21
GIJOE
Re: Xoops On Crack?
  • 2004/12/31 10:07

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

No, there isn't a Sentinel-like module for XOOPS. There is an Anti-DOS module though. One of the reasons there isn't a Sentinel module is that XOOPS has been quite secure (as opposed to PHP Nuke, for which the Sentinel module is written).

As for your other questions, please use the search feature; they have been solved many times before.


Herko.

I've just found your article.
And I've been disappointed in you as a member of the core team.

Obviously, XOOPS is not secure.

Although the critical one is patched in 2.0.9.2, many vulnerabilities stay there in the core and standard modules.

Moreover, we alert Herko again and again...

And have you tried "Protector" even once?
Anyone can find that Protector is not just an AntiDoS module at all.

I shall say again, Protector is a MUST module if you don't want to be cracked.



22
GIJOE
Re: Well...that was an annoying adventure
  • 2004/12/31 9:42



The easiest way to rescue the site is to access it from some IP that is not banned.
After this, disable the IP ban or remove the IP in the system admin.

If you can't, edit your database directly via phpMyAdmin etc.

TABLE: *_config
WHERE: conf_name = 'enable_badips'
SET: conf_value = 0


Anyway, AntiDoS-P is already dead.
After uninstalling it, install Protector instead.

Protector also has a rescue mode.



23
GIJOE
Re: MyAlbum
  • 2004/12/31 9:36



Which do you use, myAlbum or myAlbum-P?

If it's the latter, it's an operation error.

There is no modules/myalbum/.htaccess but only modules/myalbum/.htaccess.dist in myAlbum-P's archive.

Anyway, all you have to do is delete .htaccess.



24
GIJOE
Re: Is TinyD unavailable to anonymous users by default.
  • 2004/12/31 9:02



Perhaps you made some operation error.

Since TinyD uses myblocksadmin,
you can control access permissions easily.

Go to blocks&Groups in TinyD's admin.



25
GIJOE
Re: Protector installation
  • 2004/12/29 9:46



Quote:

Herko Coomans wrote:
Why is using the prefix 'xoops' a vulnerability??

A curious question.

Do you know the pattern of "SQL Injection"?

Since there are too many modules which have SQL Injection vulnerabilities, an attacker can easily get hashed passwords via some weak module like this:
http://[XOOPS-SITE]/modules/(weak_module)/?op=view&id=1%20UNION%20SELECT...FROM%20xoops_users%20...

If XOOPS_PREFIX is not 'xoops', such attacks are hard to succeed.

In fact, Protector has caught SQL injection patterns.
e.g.)
-1 UNION SELECT user_id, username, user_password FROM nuke_users/*

This is common sense at http://www.xoopscube.jp/
ORETEKI XOOPS -the most secure fork- generates XOOPS_PREFIX at random during installation.
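As an added example (my own code, not Protector's and not from GIJOE's post), here is the detection a defender would run over web access logs for the pattern above: it URL-decodes each query parameter, flags UNION SELECT, and reports which `<prefix>_users` table the request names, so you can see whether the attacker guessed the site's real XOOPS_PREFIX. It goes slightly beyond the post by also unwrapping a second layer of URL encoding; the log lines, the module path `weakmod` and the client addresses are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines for this example (not taken from the thread);
# the module path "weakmod" and the client addresses are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2004:09:46:01 +0900] "GET /modules/news/index.php?storyid=12 HTTP/1.1" 200 5123
203.0.113.9 - - [29/Dec/2004:09:46:07 +0900] "GET /modules/weakmod/?op=view&id=1%20UNION%20SELECT%20uid,uname,pass%20FROM%20xoops_users HTTP/1.1" 200 811
203.0.113.9 - - [29/Dec/2004:09:46:09 +0900] "GET /modules/weakmod/?op=view&id=-1+UNION+SELECT+user_id,username,user_password+FROM+nuke_users/* HTTP/1.1" 200 811
203.0.113.7 - - [29/Dec/2004:09:47:00 +0900] "GET /modules/myalbum/viewcat.php?cid=3 HTTP/1.1" 200 2211
"""

# Apache common-log-style request line: client ip ... "METHOD target PROTOCOL"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
UNION_RE = re.compile(r'\bUNION\b(?:\s+ALL)?\s+SELECT\b', re.IGNORECASE)
FROM_RE = re.compile(r'\bFROM\s+`?(?P<table>[A-Za-z0-9_]+)`?', re.IGNORECASE)


def decode_param(raw, rounds=2):
    """URL-decode repeatedly (bounded) so %2520-style double encoding cannot hide a keyword."""
    value = raw
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line, site_prefix):
    """Findings for one log line: (client ip, parameter, table named after FROM, prefix matches?)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, raw in parse_qsl(urlsplit(m.group('target')).query, keep_blank_values=True):
        value = decode_param(raw)  # parse_qsl decoded once already; catch a second layer
        if not UNION_RE.search(value):
            continue
        fm = FROM_RE.search(value)
        table = fm.group('table') if fm else None
        # With a random XOOPS_PREFIX the guessed table name does not exist, so the
        # UNION fails; the request is still an attack worth logging and banning on.
        hits_real_table = table is not None and table.startswith(site_prefix + '_')
        findings.append((m.group('ip'), name, table, hits_real_table))
    return findings


def scan_log(text, site_prefix='xoops'):
    """Scan a whole log; site_prefix is the site's configured XOOPS_PREFIX."""
    return [f for line in text.splitlines() for f in scan_line(line, site_prefix)]
```

Run `scan_log(SAMPLE_LOG)` with the default prefix and both injection lines are reported, the first one marked as naming the real table; with a random prefix such as `k3x9q` neither request names a table that exists.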



26
GIJOE
Re: Protector installation
  • 2004/12/29 5:34



It's easy to turn register_globals off if you use a good server.

.htaccess
php_flag  register_globals off


But many servers can't turn allow_url_fopen off via .htaccess.

If you use your own server, edit php.ini and restart httpd.

Changing XOOPS_PREFIX is possible but not so easy after installation.

The next Protector might have the feature.

And I say,

"Protector is the MUST module for all XOOPS even the recent 2.0.9"



27
GIJOE
Re: Headline 2.74 show errors !!!!
  • 2004/12/29 5:07



Don't worry about the Notice.

language/*chinese/headlinerenderer.php should be described for displaying news written in Chinese.



28
GIJOE
Re: Error Messages at bottom of Page
  • 2004/12/29 5:03



Don't worry about it.

All you have to do is uninstall and remove xoopsheadline.



29
GIJOE
Re: Last login times not updating
  • 2004/12/29 5:01



It looks like just a REFERER problem.
Have all of them installed Norton?

Try the xoops_refcheck() hack.

At least, my auto-login hack does not harm the recording of last login times.



30
GIJOE
Re: Patches for newbb 1.0 and PHP <= 4.3.9
  • 2004/12/24 21:33



The code I've pasted has a typo.

Use this instead of the older one.
diff -rc newbb_old/index.php newbb/index.php
*** newbb_old/index.php    Fri Jan 30 08:28:30 2004
--- newbb/index.php    Wed Dec 22 16:16:09 2004
***************
*** 
75,81 ****
              continue;
          }
          
// Read 'lastread' cookie, if exists
!         $topic_lastread = !empty($HTTP_COOKIE_VARS['newbb_topic_lastread']) ? unserialize($HTTP_COOKIE_VARS['newbb_topic_lastread']) : array();
          foreach ( 
$forums as $forum_row ) {
              unset(
$last_post);
              if ( 
$forum_row['cat_id'] == $categories[$i]['cat_id'] ) {
--- 
75,93 ----
              continue;
          }
          
// Read 'lastread' cookie, if exists
!         //$topic_lastread = !empty($HTTP_COOKIE_VARS['newbb_topic_lastread']) ? unserialize($HTTP_COOKIE_VARS['newbb_topic_lastread']) : array();
!         // GIJ start
!         if( empty( $_COOKIE['newbb_topic_lastread'] ) ) $topic_lastread = array();
!         else {
!             
$topic_lastreadtmp explode',' $_COOKIE['newbb_topic_lastread'] ) ;
!             foreach( 
$topic_lastreadtmp as $tmp ) {
!                 
$idmin explode'|' $tmp ) ;
!                 
$id = empty( $idmin[0] ) ? intval$idmin[0] ) ;
!                 
$min = empty( $idmin[1] ) ? intval$idmin[1] ) ;
!                 
$topic_lastread$id ] = $min 60 ;
!             }
!         }
!         
// GIJ end
          
foreach ( $forums as $forum_row ) {
              unset(
$last_post);
              if ( 
$forum_row['cat_id'] == $categories[$i]['cat_id'] ) {
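Review bot: the cookie parser between `// GIJ start` and `// GIJ end` in this hunk is repeated verbatim in the viewforum.php and viewtopic.php hunks below; move it into one function that all three files include, so a later change to the `id|minutes,` format is made once. The substitution itself is the right fix: `unserialize($HTTP_COOKIE_VARS['newbb_topic_lastread'])` hands attacker-controlled bytes to the deserializer, whereas `explode` on `,` and `|` followed by `intval` on each half can only produce integers, and a malformed pair ends up as 0, which `empty()` later treats as unread. Note also that operators and literals have dropped out of the pasted text (the `explode` calls have lost their opening parenthesis and argument comma, `$min 60` has lost its operator, presumably `*`, and the ternaries have lost their `0 :` branch), so this cannot be fed to `patch` as shown.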
diff -rc newbb_old/post.php newbb/post.php
*** newbb_old/post.php    Fri Jan 30 08:28:30 2004
--- newbb/post.php    Wed Dec 22 16:11:54 2004
***************
*** 
45,50 ****
--- 
45,53 ----
      }
      
$forumdata $xoopsDB->fetchArray($result);
  
+     
// GIJ Patch
+     if( empty( $forumdata['allow_html'] ) ) $HTTP_POST_VARS['nohtml'] = ;

      if ( 
$forumdata['forum_type'] == ) {
      
// To get here, we have a logged-in user. So, check whether that user is allowed to view
      // this private forum.
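Review bot: the literal on the right of `$HTTP_POST_VARS['nohtml'] = ;` did not survive the paste (nor did the one in `$forumdata['forum_type'] == )`), so the intended value has to be restored before this is applied. Forcing the flag server-side whenever `$forumdata['allow_html']` is empty is the correct place for the check, but it only takes effect if the posting code below reads `$HTTP_POST_VARS['nohtml']`; with register_globals on, a `$nohtml` global is already populated from the request before this line runs and is not changed by this assignment, so confirm which variable post.php actually consults.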
diff -rc newbb_old/viewforum.php newbb/viewforum.php
*** newbb_old/viewforum.php    Wed Feb  4 00:58:48 2004
--- newbb/viewforum.php    Wed Dec 22 16:12:32 2004
***************
*** 
192,198 ****
  }
  
  
// Read topic 'lastread' times from cookie, if exists
$topic_lastread = !empty($HTTP_COOKIE_VARS['newbb_topic_lastread']) ? unserialize($HTTP_COOKIE_VARS['newbb_topic_lastread']) : array();
  while ( 
$myrow $xoopsDB->fetchArray($result) ) {
  
       if ( empty(
$myrow['last_poster']) ) {
--- 
192,210 ----
  }
  
  
// Read topic 'lastread' times from cookie, if exists
//$topic_lastread = !empty($HTTP_COOKIE_VARS['newbb_topic_lastread']) ? unserialize($HTTP_COOKIE_VARS['newbb_topic_lastread']) : array();
// GIJ start
! if( empty( $_COOKIE['newbb_topic_lastread'] ) ) $topic_lastread = array();
! else {
!     
$topic_lastreadtmp explode',' $_COOKIE['newbb_topic_lastread'] ) ;
!     foreach( 
$topic_lastreadtmp as $tmp ) {
!         
$idmin explode'|' $tmp ) ;
!         
$id = empty( $idmin[0] ) ? intval$idmin[0] ) ;
!         
$min = empty( $idmin[1] ) ? intval$idmin[1] ) ;
!         
$topic_lastread$id ] = $min 60 ;
!     }
! }
// GIJ end
  
while ( $myrow $xoopsDB->fetchArray($result) ) {
  
       if ( empty(
$myrow['last_poster']) ) {
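Review bot: on the new side of this hunk the lines `//$topic_lastread = ...`, `// GIJ start` and `// GIJ end` carry no `!` marker, unlike the same lines in the index.php hunk, so `patch` treats them as context lines that are absent from the old file and rejects the hunk; mark them as changed lines. The parser body is the duplicate of index.php's and has the same dropped operators; see the note on that hunk.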
diff -rc newbb_old/viewtopic.php newbb/viewtopic.php
*** newbb_old/viewtopic.php    Thu Feb  5 03:43:44 2004
--- newbb/viewtopic.php    Wed Dec 22 16:15:28 2004
***************
*** 
348,354 ****
  
$xoopsTpl->assign(array('forum_jumpbox' => make_jumpbox($forum), 'lang_forum_index' => sprintf(_MD_FORUMINDEX,$xoopsConfig['sitename']), 'lang_from' => _MD_FROM'lang_joined' => _MD_JOINED'lang_posts' => _MD_POSTS'lang_poster' => _MD_POSTER'lang_thread' => _MD_THREAD'lang_edit' => _EDIT'lang_delete' => _DELETE'lang_reply' => _REPLY'lang_postedon' => _MD_POSTEDON));
  
  
// Read in cookie of 'lastread' times
$topic_lastread = !empty($HTTP_COOKIE_VARS['newbb_topic_lastread']) ? unserialize($HTTP_COOKIE_VARS['newbb_topic_lastread']) : array();
  
// if cookie is not set for this topic, update view count and set cookie
  
if ( empty($topic_lastread[$topic_id]) ) {
      
$sql 'UPDATE '.$xoopsDB->prefix('bb_topics').' SET topic_views = topic_views + 1 WHERE topic_id ='$topic_id;
--- 
348,366 ----
  
$xoopsTpl->assign(array('forum_jumpbox' => make_jumpbox($forum), 'lang_forum_index' => sprintf(_MD_FORUMINDEX,$xoopsConfig['sitename']), 'lang_from' => _MD_FROM'lang_joined' => _MD_JOINED'lang_posts' => _MD_POSTS'lang_poster' => _MD_POSTER'lang_thread' => _MD_THREAD'lang_edit' => _EDIT'lang_delete' => _DELETE'lang_reply' => _REPLY'lang_postedon' => _MD_POSTEDON));
  
  
// Read in cookie of 'lastread' times
//$topic_lastread = !empty($HTTP_COOKIE_VARS['newbb_topic_lastread']) ? unserialize($HTTP_COOKIE_VARS['newbb_topic_lastread']) : array();
// GIJ eliminated unserialize
! if( empty( $_COOKIE['newbb_topic_lastread'] ) ) $topic_lastread = array();
! else {
!     
$topic_lastreadtmp explode',' $_COOKIE['newbb_topic_lastread'] ) ;
!     foreach( 
$topic_lastreadtmp as $tmp ) {
!         
$idmin explode'|' $tmp ) ;
!         
$id = empty( $idmin[0] ) ? intval$idmin[0] ) ;
!         
$min = empty( $idmin[1] ) ? intval$idmin[1] ) ;
!         
$topic_lastread$id ] = $min 60 ;
!     }
! }
// GIJ end
  // if cookie is not set for this topic, update view count and set cookie
  
if ( empty($topic_lastread[$topic_id]) ) {
      
$sql 'UPDATE '.$xoopsDB->prefix('bb_topics').' SET topic_views = topic_views + 1 WHERE topic_id ='$topic_id;
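Review bot: `//$topic_lastread = ...`, `// GIJ eliminated unserialize` and `// GIJ end` lack the `!` marker here as well, so the hunk will not apply cleanly. The interaction with the view counter that follows deserves a comment: `if ( empty($topic_lastread[$topic_id]) )` now sees 0 for any tampered entry such as `123|abc` (both halves go through `intval`), so the worst a forged cookie can do is bump `topic_views` once more, an acceptable fail-safe compared with the `unserialize` it replaces.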
***************
*** 
356,362 ****
  }
  
// Update cookie
  // FIXME: doesn't check if 4kB limit of cookie is exceeded!
$topic_lastread[$topic_id] = time();
setcookie("newbb_topic_lastread"serialize($topic_lastread), time()+365*24*3600$bbCookie['path'], $bbCookie['domain'], $bbCookie['secure']);
  include 
XOOPS_ROOT_PATH.'/footer.php';
  
?>
--- 368,389 ----
  }
  // Update cookie
  // FIXME: doesn't check if 4kB limit of cookie is exceeded!
! // GIJ Patch begin
! //$topic_lastread[$topic_id] = time();
! //setcookie("newbb_topic_lastread", serialize($topic_lastread), time()+365*24*3600, $bbCookie['path'], $bbCookie['domain'], $bbCookie['secure']);
! $topic_lastread[$topic_id] = intval( ceil( time() / 60 ) ) * 60 ;

! arsort($topic_lastread);

! $counter = 250 ;
! $str4cookie = '' ;
! foreach( $topic_lastread as $id => $time ) {
!     $str4cookie .= intval( $id ) . '|' . intval( $time / 60 ) . ',' ;
!     if( -- $counter < 0 ) break ;
! }
! $str4cookie = substr( $str4cookie , 0 , -1 ) ;

! setcookie("newbb_topic_lastread", $str4cookie , time()+365*24*3600, $bbCookie['path'], $bbCookie['domain'], $bbCookie['secure']);
! // GIJ Patch end
  include XOOPS_ROOT_PATH.'/footer.php';
  ?>
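Review bot: the `// FIXME: doesn't check if 4kB limit of cookie is exceeded!` comment is left in place although `$counter = 250` now bounds the number of entries, and the bound is marginal: each entry is `id|minutes,`, minutes since the epoch is already 8 digits, so with 5- to 7-digit topic ids an entry is 15 to 17 bytes and 250 entries is 3750 to 4250 bytes, straddling the 4096-byte limit. Budget on `strlen($str4cookie)` inside the loop (or lower the counter) and update the comment. `arsort($topic_lastread)` before the loop is correct: it keeps the most recently read topics when truncating. Storing `intval( ceil( time() / 60 ) ) * 60` and writing `intval( $time / 60 )` are consistent with each other, and `substr( $str4cookie , 0 , -1 )` is safe because the current topic is assigned before the loop, so the string is never empty.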



