11
kevinv
Re: Securing / Hardening XOOPs - Strategies, Experiences, Tips ?
  • 2004/3/9 3:02

  • kevinv

  • Friend of XOOPS

  • Posts: 44

  • Since: 2003/1/4 1


It really depends on how secure you want to make it. For example, creating a completely closed site where user registration must be approved by you would be a good first step.

Removing the ability of anonymous users to do things like post comments is one of the next steps.

There shouldn't be that many 777 directories any more. The main cache one, plus some modules require them (something I would like to see go away). Make sure there is a read-only index.html file in each of those directories that forces users attempting to directory browse back to the page they came from.

A hosting service that runs an apache instance for each hosted site, with its own user id. Most don't do this, instead all the hosted sites run under one instance of apache that uses one user id -- meaning any chmod 777 directory can be written by somebody else's site.

Be careful of add-on modules.

Watch your logs.

Anybody set up tripwire for a XOOPS install? That's one of the things I'm looking at.
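
An added example, not part of kevinv's post: a POSIX shell function that audits a web root for the two checks the post describes, world-writable (777-style) directories and a read-only index.html in each of them. The function name `audit_webroot` and the OK/MISSING/WRITABLE labels are assumptions made for this example.

```shell
#!/bin/sh
# audit_webroot ROOT
# Lists every world-writable directory under ROOT and reports, per directory:
#   OK <dir>        index.html exists and has no write bits set
#   MISSING <dir>   no index.html, so the directory may be browsable
#   WRITABLE <dir>  index.html exists but can be modified
# Returns 0 when every listed directory is OK, 1 otherwise.
# Assumes directory names contain no newlines.
audit_webroot() {
    root=$1
    report=$(
        # -perm -002 matches any directory writable by "other" (777 included).
        find "$root" -type d -perm -002 | sort | while IFS= read -r dir; do
            idx="$dir/index.html"
            if [ ! -f "$idx" ]; then
                echo "MISSING $dir"
            # Test the mode bits rather than [ -w ], which is always true for root.
            elif [ -n "$(find "$idx" \( -perm -200 -o -perm -020 -o -perm -002 \))" ]; then
                echo "WRITABLE $dir"
            else
                echo "OK $dir"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    if printf '%s\n' "$report" | grep -q -E '^(MISSING|WRITABLE) '; then
        return 1
    fi
    return 0
}

# Run directly as: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

The list of world-writable directories it prints is also the set of paths worth watching most closely with a file-integrity tool.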



12
kevinv
Can XoopsMailer send attachments?
  • 2004/3/5 0:55



Can the XoopsMailer send an e-mail message with an attachment?



13
kevinv
Re: Two of same module?
  • 2004/1/18 23:43



Quote:
You can make duplicate modules, but it involves renaming all the fields in the database for the duplicate etc, which sounds very complicated if you don't know MySQL like me.


Isn't it easier just to modify the duplicate to use a new table in the database rather than renaming all the fields?

Not that this would be an easy task, but it's got to be simpler than finding every line of code calling out a particular field.

I think you can accomplish this for the news module by editing the xoops_version.php and giving some new table names. Then just install the new module.

Hmmm, does module code reference the names in the xoops_version.php or are they hard coded? If hard coded you might be able to slip in some code to modify the XOOPS table prefix and not have to change anything else in the module.



14
kevinv
Re: Using smarty in module's admin menu?
  • 2004/1/1 2:54



It's your module, I imagine it's ok to do whatever you want.

I don't know of a reason not to use them. Can anyone else provide a reason not to?



15
kevinv
Re: My xoops went kaplooey
  • 2003/12/31 20:39



I wonder if the file got corrupted somehow. Have you tried replacing the file from a clean download of 2.0.3?



16
kevinv
Xoops 2.0.5.1 XSS attack?
  • 2003/12/23 2:04



Just saw a post from yesterday on bugtraq that XOOPS 2.0.5.1 web link module has an XSS bug.

Are the XOOPS developers aware of this? Is it a real issue? (I've not tested on my install yet)

Security Focus Bugtraq Archive



17
kevinv
Re: module to install modules
  • 2003/12/18 0:43



That is pretty darn cool. Does it have the ability to download from another site instead of upload via the interface? (although upload is definitely a must too!)

Kevin

p.s. make smaller screenshots that makes screen scroll all over and is half empty....



18
kevinv
module to install modules
  • 2003/12/17 1:05



Just had this idea, but I don't have the programming know how to pull it off (nor the time to figure it out at the moment). Thought I would throw this out to anyone who wants to take it up.

I thought it would be neat to be able to do installs of modules from the internet via the modules interface or a special module. Perhaps some of the simpler XOOPS updates (like 2.0.5 to 2.0.5.1) could be made available this way too.

The way it would work (in my mind): a module developer would register her/his module with a central repository. The repository would be made available via a RSS feed.

The module interface (or module module) would use the rss feed to show what modules are available. The admin would pick the module to install and via the info in the rss field, go grab it and put it in the proper place and install it.

If an update became available the admin would be notified the next time the module module was used.

The biggest problem I see is that the files would be installed as the same user that the web server runs as. Not sure if it would be possible to prompt for a username/password and chmod after download (really not sure how to fix this under IIS).

Things I would like to see in the module rss feed:
  • Module Name
  • Module Version
  • Module Developer
  • Module License
  • Module Description
  • Module Sample Page
  • Module Download

Kevin



19
kevinv
Testing for an installed module during install?
  • 2003/11/24 21:04



I'm working on a small module that requires another module be installed first. Is it possible in the xoops_version file to test if a module (or a table) is already installed and give an error message if it isn't?



20
kevinv
Re: Complete Uninstall
  • 2003/11/10 21:21



Delete the files and delete the database (and tables) in MySQL.

If you're done with Apache altogether on your machine, go into System Preferences, Sharing and turn off Personal Web Sharing. That will disable (but not remove) Apache & PHP.

Depending on how you installed MySQL, if it auto-starts you may want to turn that off too.

For complete removal instructions on MySQL, I'd look at their documentation.



