31
amok200
Re: Can't choose any avatars
  • 2004/3/10 1:18

  • amok200

  • Just popping in

  • Posts: 68

  • Since: 2004/2/23


Ohh.. right ! Got it, thx !



32
amok200
Re: Can't choose any avatars
  • 2004/3/9 22:47



Multi avatar hack:

https://xoops.org/modules/newbb/viewtopic.php?post_id=73557&topic_id=15945&forum=14



33
amok200
Re: Can't choose any avatars
  • 2004/3/9 22:44



I added a system avatar, it went into the xoops_avatar table. Where do these .sav files go? I hope it's not saved AND put into the db redundantly.

I guess it's user-uploaded avatars that go into uploads/avatar..

Amok



34
amok200
Re: Can't choose any avatars
  • 2004/3/9 22:15



I was afraid of that - a couple of minutes ago I just discovered that option in the admin section.. I guess they go into the database since I don't see the file I uploaded from my PC in uploads/avatar..

Thanks JackJ, hopefully this will be remedied in future versions.

Amok



35
amok200
Can't choose any avatars
  • 2004/3/9 18:57



Hi,

When I choose Edit Profile -> Avatar for some reason the list is empty. I can see avatars in my uploads/avatar directory, and the upload has permissions 777.

What could be the problem ?

Thanks,

Amok



36
amok200
Re: Securing / Hardening XOOPs - Strategies, Experiences, Tips ?
  • 2004/3/9 4:24



Thanks Kevin,

I have no anonymous submission of news, articles, forum posts, downloads, comments or anything else. I'm looking at closed user registration but wondering if it will be too offputting for users.

The permissions I have are:

uploads/ - 777
cache/ - 777
templates_c/ - 777
mainfile.php - 644

Are these optimal? Also in cache/ I have 2 files, adminmenu.php and antidos_access_log, both set to 644. Is cache regularly flushed out? These 2 files don't sound like they should be there. There is no index.html in there either.

I use wf-sections 1.01, the bugfixed version by JackJ into which I have incorporated fixes by Ken Ohwada (xf-sections) also. I've heard that wf-sections has some security vulnerabilities - do you have any knowledge of that ?

In wf-sections I have the following permissions:

wfsection/cache/uploaded/ - 777
wfsection/cache/uploaded/temp/ - 777
wfsection/images/article/ - 766
wfsection/images/category/ - 766
wfsection/html/ - 777

Do you have any suggestions regarding these ?

As regards modules, I use 3 addons

1) Anti-Dos 1.1
2) Random Quote 1.0.1
3) IPB 1.4 (Invision Power Board) by Koudanshi. I know this is unpopular with many because it overwrites some part of XOOPs core from what I understand, but IPB is simply vital to my site. I would love to use newbb but unfortunately it just doesn't yet have anywhere near the functionality my site needs. One problem with the current version of IPB (not just the plugin) is that conf_global.php must be set to writable if you want to update the admin section, then set back when you finish, leaving it open all that time! The next release will address this by storing config data in the db, but this is a bad security hole at the moment.

IPB has 777 set on the uploads/ where there is some attachment sitting.

I appreciate any advice you have regarding these modules. I have other addon modules but they are deactivated/uninstalled, I guess I should remove the directories completely.

Oh finally, regarding hosting, I'm in a shared environment, my host is lunarpages who are pretty security conscious but I'm certain they are going to be using a single apache instance...

Sorry for the rambling email. Thanks very much, looking forward to your feedback.

Amok

PS: Maybe someone knowledgeable about XOOPS and security (perhaps yourself?) could set up some dummy XOOPS sites and then invite trusted security folks to try to hack them, as a learning exercise.
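
An added example, not part of the original post: a POSIX shell function that reports the mode of each path named above and flags world-writable entries, directories with no index.html, and directory modes such as 766 that grant read without search. The function name and output format are illustrative; wfsection paths would be passed relative to wherever that module is installed.

```shell
#!/bin/sh
# Added example (not from the post): audit permissions of XOOPS paths.
# Usage: audit_xoops_perms <xoops-root> <relative-path>...
# Prints "<path> <mode> <findings>" per path; returns 1 if anything was flagged.
audit_xoops_perms() {
    root=$1; shift
    rc=0
    for rel in "$@"; do
        p="$root/$rel"
        if [ ! -e "$p" ]; then
            echo "$rel - missing"
            continue
        fi
        mode=$(ls -ld "$p" | cut -c1-10)
        notes=""
        # World-writable: any local account on the host can write here.
        if [ -n "$(find "$p" -prune -perm -0002 -print)" ]; then
            notes="$notes world-writable"
        fi
        if [ -d "$p" ]; then
            # Read without search for "other" (e.g. 766): names can be
            # listed but the entries themselves cannot be opened.
            if [ -n "$(find "$p" -prune -perm -0004 ! -perm -0001 -print)" ]; then
                notes="$notes no-search-bit"
            fi
            # No index.html: the web server may list the directory.
            [ -e "$p/index.html" ] || notes="$notes no-index.html"
        fi
        if [ -n "$notes" ]; then rc=1; else notes=" ok"; fi
        echo "$rel $mode$notes"
    done
    return $rc
}

# Paths from the post, run from the XOOPS root when one is present.
if [ -f ./mainfile.php ]; then
    audit_xoops_perms . uploads cache templates_c mainfile.php || true
fi
```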



37
amok200
Securing / Hardening XOOPs - Strategies, Experiences, Tips ?
  • 2004/3/9 2:46



Hi all,

I'm interested in making my XOOPs 2.0.6 install as secure as possible. The reason is that my current site (mostly html, a few perl scripts) is subject to, on average, 20 or so hack attempts a day. None have succeeded thankfully, due to vigilance on the part of my hosting company and myself.

Most of these attempts are lame script exploit type of things, but I'm worried that when I moved my (fairly large) site over to Xoops, there are a whole bunch of new things that could be exploited.

Specifically I'm worried about things like all these 777 CHMOD'ed directories we're required to have.

I would like to request the experienced Xoopsers to share their knowledge of strategies to secure xoops. Some areas I have in mind are:

1. Best practices for directory and file permissions - still confused on what these should be for upload type dirs - some say 777, some 770, some 666 or 655 !
2. MySQL vulnerabilities - eradicating places where SQL can be injected
3. HTML vulnerabilities - submitters sending malicious code

Of course, anything security related is welcome. Incidentally, I'm running on a hosted environment (Linux/Apache) like most people here I imagine.

Thanks much,

Amok



38
amok200
Re: WFSection - Very long articles
  • 2004/3/9 0:24



Brad,

Found this in the MySQL manual at http://www.mysql.com/doc/en/Column_types.html

MEDIUMTEXT
A BLOB or TEXT column with a maximum length of 16777215 (2^24 - 1) characters

LONGTEXT
A BLOB or TEXT column with a maximum length of 4294967295 or 4G (2^32 - 1) characters.

Amok



39
amok200
Re: WFSections - Is new version coming out soon or.......
  • 2004/3/8 16:02



I've posted a few test articles with images. For some reason when I used the [IMG] tag in the editor I had problems, but when I used html everything was fine. I need to go back and look at that.



40
amok200
Re: WFSections - Is new version coming out soon or.......
  • 2004/3/7 23:13



JackJ,

Agreed, and I think we're seeing this process right here in this thread. It does seem that we have a pretty robust version between all these fixes. Also bd_csmc, thanks for your fixes, I'm going to incorporate those also. And that compare file tool is pretty cool!

I've heard that there were some security issues with wfsection, but I don't know what they are. Anybody know what these security holes are (other than the anonymous users being able to submit I suppose) and whether they've been addressed.

Security is my #1 concern as it is for most ppl I guess.

Thanks,

Amok



