Support Forums - All Posts - XOOPS Web Application System

1

Re: Site hacked!

2005/8/11 19:53
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

Quote:

martyras wrote:
The problem was found with the help of the hosting company. It appeas that was an exploit at templates_c folder. When we deleted the files from within, the message went away. Is there a known patch for that? I haven't followed the forums for a while so I didn't know about any particular exploit.

templates_c ?
Perhaps, it's just a back-door put by the attacker.

Crackers can access your site as administrators quite easily, if you runs XOOPS < 2.0.9.2 without Protector.

To prevent another back-doors, you'd better install XOOPS cleanly after backing up.

2

Re: A typo and a request about blockinstance

2005/8/10 20:01
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

hi skalpa.

Thanks for your reply.
Quote:

We'll see this as soon as possible. And I like the title idea too, I'll see what can be done (maybe even visibility would be nice if possible).

It's a nice idea to controlling visibility by show_func().

But show_func can hide itself only by returning array() even in 2.0.13 or 2.2.1

Block's show_func

- can refer
---- its `instanceid`
---- its original `title` (eg. "events in %s")

- can change
---- its `title` (eg. "events in 26 Aug 2005")
---- its visibility

3

A typo and a request about blockinstance

2005/8/10 9:31
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

hi.

It is good idea to divide blockinstance from newblocks.

And it is good idea too, to assign not only `title` and `content` but also `id`(=instanceid),`typeid`(=bid),`weight`.

But typeid(=bid) is never assigned in XOOPS 2.2.1.

This is a typo in end of kernel/blockinstance.php


while ( $myrow = $this->db->fetchArray($result) ) {

                $newblock = false;

                if (!isset($blocks[$myrow['bid']])) {

                    $blocks[$myrow['bid']] =& $block_handler->create(false);

                    $newblock = true;

                }

                $instance =& $this->create(false);

                $instance_vars = array_keys($instance->getVars());

                foreach ($myrow as $key => $value) {

                    if ($newblock && !in_array($key, $instance_vars)) {

                        $blocks[$myrow['bid']]->assignVar($key, $value);

                    }

                    else {

                        $instance->assignVar($key, $value);

                    }

                }

[color=ff0000]                $blocks[$myrow['bid']]->assignVar('bid', $myrow['bid']); [/color]

                $instance->setBlock($blocks[$myrow['bid']]);

                $ret[] = $instance;

                unset($instance);

            }

        }

        return $ret;

    }

}

The key -bid- should be registered in both $instance and $blocks[].

And this is the main issue.
Some blocks (eg. minical_ex in piCal) have to know their instanceid. (`bid` in 2.0.x)

In 2.0.x, I used $GLOBALS['block_arr'][$GLOBALS['i']]->getVar('bid') .
But in 2.2, it is useless.

Please implement some way for blocks to know instanceid of themselves.

eg) kernel/blockinstance.php line 109
from:


$block = $show_func($options);

to:


$block = $show_func($options+array('instanceid'=>$this->getVar('instanceid')));

The block can know its instanceid by $options['instanceid'].

This is MUST feature to modify my modules as fully compatible with XOOPS 2.2.

I'm glad if you also implement some way for show_func to change block's title dynamically.

Regards!

4

2 little(?) bugs

2005/8/7 2:55
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

- Fields in the table of configcategory is not removed by uninstalling the module.

- line 193 of include/common.php


[d]

        if (function_exists('session_cache_expire')) {

            session_cache_expire($xoopsConfig['session_expire']);

        }

[/d]

[color=ff0000]

        @ini_set('session.gc_maxlifetime', $xoopsConfig['session_expire'] * 60);[/color]

This wrong coding is caused by just a misunderstanding.

2.2 has a better architecture than older 2.0.x but I can't say this is a STABLE release yet

Good Job! and Gambare!

5

Re: Xoops On Crack?

2005/1/6 9:07
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

hi Predator.

At first, I apologize to you about my absence of developping newbb2 whatever I promised.

Quote:

Quote:

GIJOE wrote:
Moreover, I don't like the interfaces of newbb2.
It works quite buggy with IE5.

