xoops forums



Board index » All Posts (ajaxbr)




ajaxbr

Quite a regular
Posted on: 2005/5/7 5:24
Posts: 276
Since: 2003/10/25
#1

Re: Xoops overloading my Server

Try removing the Poll block (could be checking against dupe votes?). Also, try turning off Adverts, New Members and Affiliates one at a time.

Wait, is that huge image list at left a module? A menu module? If it is, there you go...

Good luck


ajaxbr

Quite a regular
Posted on: 2005/3/20 0:12
#2

Re: Graphics Anyone?

Take a look at this mock up, if you like the idea I can try to make it large and good looking


ajaxbr

Quite a regular
Posted on: 2005/2/11 19:55
#3

Re: PHP Security help needed

Hi Herve,
Thanks for replying
What I'm trying to build is a scanner for bad code, using PHP functions as a start (but can and hopefully will go beyond that). So if you can share what kind of bad code I should look for, I'll try to put it in. As of now, things like "fopen($file)" are flagged, but it's still very far from useful.

Here's a sample bit of output for a couple ranked functions:

<div style='margin: 4; padding: 4px; border: 1px dotted;'><a name='div_11' /> <ul> <h3> smarty/core/core.write_compiled_resource.php </h3>
<li> <a name='li_21' /> --- --- --- --- --- --- --- ---
:28: <br />
<b> [3] </b> (PHP) <i><a href='http://www.php.net/manual/en/function.require-once.php'>require_once</a>: Includes and evaluates the specified file, once, during the execution
of the script. May disclose physical paths if file is not readable </i>
<pre> require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');
</pre>
</li>
</ul> </div>
<div style='margin: 4; padding: 4px; border: 1px dotted;'><a name='div_12' /> <ul> <h3> smarty/core/core.write_compiled_include.php </h3>
<li> <a name='li_22' /> --- --- --- --- --- --- --- ---
:72: <br />
<b> [3] </b> (PHP) <i><a href='http://www.php.net/manual/en/function.require-once.php'>require_once</a>: Includes and evaluates the specified file, once, during the execution
of the script. May disclose physical paths if file is not readable </i>
<pre> require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');
</pre>
</li>
</ul> </div>
<div style='margin: 4; padding: 4px; border: 1px dotted;'><a name='div_13' /> <ul> <h3> mail/phpmailer/class.phpmailer.php </h3>
<li> <a name='li_23' /> --- --- --- --- --- --- --- ---
:520: <br />
<b> [4] </b> (PHP) <i><a href='http://www.php.net/manual/en/function.fopen.php'>fopen</a>: Parameter ($queue_path . $msg_id . ".pqm") has a '$', fopen may be
exploitable if users can inject$queue_path . $msg_id . ".pqm". Use a
constant or a filename as argument to fopen. May disclose physical paths if
file is not readable </i>
<pre> $fp = @fopen($queue_path . $msg_id . ".pqm", "wb");
</pre>
</li>
<li> <a name='li_24' /> --- --- --- --- --- --- --- ---
:664: <br />
<b> [5] </b> (PHP) <i><a href='http://www.php.net/manual/en/function.include-once.php'>include_once</a>: Included file parameter ($this->PluginDir . "class.smtp.php") has a
'$', may be allow execution of arbitrary code.. Use a constant or a
filename as argument to include_once. May disclose physical paths if file
is not readable </i>
<pre> include_once($this->PluginDir . "class.smtp.php");
</pre>
</li>
<li> <a name='li_25' /> --- --- --- --- --- --- --- ---
:1245: <br />
<b> [4] </b> (PHP) <i><a href='http://www.php.net/manual/en/function.fopen.php'>fopen</a>: Parameter ($path) has a '$', fopen may be exploitable if users can
inject$path. Use a constant or a filename as argument to fopen. May
disclose physical paths if file is not readable </i>
<pre> if(!@$fd = fopen($path, "rb"))
</pre>
</li>
</ul> </div>
<div style='margin: 4; padding: 4px; border: 1px dotted;'><a name='div_14' /> <ul> <h3> snoopy.php </h3>
<li> <a name='li_26' /> --- --- --- --- --- --- --- ---
:983: <br />
<b> [4] </b> (PHP) <i><a href='http://www.php.net/manual/en/function.file.php'>file</a>: Parameter ("/tmp/$headerfile") has a '$', file may be exploitable if
users can inject"/tmp/$headerfile". Use a constant or a filename as
argument to file. May disclose physical paths if file is not readable </i>
<pre> $result_headers = file("/tmp/$headerfile");
</pre>
</li>
<li> <a name='li_27' /> --- --- --- --- --- --- --- ---
:1193: <br />
<b> [4] </b> (PHP) <i><a href='http://www.php.net/manual/en/function.fopen.php'>fopen</a>: Parameter ($file_name) has a '$', fopen may be exploitable if users
can inject$file_name. Use a constant or a filename as argument to fopen.
May disclose physical paths if file is not readable </i>
<pre> $fp = fopen($file_name, "r");
</pre>
</li>
</ul><div>

Still a long way to go... but might work
looks good in preview, then borks on submit
When I get home I'll upload it then re-post...


ajaxbr

Quite a regular
Posted on: 2005/2/11 0:10
#4

Re: Can we use freely xoopy mascotte ?

Quote:

Panos wrote:
My friend, there is no such thing in the real world and that wouldn't stand in any court, in any country. There is no such thing as 'implicitly copyrighting' something.
Actually there's such a thing in the real world. Sometimes it's harder to make a given piece of work have no copyrights than to claim implicit copyrights, depending on the country's (and/or area's) laws.
E.g. here, and Quote:
...from GigaLaw® under a Fair Use premise (all copyrights owned by GigaLaw®):
(...)The way in which copyright protection is secured is frequently misunderstood. No publication or registration or other action in the Copyright Office is required to secure copyright. There are, however, certain definite advantages to registration.

Copyright is secured automatically when the work is created, and a work is "created" when it is fixed in a copy or phonorecord for the first time.(...)


ajaxbr

Quite a regular
Posted on: 2005/2/10 2:13
#5

PHP Security help needed

Hi XOOPSers,
I'm trying to adapt a program that finds flaws in C/C++ code to PHP, so that we could have large scale automated (and somewhat dumb, but still worth IMHO) code security scans. The original app, Flawfinder, has a list of C/C++ functions that may create security issues, then a few functions to check whether the way a given 'flagged' function is used makes it safe or a problem.


I've built a list of functions (>3600, almost all at php.net) with short descriptions and links to the PHP Manual and will start picking the ones I find in PHP security articles, assigning arbitrary risk values and trying to prune false positives for them. My PHP security knowledge is very very small, so if you can contribute (like listing functions you think should be included and why), things could work a lot faster and better.

So, in a nuts-hell, I need help to determine which core PHP functions bring security issues, what checks I could do to eliminate false-positives (i.e., safe ways of using flagged functions) and to rank the hits the program finds.

Sample output (for a pretty naive version, numbers between '[' and ']' would be risk rank, and you'll be able to limit scans for hits above rank X using command line options).
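
Added example (not part of ajaxbr's posts and not the scanner's own code): a Python illustration of the Flawfinder-style approach described in the two "PHP Security help needed" posts, with a ranked function list, a variable-in-argument check that ignores `$` inside single-quoted strings, and a rank threshold. The ruleset, the names `parse_first_arg` and `scan`, and the constructed `SAMPLE` input are assumptions; the ranks 3, 4 and 5 follow the sample output in the reply.

```python
import re

# Assumed ranks: (constant argument, argument containing a variable).
# 3/4/5 follow the sample output; the other values are guesses.
RULES = {"require_once": (3, 5), "include_once": (3, 5),
         "fopen": (2, 4), "file": (2, 4)}
# The lookbehind skips $file(...), ->file(...), ::file(...) and my_fopen(...).
CALL = re.compile(r"(?<![\w$>:])(%s)\s*\(" % "|".join(RULES))

def parse_first_arg(src, start):
    """Return (text, has_variable) for the first argument starting at src[start]."""
    depth, quote, has_var, i = 1, None, False, start
    while i < len(src):
        c = src[i]
        if c == "$" and quote != "'":
            has_var = True              # bare variable or "..." interpolation
        elif quote:
            if c == "\\":
                i += 1                  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c in "),":
            if depth == 1:
                break                   # end of the first argument
            depth -= 1 if c == ")" else 0
        i += 1
    return src[start:i].strip(), has_var

def scan(src, min_rank=0):
    """Return (line, rank, function, argument) for each flagged call."""
    hits = []
    for m in CALL.finditer(src):
        arg, has_var = parse_first_arg(src, m.end())
        rank = RULES[m.group(1)][1 if has_var else 0]
        if rank >= min_rank:
            hits.append((src.count("\n", 0, m.start()) + 1, rank, m.group(1), arg))
    return hits

# Constructed input: four lines taken from the sample output, one made up.
SAMPLE = '''<?php
require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');
$fp = @fopen($queue_path . $msg_id . ".pqm", "wb");
include_once($this->PluginDir . "class.smtp.php");
$result_headers = file("/tmp/$headerfile");
$fh = fopen('/var/log/price_in_$.txt', 'r');
'''
```

`scan(SAMPLE, min_rank=4)` keeps only the three calls whose argument contains a variable; calls written without parentheses (`require_once 'x.php';`) and commented-out code are not handled.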


ajaxbr

Quite a regular
Posted on: 2005/1/20 0:59
#6

Access control for pages that aren't part of modules

This is a first attempt at a hack that lets XOOPS admins control whether legacy "bare pages" (e.g. backend.php, userinfo.php) should be accessible or not. Since I'm not a programmer, it could be made useful if a real one steps in and reviews/corrects it.

If you have a test server ready and can do a clean install, download and test this hack from http://www.zoologia.bio.br/barepages.zip

It will not work on an existing XOOPS site because I don't know how to add records to the (prefix)_config table.

It works like
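// Load the bare-page settings from the XOOPS config
$config_handler =& xoops_gethandler('config');
$xoopsConfigBare =& $config_handler->getConfigsByCat(XOOPS_CONF_BARE);
// Deny access unless the page has been switched on
if ($xoopsConfigBare['bare_on'] != 1) {
    redirect_header('index.php', 3, _NOPERM);
    exit();
}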


And for userinfo.php, the "block anonymous access to userinfo.php" hack is in:
// Load the bare-page settings from the XOOPS config
$config_handler =& xoops_gethandler('config');
$xoopsConfigBare =& $config_handler->getConfigsByCat(XOOPS_CONF_BARE);

// userinfo.php switched off for everyone
if ($xoopsConfigBare['bare_userinfo'] != 1) {
    redirect_header('index.php', 3, _NOPERM);
    exit();
}

// userinfo.php switched on, but not for anonymous visitors
if ($xoopsConfigBare['bare_userinfo_all'] != 1) {
    if (!$xoopsUser) {
        redirect_header('index.php', 3, _NOPERM);
        exit();
    }
}


Feel free to re-write, improve, ignore, laugh at, mock, correct, whatever


ajaxbr

Quite a regular
Posted on: 2005/1/19 19:00
#7

Re: Where I can get "The XOOPS Developers Bible"?

Hi, I'm actually trying to get a PDF up-to-date core + modules API/code documentation done, but it's been kinda tricky... look at what I've got so far here: http://www.zoo.bio.br/docs/

The official documentation site, http://docs.xoops.org , is also a must visit. Good luck


ajaxbr

Quite a regular
Posted on: 2005/1/19 18:19
#8

Re: Simplified URLs Hack

Thanks, it's a very interesting hack and will surely make many of us happy.

Regarding
Quote:

sim_suin wrote:
Have you visited Google directory, Amazon.com and Yahoo!?
Why do you think these famous sites convert URLs?
I do not know a correct answer because I am not interested in SEO, but these sites know the answer.


Quote:
©2005 Google
Help build the largest human-edited directory on the web.
Submit a Site - Open Directory Project - Become an Editor


ajaxbr

Quite a regular
Posted on: 2005/1/15 1:35
#9

Re: XOOPS PR (or: XOOPS @freshmeat.net and @Secunia.org)


Yeah, this rocks:
Quote:
From: <vresnev@gm...>
XOOPS for Debian
2005-01-14 08:07

Hi

I have finished packing XOOPS for Debian.

You can download it from:
http://www.vmxt.com/debian/

I will appreciate your feedback.

Also, I have a question: You (developers) support XOOPS installed in apache2 ?
Just to know if I can a dependency in the package. I mean, the package
will depend on apache or apache2.

Thanks in advance.

--
"Freedom is still the most radical idea of all."
---Nathaniel Branden

Original here. Thank you very much, Erick!


ajaxbr

Quite a regular
Posted on: 2005/1/14 18:05
#10

XOOPS PR (or: XOOPS @freshmeat.net and @Secunia.org)

Hi
I've been thinking about how XOOPS PR could improve and two items seem important to me: we need to update (and improve: dependencies, etc.) our records at freshmeat.net and to set the record straight at Secunia. I could work with Freshmeat.net if nobody else wants to.

Edit:
Then, important XOOPS Modules, themes or collections of those could be added to Freshmeat too by their maintainers. And when we use apt-get to install new Debian packages there are lots of PHP CMSes in the list... (cough) (cough)


