16th Dec 2002 [SBWID-5875]
COMMAND
Anyone can read all XOOPS private messages via pmlite.php
SYSTEMS AFFECTED
XOOPS RC3 (tested)
PROBLEM
Thanks to valdeux [valdeux@aol.com] for the advisory:
http://www.phpsecure.org/?zone=pComment&d=101
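Like most PHP CMSs, XOOPS lets users send and receive Private
Messages (PMs), which are stored in the database. We found that all
messages are readable. The reply branch of pmlite.php loads the message
named by $msg_id and quotes its text without checking who the message
is addressed to. The bug: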
if ($reply == 1) {
    // Loads whichever message $msg_id names; the recipient is never checked.
    $pm = new XoopsPM($msg_id);
    $pm_uname = XoopsUser::getUnameFromId($pm->getVar("from_userid"));
    $replytext = "[quote]\n";
    $replytext .= sprintf(_PM_USERWROTE,$pm_uname);
    $replytext .= "\n".$pm->getVar("msg_text", "E")."\n[/quote]";
}
SOLUTION
A patched file is available on www.phpsecure.org:
http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=x
Patch:
line 76: if($pm->getVar("to_userid") != $xoopsUser->getVar("uid"))
line 77: die("Désolé, c'est patché :)<br><br><a href=\"http://www.phpsecure.org\">phpSecure();</a>");
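The recipient check that the patch introduces, written out as a stand-alone added example (it is not XOOPS code and not the phpSecure patch). The function replyQuote, the MESSAGES array and the user ids are hypothetical; the example goes slightly beyond the patch by failing closed for anonymous visitors and by returning the same result for a missing message and for someone else's message.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the private-message table.
const MESSAGES = [
    1 => ['from_userid' => 10, 'to_userid' => 20, 'msg_text' => 'hello'],
    2 => ['from_userid' => 30, 'to_userid' => 40, 'msg_text' => 'for uid 40 only'],
];

/**
 * Build the quoted reply text for a message, or return null when the
 * caller is not allowed to read it. $currentUid is null for a visitor
 * who is not logged in. (Hypothetical helper, not a XOOPS function.)
 */
function replyQuote(array $store, $rawMsgId, ?int $currentUid): ?string
{
    // An anonymous visitor owns no messages: refuse before any lookup.
    if ($currentUid === null) {
        return null;
    }

    // Accept only a positive integer id, whatever the request supplied.
    $msgId = filter_var($rawMsgId, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($msgId === false || !isset($store[$msgId])) {
        return null;
    }

    $pm = $store[$msgId];

    // The check the vulnerable branch lacked: only the recipient may quote
    // the message. Returning null here, exactly as for "not found", keeps
    // the response from revealing which ids exist.
    if ($pm['to_userid'] !== $currentUid) {
        return null;
    }

    return "[quote]\n" . $pm['msg_text'] . "\n[/quote]";
}

// uid 20 is the recipient of message 1 but not of message 2.
var_dump(replyQuote(MESSAGES, '1', 20));   // recipient: quote is built
var_dump(replyQuote(MESSAGES, '2', 20));   // someone else's message: refused
var_dump(replyQuote(MESSAGES, '2', null)); // not logged in: refused
```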