xoops forums

Forum Index


Board index » All Posts (GIJOE)




GIJOE

Quite a regular
Posted on: 2005/8/11 19:53
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#1

Re: Site hacked!

Quote:

martyras wrote:
The problem was found with the help of the hosting company. It appeas that was an exploit at templates_c folder. When we deleted the files from within, the message went away. Is there a known patch for that? I haven't followed the forums for a while so I didn't know about any particular exploit.

templates_c ?
Perhaps, it's just a back-door put by the attacker.

Crackers can access your site as administrators quite easily, if you runs XOOPS < 2.0.9.2 without Protector.

To prevent another back-doors, you'd better install XOOPS cleanly after backing up.


GIJOE

Quite a regular
Posted on: 2005/8/10 20:01
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#2

Re: A typo and a request about blockinstance

hi skalpa.

Thanks for your reply.
Quote:
We'll see this as soon as possible. And I like the title idea too, I'll see what can be done (maybe even visibility would be nice if possible).


It's a nice idea to controlling visibility by show_func().

But show_func can hide itself only by returning array() even in 2.0.13 or 2.2.1


Block's show_func

- can refer
---- its `instanceid`
---- its original `title` (eg. "events in %s")

- can change
---- its `title` (eg. "events in 26 Aug 2005")
---- its visibility


GIJOE

Quite a regular
Posted on: 2005/8/10 9:31
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#3

A typo and a request about blockinstance

hi.

It is good idea to divide blockinstance from newblocks.

And it is good idea too, to assign not only `title` and `content` but also `id`(=instanceid),`typeid`(=bid),`weight`.

But typeid(=bid) is never assigned in XOOPS 2.2.1.

This is a typo in end of kernel/blockinstance.php
while ( $myrow $this->db->fetchArray($result) ) {
                
$newblock false;
                if (!isset(
$blocks[$myrow['bid']])) {
                    
$blocks[$myrow['bid']] =& $block_handler->create(false);
                    
$newblock true;
                }
                
$instance =& $this->create(false);
                
$instance_vars array_keys($instance->getVars());
                foreach (
$myrow as $key => $value) {
                    if (
$newblock && !in_array($key$instance_vars)) {
                        
$blocks[$myrow['bid']]->assignVar($key$value);
                    }
                    else {
                        
$instance->assignVar($key$value);
                    }
                }
[
color=ff0000]                $blocks[$myrow['bid']]->assignVar('bid'$myrow['bid']); [/color]
                
$instance->setBlock($blocks[$myrow['bid']]);
                
$ret[] = $instance;
                unset(
$instance);
            }
        }
        return 
$ret;
    }
}

The key -bid- should be registered in both $instance and $blocks[].

And this is the main issue.
Some blocks (eg. minical_ex in piCal) have to know their instanceid. (`bid` in 2.0.x)

In 2.0.x, I used $GLOBALS['block_arr'][$GLOBALS['i']]->getVar('bid') .
But in 2.2, it is useless.

Please implement some way for blocks to know instanceid of themselves.

eg) kernel/blockinstance.php line 109
from:
$block $show_func($options);

to:
$block $show_func($options+array('instanceid'=>$this->getVar('instanceid')));


The block can know its instanceid by $options['instanceid'].

This is MUST feature to modify my modules as fully compatible with XOOPS 2.2.

I'm glad if you also implement some way for show_func to change block's title dynamically.

Regards!


GIJOE

Quite a regular
Posted on: 2005/8/7 2:55
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#4

2 little(?) bugs

- Fields in the table of configcategory is not removed by uninstalling the module.

- line 193 of include/common.php
[d]
        if (
function_exists('session_cache_expire')) {
            
session_cache_expire($xoopsConfig['session_expire']);
        }
[/
d]
[
color=ff0000]
        @
ini_set('session.gc_maxlifetime'$xoopsConfig['session_expire'] * 60);[/color]

This wrong coding is caused by just a misunderstanding.

2.2 has a better architecture than older 2.0.x but I can't say this is a STABLE release yet

Good Job! and Gambare!


GIJOE

Quite a regular
Posted on: 2005/1/6 9:07
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#5

Re: Xoops On Crack?

hi Predator.

At first, I apologize to you about my absence of developping newbb2 whatever I promised.

Quote:

Quote:

GIJOE wrote:
Moreover, I don't like the interfaces of newbb2.
It works quite buggy with IE5.

In which way? Can you give more infos to this statment, so we can fix this.

As I wrote.

with IE5...
- Can't display drop-down of javascript (often success, often fail)
- Often redirect somewhere after 0-30sec viewing
- Some threads can be read at all.(403 error)

Anyway newbb2 uses too many javascript.
How can I change 'older'->'newer' if javascript is disabled?

I believe javascript should be a hobbit instead of shoes workman himself.

Quote:

So would be nice to now where the point are in the newbb 2.0 which shall be insecure so we can fix them. The issues which has Onokazu discribed on dev.xoops.org are added and fixed and comes with the Newbb 2.0.1 which will then the official release, if there are more please send me a hint by PM or email, so it can be fixed.

Perhaps, it's just losing the point.
minahito reported that 2.0.1 patches strange point instead of the point of XSS injection.
I'll tell you if I have vacant time.


GIJOE

Quite a regular
Posted on: 2005/1/6 8:50
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#6

Re: Xoops On Crack?

hi minahito.
It sounds strange I talk to you in English

Quote:

A user who doesn't set up 'XOOPS_PREFIX' at random will be helped by this script. this script changes 'XOOPS_PREFIX'. but, there is risk, because there is no English document.

Don't mind.
Already I've translated it.

see the thread.
XOOPS_DB_PREFIX' clarification

brash made more modified one though I've never tested yet.

I hope it is added into XoopsFAQ.


GIJOE

Quite a regular
Posted on: 2005/1/6 8:42
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#7

Re: Xoops On Crack?

Quote:

Mithrandir wrote:
Ok, thanks - did wonder if a "GTicket" was a term that was universally accepted

Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess? I notice that you use it together with __FILE__ - but that is something a clever hacker could find out, isn't it? Or is it simply that it will make it even more annoying to figure out, when combined with the time and the other things going into the encryption?

Where do I use __FILE__ as salt ?
I use __LINE__ instead of __FILE__.
Although __FILE__ of caller is static, __LINE__ of caller is variable by the version of the file. (it makes harder to guess)

The other topics have been already written by nobunobu. (Thanks!)

Quote:

nobunobu wrote:
In GTicket system logic, token is generated with timestamp and PATH Enviroment variable and XOOPS_DB_PREFIX , for other user hard to guess.

GIJOE and we know, many XOOPS users use XOOPS_DB_PREFIX leaving default value "xoops", and
Using default XOOPS_DB_PREFIX is weak, if some module has SQL Injec vulnerability.
So, GIJOE recommends , XOOPS users should use their own XOOPS_DB_PREFIX string.
("Oreteki" installer makes random string for XOOPS_DB_PREFIX default).

This is just what I want to say

I think it is enough to preventing from malious guessing by these combination.
__LINE__ * microtime() * XOOPS_DB_PREFIX * $_SERVER['path']


GIJOE

Quite a regular
Posted on: 2005/1/5 20:35
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#8

Re: Auto login hack + Login using email.

hi sudhaker

I've just found it.
It sounds good and I'll check your hack.

I'm also thinking how to make auto-login much secure.


GIJOE

Quite a regular
Posted on: 2005/1/5 20:21
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#9

Re: Xoops On Crack?

hi Mithrandir.
Quote:
I will work on implementing XoopsGTicket in 2.1 as well.

'G' just means my personal use.

Please name them gerenally for the core.

class XoopsTicket instead of XoopsGTicket
$_SESSION['XOOPS_STUBS'] instead of $_SESSION['XOOPS_G_STUBS']
$_POST['XOOPS_TICKET'] instead of $_POST['XOOPS_G_TICKET']


GIJOE

Quite a regular
Posted on: 2005/1/5 10:29
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#10

Re: Xoops On Crack?

And the second step,
Use ticket system for preventing it from CSRF.

(Protector is fundamentally good-for-nothing against CSRF)

The class of XoopsGTicket will be a good sample for you.

Don't forget adding the ticket into not only posting stage but also previewing stage.



TopTop
(1) 2 3 4 ... 21 »