51
sum
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/15 19:41

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12


In the range that I understand,
(There is a gap on the first or less at the date because local time has mixed.)

This security hole was reported by the third party in the forum on a certain site on January 17.
(you can find google's cache)
Module author's wjue recognized this problem on the same day.
And, corrected new version 1.2.2 is released on January 28.

A part of site where it does it and back and forth and this module was used:
- SourceForge.jp : on January 21
http://sourceforge.jp/forum/forum.php?forum_id=4153
- Deg-fanclubsued.de : on February 5.
http://www.myxoops.org/modules/newbb/viewtopic.php?topic_id=1899&forum=13
The crackings were tried. The falsification was actually done for Sorceforge.JP.

This report has been submitted addressed to the server manager by the third party on February 3.
Though it seemed to have taken measures on the same day,
there was no report in XOOPS Japanese team at this point.

This matter was suddenly posted in the Sorceforge.JP forum on February 13.
And all users of Sorceforge.JP also got the report by mail.
It was reported in the Slashdot.JP and a part of mass communication in response to this.
- http://slashdot.jp/article.pl?sid=04/02/13/0821250&topic=92
- http://internet.watch.impress.co.jp/cda/news/2004/02/13/2089.html
- http://www.itmedia.co.jp/enterprise/0402/13/epn04.html

We (XOOPS Japanese team) began investigating panicking, it tempered with the influence level to XOOPS in Japan, and it announced to public by news in the exception on February 13.
- http://www.xoopscube.jp/modules/news/article.php?storyid=195
And, because the part where the correction was insufficient was discovered by 1.2.2 when investigating,
The report was submitted from Onokazu to Module author's wjue.
Therefore, we think the posted patch code to be a temporary, to the private patch.

GIJOE - he is not member of XOOPS Japanese team - started this thread on February 13.
(It is the February 14 actually considerable from announcing to public of Japanese team.)
If GIJOE did not start up this thread, I will have been setting up the thread of this matter first.

The following settlement is in this thread.

# I'm tired to write...

I want to say,
- Do not say that someone is bad.
(Excluding the crackers)
- Let's discuss the problem in the entire XOOPS community.
(I think that the bug tracking and advisory of security are insufficient.)
- A lot of sites where the hole remains still exist.
(Shut your hole early by fix! )

52
GIJOE
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/15 20:50

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

sum wrote:
I want to say,
- Do not say that someone is bad.
(Excluding the crackers)
- Let's discuss the problem in the entire XOOPS community.
(I think that the bug tracking and advisory of security are insufficient.)
- A lot of sites where the hole remains still exist.
(Shut your hole early by fix! )

I agree with you entirely.

And this wiki is a very useful information made by minahito who is one of the most respectable programmer.
I'm happy if someone translate the article into English and write it into Wakka of wiki.xoops.org

53
wjue
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/15 22:21

  • wjue

  • Quite a regular

  • Posts: 315

  • Since: 2002/8/3 7


No, I received a PM with a proposition for fixe on feb 14, many messages had been exchanged here. And my own fixe is released on feb 15. I wonder Who was frustrated.

wjue


Quote:

sunsnapper wrote:
I think it is worth noting that a fix was made, so there is no great cause for alarm. If I am reading the thread correctly, a fix was sent to the developer, but, not released by the developer... hence the frustrated post here. Most of the rest of the "heat" of this thread has been caused by communication difficulties... with people struggling with English, I try to overlook the lack of diplomatic language.

54
DonXoop
Re: Security fix of Agenda-X - No Panic needed - Just apply fix

less arguing, more coding.

The fix is in, all is right with the world. At least on this side. Not so sure about the other side of the planet. There is more to this story. But I'm not interested in the gossip, only safe apps.

I had another crack attempt last night. This time from a .mil IP owned by the Pentegon. All they got was my Fear the Penguin page. Just like the 20 before.

Best way to impress me with competting calendars is to make yours better.

Time to lock the thread and get back to the keyboard....

55
Chainsaw
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/15 22:35

  • Chainsaw

  • Quite a regular

  • Posts: 304

  • Since: 2003/9/28


I second that motion. Drink some tea everyone. Tea is good for you.

56
sum
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/16 9:13

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12


I drank tea, drank Chinese tea, and drank Japanese tea:
while each thinking of person's situation.

I built up new topic for speaking it having been made think by this matter.
Where is the problem? (report, advisory, and the mediation of the security bug)

Please give the discussion and the suggestion.

Thanks,

57
arianet
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/16 15:57

  • arianet

  • Just popping in

  • Posts: 5

  • Since: 2004/2/3 9


I was happy whith the "panic" warning. In Germany several sites have been cracked. Because of my hoster, I have no possibility to set register_global off and at least 7 people came to my site on friday with the search string "allinurl:/ag*****/" in Google, before I removed the modul. So it is very easy to find sites to crack.

58
GIJOE
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/16 20:22

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi arianet.

I'm happy my warning was useful for you.

For a security for all of XOOPSers, I will perform the villain with pleasure.

59
Ace_Armstrong
Re: Security fix of Agenda-X - No Panic needed - Just apply fix

Ya know, GIJOE, it's not the fact that you pointed out a security flaw in what was an unnecessarily abrasive manner that's the real problem. The problem is that it seems every other post of yours is some kind of disparaging remark about wjue or his modules, or some kind of unnecessary (and frankly immature) bravado about how you (for some unfathomable reason) think your modules are the end-all be-all of programming. It's your overall attitude that's making people see you as the villain, not this isolated incident.

Your attitude has historically been one that has been extremely negative, and your attitude--more than any security flaw in some module--is what is destructive to this project. I don't know if you have some kind of personal issue with wjue, or just an overinflated ego, or what, but you really need to get over it and start being a team player. A little maturity will go a long ways.

60
ByGreen
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/17 10:59

  • ByGreen

  • Just popping in

  • Posts: 7

  • Since: 2003/7/23


Quote:

Ace_Armstrong wrote:

Your attitude has historically been one that has been extremely negative, and your attitude--more than any security flaw in some module--is what is destructive to this project.


Yes, it's the attitude that matters. Far more than any other issue.

Login

Who's Online

394 user(s) are online (99 user(s) are browsing Support Forums)


Members: 0


Guests: 394


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Oct 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits