41
Tobias
[solved] Wiwimod and spaw vulnerability?
  • 2007/6/22 17:24

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


I've got a few suspicious referers lately, so I've googled back and found this here: http://www.milw0rm.com/exploits/4084

Now, that seems to be about a fairly old version, and I don't use Spaw and don't seem to have any residual files for it. But since I honestly don't understand what's going on there, I just thought I put it out here and wait for someone to look into it and enlighten me before I bring my wiki up again. Thanks!

Also here: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3289. Might be a duplicate of an old one.

*edit* I definitely got tons of hits on the file in question over the last days. This might be a serious issue for people who have Wiwimod 0.4 and perhaps some other vulnerable versions installed.

*edit again* I even got a sample of the script they wanted to execute. I'm almost tempted to try to exploit myself, to see where that leads to. :S
www.affvu.org



42
Tobias
Re: [Fixed] command injection of phpmailer ? is this really important?
  • 2007/6/13 23:00

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Double or triple thanks, Vaughn. Around line 590 for XOOPS 2.2.
www.affvu.org



43
Tobias
Re: command injection of phpmailer ? is this really important?
  • 2007/6/13 21:54

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Just to make sure I'm getting it right:

We should use phpmail or SMTP, BUT NOT sendmail?

I'm about 99% sure that that's the point, but perhaps I'm getting lost in translation here.
www.affvu.org



44
Tobias
Re: [XoopsTeam] phppp - Core Development - Leader
  • 2007/6/8 16:05

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Well, that's admittedly all very confusing for someone who doesn't know the people and what new rifts and contradictions will be contained in the new constellation, but I'm also EXTREMELY glad phppp is willing to step it up. Thanks a lot for all you've done for us so far.
www.affvu.org



45
Tobias
Re: Security & Install issue: Protector and Xoopsinfo modules not in Admin
  • 2007/5/25 5:11

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


I guess all your directories (folders) should have 755 as their permissions. If they're 774, then owner and group can read+write+execute, and world can only read. Group does mostly not need to write to them (second digit), but world has to execute (or, in the case of directories, have the ability to dig into them), lest it doesn't get into the folder to execute the scripts that are inside. So, I find it utterly unsurprising that you're having the problem you seem to be having.

755 for folders and 644 for php files are often appropriate permissions. Just to make sure: I'm talking about ALL folders. cache and templates_c might still need 777, although they're fine with 755 at my webhost. Your mainfile.php shouldn't be writable at all (444, or even 400 does it at my host).
www.affvu.org
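
An added example, not part of the post above and not XOOPS project code: a read-only audit that lists where a XOOPS tree deviates from the modes the post suggests (755 for folders, 644 for PHP files, 777 tolerated on cache and templates_c, no write bit on mainfile.php). The function name and the output prefixes are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the forum post): report deviations from the modes
# the post suggests for a XOOPS tree. Read-only: it changes nothing.
#   directories        755 (cache and templates_c may also be 777)
#   *.php files        644
#   mainfile.php       no write bit for anyone (444 or 400)

audit_xoops_perms() {
    root=$1   # site root, given without a trailing slash

    # Directories that are not 755, except cache/templates_c when they are 777.
    find "$root" -type d ! -perm 755 \
        ! \( \( -name cache -o -name templates_c \) -perm 777 \) |
        sed 's/^/DIR  /'

    # PHP files that are not 644; mainfile.php is checked separately below.
    find "$root" -type f -name '*.php' ! -path "$root/mainfile.php" \
        ! -perm 644 | sed 's/^/PHP  /'

    # mainfile.php with any write bit set (owner, group or world).
    if [ -f "$root/mainfile.php" ]; then
        find "$root/mainfile.php" \
            \( -perm -200 -o -perm -020 -o -perm -002 \) | sed 's/^/MAIN /'
    fi
    return 0
}

# Usage: sh audit.sh /path/to/xoops   (the path is a placeholder)
if [ $# -gt 0 ]; then
    audit_xoops_perms "$1"
fi
```

Each output line names one path to review; an empty result means the tree already matches the suggested modes.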



46
Tobias
Re: Access denied for user
  • 2007/5/25 4:50

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Are you sure this is about Xoops? I don't have config.php and home.php at the site root. In any case, looks like the database user and/or password aren't correct in config.php, line 2. That's at least what it says.
www.affvu.org



47
Tobias
Re: Bot protection in registration
  • 2007/5/25 3:57

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Captcha is probably more effective, but if you don't want to have that additional threshold for legit people and still weed out most of the trash, consider also the Netquery Module for Bad Behavior. Good idea anyway to put up some shields against rogue crawlers and bots before they even find where to spam you.
www.affvu.org



48
Tobias
Re: URGENT Spam Post from unidentified user
  • 2007/5/24 6:06

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


If the system doesn't allow posts from users who are not registered, and a user who is not registered is nevertheless posting, then you might have a serious situation. Like somebody having access to your database. So that's not to be taken lightly. XOOPS Protector helps, of course.

But there're forums in your board where anonymous users can at least reply to posts (like in Preguntas, sugerencias y comentarios).

First step to enhance the security of your site: Don't reveal ANY path (to folders or files, like here to your "trusted" folder) that's specific to your userspace on your webserver here on this board. You may want to edit your post above. Also, perhaps you could delete or mask the spam URL that you quote above. No need to give him an additional link.
www.affvu.org



49
Tobias
Re: IE7 Style='clear: both;" issue
  • 2007/4/18 4:38

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Is it overlaying, or moving into the same line? Because if it's overlaying (displaying on top of something other, z-index wise), then I would assume it's not an issue with clearing, but with positioning. Something's getting a fixed vertical position in relation to some element, or the viewport. Makes sense?

Can of course also be that a floated container is expanding beyond its containing element. But that's not what IE was famous for. In that case, clear:both underneath the longest container should normally do.
www.affvu.org



50
Tobias
Re: 2 right columns
  • 2007/4/18 3:46

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


You have to also change it in your theme.html so that the center-right blocks loop is not part of the same vertical container with the center-center (or main column). If you're table based, the center-right loop has to be a different column (not row). If you're doing it with divs, the center-right loop cannot be contained in the same div in which you have your main (or center-center) stuff.

That's on the assumption that you want to recycle the center-right blocks for your second right column.

The site you're referencing uses a table. That seems quite feasible. So you have in your theme.html something like:

<table>
<tr>
<td>left blocks loop</td>
<td>center and center-left block loops and main content</td>
<td>center-right blocks loop</td>
<td>right blocks loop</td>
</tr>
</table>

You can size and arrange it with the css file. If you want to design it tableless, then I wish you the best of luck, and a lot of patience. Four columns looks like a challenge, at least if you want to have it liquid. Fixed width should be easy.
www.affvu.org



