101
GIJOE
Re: Gallery link oddness
  • 2004/4/24 8:50

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi Jim_H.
Quote:

I've installed XOOPS 2.0.6 with the IPB forum. Everything seems to work well except I have a link at the top of the page to "Gallery". When I click the link, I get a not found page saying the URL to "myalbum" was not found.

Any ideas what this is or how to edit the link would be appreciated.

Perhaps it is the theme's issue.
You can edit your theme and remove the link yourself.

Or it is possibly a nice idea to install myAlbum-P.



102
GIJOE
Re: MyAlbum 2.65
  • 2004/4/24 8:41



hi Brassman.

You should edit "Global Permissions" in myAlbum-P's admin to allow Guests to post.

And the module's name is not myalbum but myAlbum-P.
thanks.



103
GIJOE
Re: Unable to install myalbum. Error(s): Unable to write to main menu.
  • 2004/2/16 20:43



hi verbl.

There are some reasons why the error message is shown.

1) Setting errors of directory permissions.
The permissions of cache/ template_c/ uploads/ must be set as writable.

2) Referer removed
Some security software (e.g. Norton Internet Security) disables the browser's referer.
It prevents your XOOPS from installing modules.



104
GIJOE
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/16 20:22



hi arianet.

I'm happy my warning was useful for you.

For the security of all XOOPSers, I will play the villain with pleasure.



105
GIJOE
Re: Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/15 20:50



Quote:

sum wrote:
I want to say,
- Do not say that someone is bad.
(Excluding the crackers)
- Let's discuss the problem in the entire XOOPS community.
(I think that the bug tracking and advisory of security are insufficient.)
- A lot of sites where the hole remains still exist.
(Shut your hole early by fix! )

I agree with you entirely.

And this wiki is very useful information made by minahito, who is one of the most respectable programmers.
I'd be happy if someone translates the article into English and writes it into the Wakka of wiki.xoops.org



106
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 5:49



Quote:

If you believe you are capable of fixing the security hole, confident that wjue is unable to fix it, why don't you help wjue make the secure Agenda-X....

Of course, I can repair the hole.
But the correct patch had already been released by onokazu, and he kindly sent it to wjue by email, as you know.
I believe that you can imagine the meaning and the importance that Onokazu makes a patch for only a third party module.

Unbelievably, wjue ignores onokazu's patch.

What could I do ?
What can I do ?

And you know that the patch reveals the holes for crackers.
If I had shown the patch here at first, many sites would have been cracked.

I am never disappointed with Olorin, because I believe you can understand what I mean.
Thanks.



107
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 5:26



hi Olorin.
Quote:
And it was quite natural of us to think GIJOE concealed the onokazu's post which solves this problem on purpose. I know you must have known the information on xoops.jp for the temporary fix when you started this thread....

I concealed ? Why ?
Do you know the article of news can't be quoted?
And I believe that you know the XOOPS meeting was held yesterday, and you must have seen the articles that I'm very busy with my daughter's kindergarten event.
I did my best about it.
As I wrote it, I believe that removing the files is the only way to protect all of XOOPS sites.
Can you imagine the cost to translate the news articles ?
([ code ] tags are not usable with my auto-translator.)
Since you've translated the article, you know it is too expensive for me.

The top priority for me is my family, followed by all XOOPSers.

Quote:
Well, what I want to say is that many people still use agenda-x, and they don't want to lose the data. However you suggested that they should remove agenda-x and use other alternatives, which results in abandoning the past data.

Do you read my articles carefully ?
I wrote "DEACTIVATE and REMOVE". I never wrote "UNINSTALL".
Do you think the data of Agenda-X will be lost?



108
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 4:45



hi Mithrandir.

I'm sorry to have unpleasant time for my articles.
But as I wrote in subject, it is an emergency security hole.
Thus I have no time to select gentle words.
(And because of my poor skills for English.)

Removing all files of the module is the only way to protect all XOOPS sites.
(Though .htaccess is a good way, not all XOOPS sites can use it.)

If register_globals is on, GPCS are registered as globals.
Although its vulnerability had been reported to wjue by well-skilled programmers like onokazu, he patched only G and says "sufficiently safe".

I feel that it is irreverent and unworthy of a module developer.

Quote:
I write modules, but I have NO idea, whether it is a secure one or if there are similar problems with them. Therefore, I would be very happy to get some more guidelines as to how to avoid opening security holes.

Of course, this is the most important thing.

----------------------------------------
the first operator of these functions:
include(), include_once(), require(), require_once()
should not be started by variables.
----------------------------------------

Though it differs accurately, pardon it by such an explanation please.
(I have little free time and little skill to explain the vulnerability plainly in English.)
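
The include rule and the "patched only G" point from the post above, as an added example that is not part of GIJOE's post and is not Agenda-X or XOOPS code. `MODULE_ROOT`, `ALLOWED_PAGES`, `resolve_page()`, `sources_supplying()`, the variable name `module_path` and the file names are hypothetical; "GPCS" is read as GET, POST, COOKIE and SERVER input.

```php
<?php
// Added illustration; all names and sample values here are hypothetical.

// Pattern the post warns about (kept as a comment, never executed):
//   include $module_path . '/language/english.php';
// With register_globals on, $module_path can be filled from GET, POST,
// COOKIE or SERVER input, so clearing only the GET copy leaves the rest.

// Hardened form: the first operand of include is a constant the script
// defines itself, never a variable that a request could populate.
define('MODULE_ROOT', __DIR__);

const ALLOWED_PAGES = ['calendar' => 'calendar.php', 'event' => 'event.php'];

// Map a requested page name to a fixed file through an allowlist.
function resolve_page(string $requested): ?string
{
    if (!isset(ALLOWED_PAGES[$requested])) {
        return null; // unknown name: the caller includes nothing
    }
    return MODULE_ROOT . '/' . ALLOWED_PAGES[$requested];
}

// List the request sources that carry a given variable name; under
// register_globals each of them would have become a global variable.
function sources_supplying(string $name, array $sources): array
{
    $hits = [];
    foreach ($sources as $label => $values) {
        if (array_key_exists($name, $values)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Constructed sample request: only the GET copy was filtered out.
$sample = [
    'GET'    => [],
    'POST'   => ['module_path' => 'constructed-value'],
    'COOKIE' => ['module_path' => 'constructed-value'],
    'SERVER' => [],
];

print_r(sources_supplying('module_path', $sample));
var_dump(resolve_page('calendar'));
var_dump(resolve_page('not-in-the-list'));
```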



109
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 4:20



hi wjue.

If you have free time to write such a meaningless article,
you should release 1.2.3 that is patched by Onokazu immediately.

Though I never refer to your human nature like you do,
you have to express gratitude to the Japanese XOOPS team - Onokazu & SUM -.
(Your thanks to me are unnecessary.)

The most important skill for module developers is not that he never makes holes,
but that he repairs the holes immediately when they are reported by another well-skilled programmer.



110
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 21:32



Quote:

wjue wrote:
I agree, scaring people in this manner is not a professional practice.

The security problem mentioned here occurs only if your PHP has register_global set to ON and "remote include" also set to on, "remote include" often causing security risk is well known. The latest version (1.2.2) I released is sufficiently safe. Users of 1.2.1 version can also adopt Onokazu's simple patch.

Amazed!
Do you think 1.2.2 is sufficiently safe under register_globals ON ?

If so, I have to say again "STOP USING WJUE's WORK".

You should read onokazu's kind patch again and again, and think where 1.2.2's hole is.