In which way? Can you give more infos to this statment, so we can fix this.

As I wrote.

with IE5...
- Can't display drop-down of javascript (often success, often fail)
- Often redirect somewhere after 0-30sec viewing
- Some threads can be read at all.(403 error)

Anyway newbb2 uses too many javascript.
How can I change 'older'->'newer' if javascript is disabled?

I believe javascript should be a hobbit instead of shoes workman himself.

Quote:

So would be nice to now where the point are in the newbb 2.0 which shall be insecure so we can fix them. The issues which has Onokazu discribed on dev.xoops.org are added and fixed and comes with the Newbb 2.0.1 which will then the official release, if there are more please send me a hint by PM or email, so it can be fixed.

Perhaps, it's just losing the point.
minahito reported that 2.0.1 patches strange point instead of the point of XSS injection.
I'll tell you if I have vacant time.

6

Re: Xoops On Crack?

2005/1/6 8:50
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

hi minahito.
It sounds strange I talk to you in English

Quote:

A user who doesn't set up 'XOOPS_PREFIX' at random will be helped by this script. this script changes 'XOOPS_PREFIX'. but, there is risk, because there is no English document.

Don't mind.
Already I've translated it.

see the thread.
XOOPS_DB_PREFIX' clarification

brash made more modified one though I've never tested yet.

I hope it is added into XoopsFAQ.

7

Re: Xoops On Crack?

2005/1/6 8:42
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

Quote:

Mithrandir wrote:
Ok, thanks - did wonder if a "GTicket" was a term that was universally accepted

Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess? I notice that you use it together with __FILE__ - but that is something a clever hacker could find out, isn't it? Or is it simply that it will make it even more annoying to figure out, when combined with the time and the other things going into the encryption?

Where do I use __FILE__ as salt ?
I use __LINE__ instead of __FILE__.
Although __FILE__ of caller is static, __LINE__ of caller is variable by the version of the file. (it makes harder to guess)

The other topics have been already written by nobunobu. (Thanks!)

Quote:

nobunobu wrote:
In GTicket system logic, token is generated with timestamp and PATH Enviroment variable and XOOPS_DB_PREFIX , for other user hard to guess.

GIJOE and we know, many XOOPS users use XOOPS_DB_PREFIX leaving default value "xoops", and
Using default XOOPS_DB_PREFIX is weak, if some module has SQL Injec vulnerability.
So, GIJOE recommends , XOOPS users should use their own XOOPS_DB_PREFIX string.
("Oreteki" installer makes random string for XOOPS_DB_PREFIX default).

This is just what I want to say

I think it is enough to preventing from malious guessing by these combination.
__LINE__ * microtime() * XOOPS_DB_PREFIX * $_SERVER['path']

8

Re: Auto login hack + Login using email.

2005/1/5 20:35
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

hi sudhaker

I've just found it.
It sounds good and I'll check your hack.

I'm also thinking how to make auto-login much secure.

9

Re: Xoops On Crack?

2005/1/5 20:21
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

hi Mithrandir.
Quote:

I will work on implementing XoopsGTicket in 2.1 as well.

'G' just means my personal use.

Please name them gerenally for the core.

class XoopsTicket instead of XoopsGTicket
$_SESSION['XOOPS_STUBS'] instead of $_SESSION['XOOPS_G_STUBS']
$_POST['XOOPS_TICKET'] instead of $_POST['XOOPS_G_TICKET']

10

Re: Xoops On Crack?

2005/1/5 10:29
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

And the second step,
Use ticket system for preventing it from CSRF.

(Protector is fundamentally good-for-nothing against CSRF)

The class of XoopsGTicket will be a good sample for you.

Don't forget adding the ticket into not only posting stage but also previewing stage.

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Forum Index

Re: Site hacked!

Re: A typo and a request about blockinstance

A typo and a request about blockinstance

2 little(?) bugs

Re: Xoops On Crack?

Re: Xoops On Crack?

Re: Xoops On Crack?

Re: Auto login hack + Login using email.

Re: Xoops On Crack?

Re: Xoops On Crack?

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}