
Multiple vulnerabilities in Oxwall 1.7.0 (build 7907) | Forum

LiquidWorm Jul 23 '14
Hello,

I want to report several high risk vulnerabilities in the latest release of Oxwall. These include: Remote Code Execution (RCE), Cross-Site Request Forgery (CSRF/XSRF) and Persistent Cross-Site Scripting (XSS).

Please reply to the two e-mails I sent previously, to which I haven't received any response. There will be an official advisory release for these issues.

Thanks,
ross (Team) Jul 24 '14
Liquid, to which e-mail did you send the messages? As to the risk vulnerabilities, can you please provide examples or the exact spot in the code? That would be great.
LiquidWorm Jul 24 '14
I've sent e-mails from: http://www.oxwall.org/contact

Please contact lab@zeroscience.mk for further details.

Exact spot in the code:
--
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.xml|\.feed|robots\.txt|\.raw|/[^.]*)$  [NC]
--
Kяuncн (Leader) Sep 29 '14
Not sure if the recently discovered vulnerabilities have been fixed/addressed since 1.7.0 (builds 7907 and 7906), but if not, here is some information on these 2 discoveries:
Multiple CSRF And HTML Injection Vulnerabilities
and
Remote Code Execution Exploit: Oxwall 1.7.0 - Remote Code Execution Exploit


The Forum post is edited by Kяuncн Sep 29 '14
ross (Team) Sep 30 '14
These issues have already been addressed and fixed in 1.7.1.
Kяuncн (Leader) Sep 30 '14
Awesome stuff, thanks.