41
ajaxbr
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/27 18:19

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Hey chrisis, any feedback on this?
If you're afraid of trying these tricks, I can give you an admin session link so you can log in to my site as these wannabe hackers do in yours, and we can test it there... PM me and we can set it up.



42
ajaxbr
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/26 0:28

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Hi chrisis,
What is the uid affected?

If you know what the bad link is and have phpMyAdmin access to your XOOPS DB, go to the table xoops_session, find the offending session that is referenced in your link and remove it.

If you don't know the bad link, I'd suggest 2 things: first, register a new user (don't log in yet, just create a new user and finish registration), log in as admin and quickly go to your URL/modules/system/admin.php?fct=preferences&op=show&confcat_id=1 and set "use custom session" to true, and even more quickly go to groups and add the new user to the webmasters group, then remove the affected admin user from it. Now, this can be dangerous, so if you can create a backup of your site and try these modifications on a test server, do it first.

Perhaps just deleting all sessions from that table will work too?



43
ajaxbr
Re: What do you use to post News?
  • 2004/11/25 22:56

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Great Version Control features! I guess it's module-specific, with a versions table with a set number of fields? Would it be hard to make it rely on a core VC system, storing and calling data into/from a general versions table via serialize/unserialize? Or would it be better that each module has its own implementation of VC, perhaps diff tools, etc.?



44
ajaxbr
Re: how can i change the direction of tooltip in layersmenu.js ???
  • 2004/11/24 18:28

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Hmm, was it working in FF before you changed the .js file (because FF is much better with Right To Left languages, I think)?

Are you testing this in a remote, production server?

Anyway, that value (and the one below) does seem to be an important part of this issue. But I believe both those values will be used to generate adminmenu.php only, so to check if they are working or not you'd have to add or remove a module.

You're welcome, thanks for your efforts to improve XOOPS for RTL languages.



45
ajaxbr
Re: how can i change the direction of tooltip in layersmenu.js ???
  • 2004/11/23 22:33

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Can you post a screenshot of this working?

2nd suggestion: revert that file to its original content, open cp_functions.php, find $abscissa_step = 90; and try changing that value to -90.


Edit: also, take a look at /cache/adminmenu.php (exists in your server after install/first use of admin)



46
ajaxbr
Re: how can i change the direction of tooltip in layersmenu.js ???
  • 2004/11/23 21:29

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


AFAICS it's sniffing for browsers, then using the correct bit of the setleft function (DOM, NS or else). So I'd suggest replacing document.layers[layer].left = x; and document.all[layer].style.pixelLeft = x; with document.layers[layer].right = x; and document.all[layer].style.pixelRight = x;

Good luck



47
ajaxbr
Re: Version control?
  • 2004/11/23 20:56

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Proposed lame implementation (in ugly pseudocode):

New core function: $xoopsDB->vcsinsert()
Module developers can call it right before each $xoopsDB->query($sql); it uses the same $sql variable that will be used for updating or deleting data.

    // Saves the rows a DELETE or UPDATE query is about to touch into xoops_vcs,
    // so module developers can retrieve the old data later.
    function vcsinsert($sql) {
        global $xoopsDB;

        if (preg_match('/^\s*DELETE\s+FROM\s/i', $sql)) {            // Is it a DELETE query?
            // DELETE FROM t WHERE ... -> SELECT * FROM t WHERE ...
            $sqlvcs_sel = preg_replace('/^\s*DELETE\s+FROM/i', 'SELECT * FROM', $sql);
        } elseif (preg_match('/^\s*UPDATE\s+\S+\s+SET\s/i', $sql)) { // Is it an UPDATE query?
            // UPDATE t SET ... WHERE ... -> SELECT * FROM t WHERE ... (SET clause dropped)
            $sqlvcs_sel = preg_replace('/^\s*UPDATE\s+(\S+)\s+SET\s.*?(\sWHERE\s.*)?$/is',
                                       'SELECT * FROM $1$2', $sql);
        } else {
            echo "The VCS has found an error and borked like totally";
            return false;
        }

        // Fetch the old rows as arrays: a raw result resource cannot be serialized
        $result = $xoopsDB->query($sqlvcs_sel);
        $rows = array();
        while ($row = $xoopsDB->fetchArray($result)) {
            $rows[] = $row;
        }
        $vcsdata = base64_encode(serialize($rows));

        // genId() returns 0 on MySQL, so auto_increment fills vcs_id in
        $vcsid = $xoopsDB->genId('xoops_vcs_vcs_id_seq');
        $vcsinsert = "INSERT INTO `xoops_vcs` (`vcs_id`, `vcs_content`, `vcsdate`) VALUES ("
                   . $vcsid . ", " . $xoopsDB->quoteString($vcsdata) . ", " . time() . ")";
        $xoopsDB->query($vcsinsert);
        return true;
    }

There. The old data is lamely saved, regardless of table structure, for mod developers to retrieve when needed.

AFAICS it's well implemented in the Version Control Class, and something similar could be added to the core without affecting anything that doesn't ask for a backup/old version/undo query. Opinions?



48
ajaxbr
Re: favicon.ico: How do you make them damn things?
  • 2004/11/23 13:49

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Hi there
There's an online tool for that and a nice mini-how-to. I've used the IrfanView method (referenced in the how-to comments) and it's really easy (if you're running anything Windows).



49
ajaxbr
Re: Version control?
  • 2004/11/23 12:03

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Hi, ackbarr
IMO it would only make sense at DB level, as a core feature that can be used at will by module developers.

Version control would be used primarily for text content, but could be integrated in $xoopsDB, which is as common a base as it gets. A core class would make it possible, if module developers wish to, to set a given field as VC-able, and then everything that makes a good VC system would fit in (not that these have to be there): history, check-in/out, diffs, branching, locks, etc.

If it's a good OO solution, it can be used to VC settings, blocks, templates, etc., according to module developers' clever use of the class.

As things are today, backups and stand-alone text documents (preferably VC-able, like in OpenOffice and MSOffice) are the only tools for keeping your content safe and for working with drafts/revisions/etc. And if a module developer solves this issue, others will have to reinvent the wheel... IMO it's a common base.



50
ajaxbr
Version control?
  • 2004/11/23 2:43

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Hi all,
I've started this topic to discuss whether Version Control is/should be on the XOOPS development roadmap. More specifically, should a Version Control system be integrated into the core?

What kinds of modules/applications would benefit from a good Version Control in XOOPS? Is there any major drawback of using this kind of system (like being harder to really delete bad data)? What benefits* would you expect/demand from this?


*my main expected benefit: if you delete something or perform a really bad edit (be it news, links, whatever), an "undo" would be great. Secondary: when I write a large piece of text then slim it down to focus on a single topic, I lose all the related-but-off-topic info that was there in my draft.



