1
chriswe
Security with Xoops Protector 2.57!?
  • 2007/1/13 10:29

  • chriswe

  • Just popping in

  • Posts: 37

  • Since: 2007/1/12


Hi,

I just read the comments from the download of XOOPS Protector 2.52 and it seems that there were a lot of problems or bugs. I don't have that much experience and don't want any problems with a module like that. Did anyone have problems with the version 2.57 and would you suggest using it for someone with no experience?

2
Anonymous
Re: Security with Xoops Protector 2.57!?
  • 2007/1/13 10:40

  • Anonymous

  • Posts: 0

  • Since:


I run it on 2.0.16 without problem. IIRC, there's less faffing about with this version from an installation point of view, i.e. no blocks to install.

I found the instructions slightly confusing with regard to editing mainfile.php but if you search the forums you'll find the definitive answer.

3
carnuke
Re: Security with Xoops Protector 2.57!?
  • 2007/1/13 11:40

  • carnuke

  • Home away from home

  • Posts: 1955

  • Since: 2003/11/5


chriswe, I can understand you being cautious about installing modules etc. You've made 3 posts here, so I guess you are somewhat inexperienced with xoops. My advice is always, install a local environment of XOOPS using something like WAMP and experiment with a local version of XOOPS first.

Read presentation to find out more about wamp. Put simply wamp provides a basic but complete webserver on your computer that is the same as your host offers. This allows you to run a complete version of XOOPS (or other webserver scripts).

This will get you used to all kinds of operations and procedures, without fear of messing up a production site.

Xoops protector is IMHO an essential module and ideally should be integrated into every installation.
http://houseofstrauss.co.uk Resource for alternative health and holistic lifestyle
search xoops

4
chriswe
Re: Security with Xoops Protector 2.57!?
  • 2007/1/14 0:24

  • chriswe

  • Just popping in

  • Posts: 37

  • Since: 2007/1/12


ok, I installed the module... But how do I fix these security risks?

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.


'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager

5
MadFish
Re: Security with Xoops Protector 2.57!?
  • 2007/1/14 5:59

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


You can download a (draft) manual for Protector 2.57. Has instructions on how to address the security advisories.

I'm still stuck on one or two things (yellow highlights). Would appreciate it if people could help 'fill in the gaps' so that I can finish it.

6
chriswe
Re: Security with Xoops Protector 2.57!?
  • 2007/1/14 23:04

  • chriswe

  • Just popping in

  • Posts: 37

  • Since: 2007/1/12


madfish,

The first one which is marked yellow is 'session.use_trans_sid'. I fixed it. It works the same way as 'register_globals': you just have to include "php_flag session.use_trans_sid off" in the .htaccess in the root directory.
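An added example, not part of any post in this thread and not Protector's own code: a small audit of the `php_flag` / `php_admin_flag` lines discussed in posts 4 and 6, showing which of them can take effect from `.htaccess` and which need `httpd.conf` or php.ini. It assumes PHP runs as an Apache module (mod_php); the `audit` function and both sample files are constructed for illustration.

```python
import re

# Changeable mode of each setting named in the thread (per the PHP manual):
# SYSTEM = php.ini / httpd.conf only; PERDIR and ALL may also be set in .htaccess.
MODES = {
    "allow_url_fopen": "SYSTEM",
    "register_globals": "PERDIR",
    "session.use_trans_sid": "ALL",
}
# Comment lines start with '#', so they never match this pattern.
DIRECTIVE = re.compile(r"^\s*(php_admin_flag|php_flag)\s+(\S+)\s+(\S+)\s*$", re.I)

def audit(text, context):
    """Return {setting: verdict} for one config file.

    context is "server" (httpd.conf / vhost) or "htaccess".
    """
    verdicts = {name: "not set here" for name in MODES}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m or m.group(2) not in MODES:
            continue
        directive, name, value = m.group(1).lower(), m.group(2), m.group(3).lower()
        if context == "htaccess" and directive == "php_admin_flag":
            verdicts[name] = "invalid: php_admin_flag is not allowed in .htaccess"
        elif context == "htaccess" and MODES[name] == "SYSTEM":
            verdicts[name] = "no effect: system-level setting, use php.ini or httpd.conf"
        else:
            # mod_php treats "on" or "1" as true and anything else as false.
            verdicts[name] = "on" if value in ("on", "1") else "off"
    return verdicts

# Constructed sample files (not taken from any server in the thread).
HTACCESS = """\
php_flag register_globals off
php_flag session.use_trans_sid off
# The next line is accepted by Apache but does not change the setting:
php_flag allow_url_fopen off
"""
HTTPD_CONF = "php_admin_flag allow_url_fopen off\n"

if __name__ == "__main__":
    for ctx, text in (("htaccess", HTACCESS), ("server", HTTPD_CONF)):
        for name, verdict in audit(text, ctx).items():
            print(f"{ctx:9} {name:24} {verdict}")
```

After changing any of these, reload Protector's security advisory page to confirm that the value PHP reports has actually changed.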

7
MadFish
Re: Security with Xoops Protector 2.57!?
  • 2007/1/15 1:52

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


Many thanks, I'll add it to the doc.
