Hi! I found a vulnerability that may allow remote attackers to pass malicious input using an 'id' URI parameter in 'index.php' with the login block active in the Legacy root. Example:
Accessing this as anonymous:
http://localhost/index.php?id='www.xoopscube.com.br
...will result in:
<input type="hidden" name="xoops_redirect" value="/index.php?&id='www.xoopscube.com.br" />
This vulnerability CAN be used for spamming, PROBABLY CAN be used in heavy XSS attacks, and MAYBE allows remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
Logged In: YES
user_id=1102607
Originator: NO
The redirect URL is encoded and embedded in the form. How do you use this spec to attack others?
And, even if we should not use xoops_redirect, what do you replace this with?
Logged In: YES
user_id=64845
Originator: YES
Sorry for my mistakes!
I had found a serious ID bug in an old version of the news module from InstantZero (2007),
but I think it IS NOT RELATED TO XOOPS CUBE.
And I was wrong too when I thought that XOOPS Cube reacted in an unusual way that could allow the inclusion of BAD URLs and/or bad content for black SEO attacks and/or promotion (my example in this page was really dumb). It seems that I was wrong because the inclusion of content on pages is something very common, with no problems related. BUT... the only problem in the XOOPS case is that the system does not change the robots value automatically from "INDEX" to "NOINDEX" (this is valid for search.php mostly). In summary: this allows black SEO users to ATTACK or PROMOTE their URLs or contents (small texts or keywords).
Example:
http://localhost/search.php?action=results&andor=OR&query=porn+sex
http://localhost/search.php?action=results&andor=AND&query=warez+black+seo
http://localhost/search.php?action=results&andor=AND&query=XXX+Better+than+YYY
http://localhost/search.php?action=results&andor=AND&query=http://www.visit-my-web-site.xyz
Please, check the (lack of) quality of the results of the searches below:
http://google.com/search?q=site:xoopscube.org/user.php&safe=off
http://google.com/search?q=site:xoopscube.org/search.php&safe=off
http://google.com/search?q=site:www.xoops.org/user.php&safe=off
http://google.com/search?q=site:www.xoops.org/search.php&safe=off
This problem is compounded by the way that system engines score a website from the link structure. For example, files like:
/register.php
/user.php
/search.php
are POTENTIALLY much more important than a news item like:
/modules/Xigg/index.php/node/1234
It is easy to check this; just search for
http://google.com/search?q=site:xoopscube.jp/+\***+-brpn&safe=off
(query = site:xoopscube.jp/ *** -brpn )
(what I mean is... each "/" in a website structure can mean "less priority", so fake URLs can have a high score, or a higher score than normal URLs. URLs like /?id=PORNOGRAPHY (just a sample) can have more score than /modules/news/index.php/node/1234 - of course, the size and structure of URLs are just one of more than 200 factors in a system like Google)
But this is not only about SEO. These URLs without content are checked continuously by search engines, which unnecessarily consumes bandwidth and resources of the server.
Logged In: YES
user_id=64845
Originator: YES
Ah! Before closing this BUG ("it needs confirming"): XOOPS Cube allows the inclusion of ( and ) chars. Even if I do not know how this can be used in practice, the link above recommends encoding these chars too:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/cross-site-malicious-content.html
Good links about XSS:
http://xss-proxy.sourceforge.net/
http://ha.ckers.org/xss.html
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/cross-site-malicious-content.html
http://www.gnucitizen.org/blog/how-to-make-money-with-xss/
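As an added example (not XOOPS Cube code, and not from any poster in this thread), this is how a PHP login form could restrict the xoops_redirect value from the first post to a same-site path and attribute-encode it, including the ( and ) characters discussed just above; the function names are hypothetical.

```php
<?php
// Added example, not XOOPS Cube code. Function names are hypothetical.

/**
 * Accept only a same-site relative path (e.g. "/index.php?foo=1") for the
 * post-login redirect. Anything that could send the user off-site
 * (absolute or protocol-relative URLs) or smuggle control characters
 * falls back to the safe default.
 */
function safe_redirect_path(string $candidate, string $fallback = '/'): string
{
    // Must start with exactly one "/"; "//host/" is protocol-relative.
    if ($candidate === '' || $candidate[0] !== '/' || ($candidate[1] ?? '') === '/') {
        return $fallback;
    }
    // CR/LF or other control characters must never reach a Location: header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Some browsers treat "\" like "/", so "/\host" would also leave the site.
    if (strpos($candidate, '\\') !== false) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

/**
 * Encode a value for an HTML attribute. ENT_QUOTES handles ' and ";
 * ( and ) are additionally encoded, as the Secure Programs HOWTO linked
 * above recommends.
 */
function attr_encode(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace(['(', ')'], ['&#40;', '&#41;'], $encoded);
}

// Constructed inputs: the value from the report, an off-site attempt, and parentheses.
$samples = [
    "/index.php?&id='www.xoopscube.com.br",
    "//other-site.example/",
    "/search.php?query=alert(1)",
];
foreach ($samples as $s) {
    $path = safe_redirect_path($s);
    echo '<input type="hidden" name="xoops_redirect" value="' . attr_encode($path) . "\" />\n";
}
```

The second sample collapses to the fallback "/", while the first and third keep their path but come out with the quote and parentheses encoded inside the attribute.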
Logged In: YES
user_id=64845
Originator: YES
I've fixed the bug. But, it needs confirming before closing.
> This problem is compounded with the way that system engines score a
> website from the link structure. For example, files like:
> /register.php
> /user.php
> /search.php
> are POTENTIALLY very more important than a news like:
> /modules/Xigg/index.php/node/1234
That's impossible. There are many existing XOOPS Cube Legacy users. The simple URL needs a specific server setting. All users cannot change from the existing PHP setting to such a setting. Many compatibilities will be lost. Instead of compatibilities, confusions will come here.
I have a question. It seems that this is an SEO problem. Is that a bug? Should we fix this bug, even if we lose many compatibilities?
Enhancements are very important. But, we need to discriminate between BUG and FEATURE-REQUEST. The purpose of Legacy is compatibility with X2. Is keeping compatibility with X2 a bug?
I think the simple URL is a homework for the next-gen BASE that is not Legacy.
Do you have another solution that keeps compatibility with X2 and X2's modules?
Hi! Sorry, I wrote a long brainstorm before my last post, creating confusion...
Please pay attention only to my last post about the inclusion of parentheses without encoding/filtering.
(better close this and create a new artifact about it?)
Anyway, I wrote:
[quote]
Before close this BUG ("it needs confirming"): XOOPS Cube allows the
inclusion of ( and ) chars. Even if I do not know how this can be used in
practice, the link above recommends to encode these chars too:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/cross-site-malicious-content.html
Good links about XSS:
http://xss-proxy.sourceforge.net/
http://ha.ckers.org/xss.html
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/cross-site-malicious-content.html
http://www.gnucitizen.org/blog/how-to-make-money-with-xss/
[/quote]
About your last post: I agree with you, sure. Again, sorry for my long off-topic text.
And in my brainstorm I wrote about Black SEO as a kind of Cracking. This is just my point of view, but shared by many others too.
Question: Is Black Hat SEO A Form Of Hacking? Please, check the link above:
http://forums.searchenginewatch.com/showthread.php?t=6550
[OFF-TOPIC]
Hi Mikhail,
I sent a mail to your mikhail at users.sourceforge.net, to ask you to join our development directly.
Please, check your mailbox.
XCL 2.1.x cannot fix this issue. But XCL 2.2 can have some new mechanics, so 2.2 may be able to fix this issue.