My provider is in the process of trying to migrate everyone to new (supposedly more secure) servers. We use shared hosting, and something else is not an option due to cost considerations for the non-profit organizations involved. There have been several severe impacts of this migration on my XOOPS installations. I have a workaround for one of the problems, but I still have two others that need resolution and I'd like other opinions please. I'll need to look for another provider if I can't find some satisfactory workaround.

Problem #1 (with workaround) -
The provider uses symlinks (or possibly mounts) to manage the physical path for the site's files.

This keeps debug_backtrace() from giving the same path as the path installed in XOOPS_ROOT_PATH. When mainfile.php has this checking turned on (which it is by default) the failed compare results in the message :
"XOOPS path check: Script is not inside XOOPS_ROOT_PATH and cannot run."

I've written the following workaround in mainfile.php to get the site minimally running, but since safe_mode is removed for PHP 6, I'm wondering if this attempt at protection is really too ineffective to bother using at all. What is the real value of this check, and is there any other way to do it?


Problem #2 (annoying, but not a show-stopper) -
Xoops creates file names for /cache and /templates_c that FTP clients such as FireZilla and WS-FTPPro are unable to delete from the new server.

Level 2 support at my provider tells me that the legacy platform uses a GRSEC infrastructure whereas the new platform uses LDAP, and that the file names contain characters that are illegal on the new servers. I know what LDAP is, but I'm not a UNIX geek and I can't understand why this would cause the FTP client to get a "550-Forbidden command argument" when trying to delete the file. The provider's web-based File Manager, logged in using the same FTP id/pwd, can successfully delete the files, but it is extremely difficult and time consuming to use.

Can anyone shed some light on what is happening here?

Problem #3 (a potential show-stopper) -
For security reasons, the provider will no longer permit any directories outside of the public_html tree to execute scripts.

This impacts the Protector module, and I'm wondering if there is any point in installing this module if the XOOPS_TRUST_PATH must be inside public_html. Doesn't that defeat one of its primary purposes?

Thanks for any comments or insights you may have.

Thanks, especially to Will_H, for the doc pointers. It turns out that the only issue was the one I mentioned, and due to the fact that I used XoopsPartners as a base for my own site-links module.

On to the next porting problem ...

No, I don't intend to ask to have it turned back on, even if I could. And no, I don't expect a list of all the modules that once were vulnerable.

I'm glad the XOOPS CORE is not a problem, and I am therefore concentrating on the modules. The list of vulnerable php functions is helpful in that search. Any other such functions someone cares to enumerate would be welcome.

Thank you.

Yes, it's *obvious* this is a good thing in terms of hacker protection. However, there are certainly issues with PHP code that will not work, or works differently, with allow_url_fopen truned off. And I'm certainly not golden here.

Here's one thing I've found already, and I'm sure more will follow as I test every single piece of every single page, both user and admin functionality.

The PHP function getimagesize() will not accept a URL, even one that is within my own site. This affects (at least my version of) XoopsPartners 1.1.

Perhaps all the various calls to fopen() in the system are benign, but I will have to check them also.

My hosting service has turned off allow_url_fopen for all shared host sites (which mine are). I've searched the XOOPS code base for usage of fopen() and although Protector prefers allow_url_fopen OFF, there seems to be a lot of fopen() usage throughout the system.

I'm currently using XOOPS 2.0.16, mostly with my own modules. Can anyone please comment on what in the base system I can now expect to stop functioning?

Thanks very much for your instructions. I managed to get XoopsEditor installed and working in my own content module (that used to use native FCKEditor installed inside the module admin). I simply changed the creation of the editor widget to

I can't see where $fckeditor_root is used, but I left it in anyway.

I've been looking at formfckeditor.php and editor_registry.php which XoopsEditor installed and trying to figure out how to set up the per-module configuration stuff which I will also need. Can you please explain how this is all hooked up in a non-Frameworks system. I really don't need the stuff in Frameworks, and would rather not have the footprint just to do wysiwyg editing in some admin pages.
- Is the installation of XoopsEditor sufficient to hook up this registry thing?
- What should my module do, if anything, to hook it up?
- What (other than the above) should my admin file have to activate this appropriately?
I'd also like to remove all the other wysiwyg editors from the installation if that is possible.

BTW- In exchange, I'd be glad to provide the Xoops-enabled newest FCKeditor version (2.4.3) for inclusion in the XoopsEditor package.

Thanks for the help.

These fixes address the following error :
Quote:
which is the result of incorrect select options coded in [xoops]/modules/system/xoops_version.php

I haven't had "security token" problems with XOOPS 2.2.4, but then I'm not yet running it on my live sites, and I mostly use custom modules so I don't have lots of experience with the common portal-site modules.

The fixes in this post are the permanent fixes.

However, they will only take effect if you make the changes to the file before you install your XOOPS system. Once you have a running system, you can only get the changes to take effect by making changes to the database.

It's possible to remove all the traces of the umode field and its options from the several database tables, and then update the system module to pick up the changes from the new xoops_version.php file. However, the easiest thing to do here is to directly update the options array in the database as svaha describes.

If you want to make similar changes for the meta_rating options it's probably easier to delete the traces and then update the system module. The places to delete are:

table: xoops_config
row: conf_name = 'meta_rating'

table: xoops_configoption
rows: all rows with '_MD_AM_METAxxxxx' in either confop_name or confop_value

To delete a single row in phpMyAdmin, simply press the red X in the row. To delete multiple rows, check the box next to the row and then click the red X at the bottom of the form (Delete all checked rows).

After the rows are deleted, update the System module and you should see the following somewhere in the update log that displays :

Quote:

Hope this clears things up.

To fix these problems on a running system, you will probably need to manually update the database values, or at least remove the relevant rows from the database so updating the system module can install your changes from the updated xoops_version.php file. If the options are already in the database, updating the system module does not change them.

See this thread for database changes to the "umode" values.

Aargh! Sorry, it _is_ Monday, and I've been at this all weekend. The file is, in fact, xoops_version.php and the line numbers are 199 and 687
I can't even manage to copy my own notes!

Submitted to Patch Tracker.