========================================================================
= CodeScan Advisory, codescan.com
=
= Multiple vulnerabilities in Xoops 2.4.3
=
= Vendor Website:
= http://www.xoops.org
=
= Affected Version:
= Xoops 2.4.3 And Earlier
=
= Researched By
= CodeScan Labs
=
= Public disclosure on January 19th, 2010
========================================================================

== Overview ==

CodeScan Labs (www.codescan.com) has recently released a new source code scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to check web application source code for security vulnerabilities. CodeScan utilises an intelligent source code parsing engine, traversing execution paths and tracking the flow of user supplied input.

During the ongoing testing of CodeScan ASP, Xoops was selected as one of the test applications. We downloaded Xoops from the Xoops website http://sourceforge.net/projects/xoops/files/XOOPS Core (stable releases)/XOOPS 2.4.3/. This advisory is the result of research into the security of Xoops, based on the report generated by the CodeScan tool.

== Vulnerability Details ==

* File Deletion through unlink *

The unlink function is used by a web page to delete a file on the web server. The unlink function was found to be used with user input:

    unlink($oldsmile_path);

Although filter functions such as str_replace are applied:

    $oldsmile_path = str_replace("\\", "/", realpath(XOOPS_UPLOAD_PATH.'/'.trim($_POST['old_smile'])));

this is not strong enough for CodeScan Developer to count it as a filter. It is potentially dangerous for a user to have direct input into what is deleted, depending on the access and permissions the user holds. It is recommended that user permissions and access are constrained to prevent exploitation.

* HTTP Response Splitting via Header *

CodeScan Developer has identified that the application header uses the $redirect variable, which is derived from user input with no validators, restrictions, or custom filter functions:

    $redirect = trim($_GET['xoops_redirect']);

and:

    header('Location: ' . $redirect);

It is potentially dangerous at this point: a malicious user could inject malicious content into the header, and the next time a user accesses the page it may cause that malicious code to execute.

== Credit ==

Discovered and advised to the vendor by CodeScan Labs

== About CodeScan Labs Ltd ==

CodeScan Labs is a specialist security research and development organisation that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through the automated scanning of web application source code for security vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET and PHP.

CodeScan Labs operates with Responsible Disclosure. As a result, any published advisories will contain information about problems identified by CodeScan that have been resolved by the vendor. Additional code problems which may be identified by CodeScan or its staff and which are not resolved by the vendor will not be made publicly available.
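The two patterns from the Vulnerability Details section above, shown with hardened counterparts, as an added PHP example that is not XOOPS code and not part of the original advisory. The function names safe_unlink_in_dir() and safe_redirect_target(), the UPLOAD_DIR constant standing in for XOOPS_UPLOAD_PATH, and the sample filenames and redirect values in the demo block are all constructed assumptions; the code needs PHP 7 or later. The point it makes about the first finding is that realpath() resolves "../" segments and symlinks but does not confine the result, so a containment check on the resolved path is still needed; for the second finding, the redirect value is validated before it ever reaches header().

```php
<?php
// Added example, not XOOPS code: hardened forms of the two patterns flagged in
// the advisory. safe_unlink_in_dir(), safe_redirect_target(), the UPLOAD_DIR
// constant and the sample inputs in the demo are assumptions for illustration.
declare(strict_types=1);

// Stand-in for XOOPS_UPLOAD_PATH; any writable directory works for the demo.
define('UPLOAD_DIR', sys_get_temp_dir() . '/smilies_demo');

// Normalise separators and add a trailing slash so that a prefix comparison
// cannot be fooled by "/uploads" matching "/uploads_other".
function norm_dir(string $path): string
{
    return rtrim(str_replace('\\', '/', $path), '/') . '/';
}

/**
 * Delete $name only if it is a bare filename that resolves to a regular file
 * strictly inside $baseDir. The containment test runs on the realpath() result,
 * so "../" segments and symlinks are resolved before the check, not after.
 * Returns true when the file was removed, false when the request was refused.
 */
function safe_unlink_in_dir(string $baseDir, string $name): bool
{
    $base = realpath($baseDir);
    if ($base === false || $name === '') {
        return false;
    }
    // A filename, not a path: refuse NUL bytes and either path separator.
    if (strpbrk($name, "\0/\\") !== false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strpos(norm_dir($target), norm_dir($base)) !== 0) {
        return false; // resolved to a location outside the upload directory
    }
    return unlink($target);
}

/**
 * Validate a user-supplied redirect target before it reaches header().
 * Only a same-site absolute path is accepted. CR/LF and NUL (the header
 * injection vector) and any scheme or host (open redirect) yield $default.
 */
function safe_redirect_target(string $userSupplied, string $default = '/'): string
{
    $candidate = trim($userSupplied);
    if ($candidate === '' || preg_match('/[\r\n\x00]/', $candidate) === 1) {
        return $default;
    }
    // Exactly one leading slash: rejects "http://host/", "//host/" and "\\host".
    if (preg_match('#^/(?![/\\\\])#', $candidate) !== 1) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// Constructed demonstration; run with `php this_file.php`.
if (PHP_SAPI === 'cli') {
    @mkdir(UPLOAD_DIR, 0700, true);
    file_put_contents(UPLOAD_DIR . '/old.gif', 'GIF89a');
    $outside = tempnam(sys_get_temp_dir(), 'keep');

    // Legitimate request inside the upload directory: deleted.
    var_dump(safe_unlink_in_dir(UPLOAD_DIR, 'old.gif'));
    // Traversal attempt: refused, and the file outside the directory survives.
    var_dump(safe_unlink_in_dir(UPLOAD_DIR, '../' . basename($outside)));
    var_dump(file_exists($outside));

    // Plain same-site path passes through unchanged.
    var_dump(safe_redirect_target('/userinfo.php?uid=1'));
    // Embedded CR/LF and a protocol-relative URL both fall back to "/".
    var_dump(safe_redirect_target("/index.php\r\nSet-Cookie: x=1"));
    var_dump(safe_redirect_target('//attacker.example/'));

    unlink($outside);
    @rmdir(UPLOAD_DIR);
}
```

In the web handler the calls would be `safe_unlink_in_dir(XOOPS_UPLOAD_PATH, $_POST['old_smile'] ?? '')` and `header('Location: ' . safe_redirect_target($_GET['xoops_redirect'] ?? ''))`. Current PHP releases already refuse a header() value containing a newline, which closes the literal response-splitting vector, but an unvalidated Location still lets the parameter send users to an arbitrary external host, so the allow-list on path shape is worth keeping regardless of PHP version.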