Development Team
December 7th, 2008

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
