Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
8 - 5 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
   

Re: Protector Module in XOOPS 2.4.4
by ghia on 2010/7/7 21:02:44

And if you want the 3.41 corrections, as said before, add them yourself in the files, as they are rather small.
Re: Protector Module in XOOPS 2.4.4
by trabis on 2010/7/7 20:53:49

Quote:

What I heard:
= If you can have a true trust path outside root, use whatever GIJoe version of Protector you want, but include the pre-/post-check code in mainfile.
= If you must have xoops_lib and trust path inside the doc root, use the module 3.40x as included with the XOOPS release.


You've heard fine!
Re: Protector Module in XOOPS 2.4.4
by mboyden on 2010/7/7 20:00:31

Thanks for the response trabis!

trabis wrote:Quote:
If you have your xoops_lib in a private folder and you do not mind to hack mainfile, there is no reason to use xoops version of protector.
If I understand, should I decide to use the 3.41 (non-xoops244-ified) versions, then I should use the pre-/post-check code per the instructions (I'd disabled those for the moment while doing some integration and regression testing, so will re-enable them). And I don't mind hacking mainfile. I use the xoRewriteModule, too.

Quote:
GIJoe is very clear on saying that protector is not to be used on public folder. Unfortunatly, not every user have permissions to do so. For those users, the original protector module is not useful since it allows hackers to do directory travessal.
Understood. I'd suggest changing hosting providers since it's easy and cheap to find, but I also understand providing a solution for those who are constrained to using inherently insecure setups.

Quote:
I thought I was clear enough on what was added and why.
I'm obviously a touch dense. Thanks for the clarification.

What I heard:
= If you can have a true trust path outside root, use whatever GIJoe version of Protector you want, but include the pre-/post-check code in mainfile.
= If you must have xoops_lib and trust path inside the doc root, use the module 3.40x as included with the XOOPS release.

Thanks again!
Re: Protector Module in XOOPS 2.4.4
by trabis on 2010/7/7 18:28:01

Quote:

mboyden wrote:
Yeah, I'd done a DIFF of the 3.40 and 3.40x versions and didn't see much that said I needed to use 3.40x over 3.41. Since 3.41 is working fine, I don't see any real reason to use an older and customized version of Protector module (or any others for that matter).

If you have your xoops_lib in a private folder and you do not mind to hack mainfile, there is no reason to use xoops version of protector.

Quote:

I also don't understand why we would want to use a hacked version of a module that is constantly under development. Are we working with GIJoe to make the appropriate changes in the Protector module to work with all versions of XOOPS?

GIJoe is very clear on saying that protector is not to be used on public folder. Unfortunatly, not every user have permissions to do so. For those users, the original protector module is not useful since it allows hackers to do directory travessal.


Quote:

So, again, I'm trying to understand the purpose of the hacks, not the fact that it didn't change anything.

I guess the real question is: What do they ADD or do that is better than 3.40 or 3.41?


I thought I was clear enough on what was added and why.
Re: Protector Module in XOOPS 2.4.4
by mboyden on 2010/7/7 15:51:26

Yeah, I'd done a DIFF of the 3.40 and 3.40x versions and didn't see much that said I needed to use 3.40x over 3.41. Since 3.41 is working fine, I don't see any real reason to use an older and customized version of Protector module (or any others for that matter).

I also don't understand why we would want to use a hacked version of a module that is constantly under development. Are we working with GIJoe to make the appropriate changes in the Protector module to work with all versions of XOOPS?

Because the web is filled with dangerous crocodiles (script kiddiez and worse), we want to be able to keep our sites protected as best as possible and protect against the latest exploits. Since the Protector releases aren't synchronized with the XOOPS releases, it doesn't make sense to leave XOOPS installs vulnerable to the latest exploits requiring users to use hacks and do diffs and such. Also, the latest info I've read is that the preload aspects used in the 2.4.x and 2.5.x series (with an end-of-life in 2.6.x series) may be dropped or changed altogether.

So, again, I'm trying to understand the purpose of the hacks, not the fact that it didn't change anything.

I guess the real question is: What do they ADD or do that is better than 3.40 or 3.41?

Who's Online

147 user(s) are online (127 user(s) are browsing Support Forums)


Members: 0


Guests: 147


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits