Php-Stats Multiple Vulnerabilities and Security Issue

Official thread(Google's English translation)

Curerently, as of March 22th, there is no official patch for the issues.

I don't think we are facing exactly the same problem. But, in my case, there was a trouble when an anonymous user try to post a comment: he gets that error message "taking you ... where you were".

This is caused by the empty $_SESSION['XOOPS_TOKEN_SESSION'] as far as I know. (please bear in mind that I'm not a coder. :-p) So I swapped class/xoopssecurity.php with the one for "XoopsCube". (XoopsCube is compatible with XOOPS 2.0.x for the time being.) And I also uploaded "class/token.php" from XoopsCube, added some lines within XoopsSecurity class.

Add the following code somewhere in class/xoopssecurity.php


Please remember the fact that it may create an gaping security hole for I'm not a professional. At very least, it weakens the protection against CRSF. So all the webmasters must turn on referrer when s/he manages his/her web sites.

Anyway, this hack solved MY problem, and my site became more friendly to anonymous visiters. That's all I can say.

You can also check bluemoon's modified Pukiwikimod.

http://www.bluemooninc.biz/~xoops2/modules/pukiwiki/?WhiteBoard

Pukiwikimod is a bit slower than bwiki. But it has more functionality when it comes to user permission. (Though, I personally prefer bwiki. :-p)

Anyway, have a look on its "Post-It plugin" at very least. It's really an astonishing feature!

Well, I recommend you to install Multimenu, anyway. If you want to make your own "main menu" only, multimenu 1.4 jp-edition is sufficient. If you want to make varied menus, solo's multimenu 1.7 is the one.

Quote:Well, I've figured it out.

include/comment_post.php
line 233
include/comment_form.php
line 103


Quote:Sounds promissing. Well, I agree with you that 3 & 4 have the same approach. Maybe I should have listed them up as 3a & 3b...

Referrer-Spaming(or Comment-Spam) is hot thesedays, which is a growing headache for webmasters in many ways:

1. It abuses your web server severely.
2. It's not just annoying to delete the spams everytime you check your web site, but just... GIVE ME A BREAK!!!!

Thanks to the appearance of "Protector", Headache-1 can be dealt with automatically since it can restrict the simultaneous accesses from the same IP.

Headache-2 is not that problematic for the community sites where all the comments are posted by registered users like here. But for the web sites where comments are open to public, it is.

Possible solutions:

1. .htaccess
So called "Referrer Spams" contain banal referrer information to entice webmasters into their crappy web sites. I know that none of them may well click such feeble links, though they seem to think it works, somehow...lol Anyway, we can exploit this poor information.

2. xoops_refcheck()
include/comment_post.php

line232
Given that no registered user commits spammming, it can block "referrer-spams" as long as they hold external referrer infomation. It would also block legitimate comments because many people simply have no idea what the firewall software in their computer does. To avoid this unintended inconvenience, you can disable referrer-check only when the empty referrer is recognised. Please search "Xoops FAQ" for the detailed information about it.

Btw, this function is accessible from all the modules. So this hack can be applied to those modules that use their original commenting system: B-wiki, WordPress, and etc..., too.

3. g_ticket
Maybe, it's not that difiicult to implement GIJOE's ticket system to Xoop's commenting system... But I DON'T KNOW HOW TO do it!!! lol

4. A unique attribute and its correspong value to comment forms.

This technique is widely adopted by many blog softwares to confirm if the comments are sent from your comment form.. But how can I implement this function to Xoops? That's the question. As far as I know, "Comment Callback Function" seems to be the one. But, again, I DON'T KNOW HOW TO assign an extra parameter with the provided xoops-form class... lol

Maybe, instead of assigning it, I can set a certain attribute and its value as an default extra-parameter by hacking core files in class/xoopsform, and insert "if ( A!==B){exit;}" into include/comment_post.php...

IMHO, I want this feature to be available from the admin panel in the future: Webmasters can define their original attribute and its corresponding value for the comment forms in their web site.

@carnuke
Quote:

$modversion['dirname'] = "auth";

by changing the value of the variable above, you can have multiple instance with ease.

i.e.
modules/auth (default)
modules/auth2 (when "$modversion['dirname']" is "auth2";)

$auth_dir = "sample";

You can see "sample" directory in "auth" directory, right? This is where you put your contents by default.

If it doesn't work try the following values:

$auth_dir = "modules/auth/sample"; (default)
or
$auth_dir = "physical_path/modules/auth/sample"; (default)

What you have downloaded is an add-on to make your html contents searchable as Bender says. Don't forget to change the name of search function in "include/search.inc.php" when you use multiple instance. Or it causes conflicts

As regards its authentication, I have no idea since I don't use this module.

Quote:GIJOE is the most active supporter in Japan. Moreover, he couldn't be more active in his personal support site as you can see.

Quote:I quite agree with you. As Mithrandir stated on the news, XOOPS seems to be looking for the developers for the current version. At the same time, Japanese developers seem to be serious about leaving XOOPS and making their own one.

So why don't you make the best of Japanese developers' enthusiasm? For instance, you can let the Japanese team alter the current 2.0.x series. And the others focus on the 2.1 series.

Of course, there should be a consensus for the development so as not to make a difference between the current and the future one in their features.

This may delay the release of 2.1, eventually. But even Onokazu thinks there should be another release with a few, but not too radical, changes in the feature before 2.1 arrives.

In the end, all the Xoopsers can have more secure Xoops, Japanese team doesn't need to worry about the language, and English team can focus on the future version.

Surely, I'm not ignoring the other local communities. But Japanese developers are just HEATED in many ways.

This is "ORETEKI Xoops":
http://marijuana.ddo.jp/xoops/modules/mydownloads/
http://marijuana.ddo.jp/xoops/modules/mydownloads/visit.php?cid=1&lid=20&type=0

Some modules have already exceeded the standards of the core, I think. So it's high time we thought how to adopt these advanced features to the core, isn't it?

If you use Firefox, go to this thread:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=22116&forum=7&post_id=96676#forumpost96676

If you are Opera user, you can make the most of its flexibility!

Paste the following lines on your "menu.ini":


default WikiSyntax is configured for Pukiwiki. So if you use wakka, phpwiki, or wiwi, you can change the certain values to meet your need.

By the way, isn't there a way to disable BBcode in code without replacing "[" & "]" with "#???" ?

Well...Thx for forcing me to wait for 30 seconds... I'm not a spammer...I just forgot turning on Referrer... lol

Multi-menuJP1.14
http://malaika.s31.xrea.com/modules/mydownloads/

****Link Styles****
1.Full-path link (Always shown)
Quote:
2.Assigning by modules names (Always shown)
Quote:

****Special Syntax for Sub-menu****
1. Static menu (Sub-menu is always shown)
Quote:

2. Dynamic Menu (Sub-menu is shown like Xoops' menu)
Quote:

==Examples==
A. @[news] , Title=News2
-When the module isn't chosen:
"News2"
-When the module is chosen:
"News"
"Submit News"
"Archive"

B. @[news]details.php?storyid=1 , Title=News2

-When the module isn't chosen:
"News2" (linking to News Item1)
-When the module is chosen:
"News2" (linking to News Item1)
"Submit News"
"Archive"

**You can make an arbitary selection for its title
================

I think it would work on English environment, too.(mb_string isn't required) It may be not the one for you since it doesn't allow you to define your original sub-menu.