xoops forums

Board index » All Posts (nobunobu)




nobunobu

Just popping in
Posted on: 2005/5/8 3:20
nobunobu
nobunobu (Show more)
Just popping in
Posts: 60
Since: 2004/5/23
#1

Re: Google Web Accelerator: is it an issue with Xoops?

Quote:

"GWA accesses all pages for prefetch.."

Is it true?
I understood that GWA accesses pages that have only the following style of link for prefetch.
<link rel="prefetch" href="http://url/to/get/">

Please refer to [What Webmasters Need To Know About Google Web Accelerator]

If GWA accesses all pages for prefetch, it is very ill for some web applications that allow deleting contents with a GET operation directly.


nobunobu

Just popping in
Posted on: 2005/5/6 7:26
#2

Re: onokazu, where are you?

Hi Hero!
Quote:

Herko Coomans wrote:
Onokazu has been focussing on the japanese community for over a year now, so his absence is not new, completely his own choice and not forced by anyone.

Do you really think so?
I cannot think so, as far as I read the following post and thread on SourceForge.net.
[RE: CSRF: secure sites shouldn't need tokens on 2005-03-08 19:41]
It was too emotional an attack on onokazu, I think.

Quote:
Onokazu and the japanese developers are considering focussing on a japanese version of XOOPS

It is also a misunderstanding about Japanese developers.
I agree that a formal announcement from Japan about the fork is needed.
But I know they don't focus only on the Japanese language.
Please wait for a while to hear an announcement from Onokazu or the Japanese team.


nobunobu

Just popping in
Posted on: 2005/3/8 7:18
#3

Re: WordPress Module Permissions

Hi all!
I'm sorry I could not answer for a long time because of my server trouble.

I prepared cumulative patches for WordPress 0.3.3 today.
With these patches, the problem that you wrote about will be fixed.
Please go to the following page.

[Word Press Patch] (This page is still written in Japanese)

and download wp0.3.3-patch050308.zip

or use the following link.

[Direct Download]

If you can't solve it, please notify me.

In my first writing, the URLs of the links were wrong.
If you fail to find the patch, please retry.


nobunobu

Just popping in
Posted on: 2005/1/14 3:49
#4

Re: Blog Theme

Quote:
Although I believe there's a separate CSS file for the Wordpress module. You'll have to search through the module for it. Try removing any border references from it.

The stylesheet CSS file of the WordPress Calendar Block is placed at /modules/wordpress/themes/default/wp-blocks.css.php
Please create a directory with your XOOPS theme name under
/modules/wordpress/themes/ and copy wp-blocks.css.php into this folder.

Style definitions that begin with '#wp-calendar' are the styles for the calendar.


nobunobu

Just popping in
Posted on: 2005/1/14 3:38
#5

Re: Wordpress ME .33 and .htaccess

Hi tntrimmer
Quote:

tntrimmer wrote:

Question: does that .htaccess file go into the Wordpress module folder, or into the root folder?

Please place the .htaccess file into the WordPress module folder.


nobunobu

Just popping in
Posted on: 2005/1/10 4:04
#6

Re: Need a working blog module

Hi disky
Quote:

I tried Wordpress, which looks nice, except the blog is displayed on every page, not only the top page as I have selected.

Any ideas why?

Didn't you enable "Content Block" on the Wordpress Module page?
"Content Block" is a block for displaying blog content in other XOOPS module screens; mainly it may be used on the XOOPS homepage.


nobunobu

Just popping in
Posted on: 2005/1/6 9:24
#7

Re: Xoops On Crack?

Hi GIJOE
Quote:

GIJOE wrote:
Where do I use __FILE__ as salt ?
I use __LINE__ instead of __FILE__.
Although __FILE__ of caller is static, __LINE__ of caller is variable by the version of the file. (it makes harder to guess)

Oooooo..oops, I couldn't notice the word "__FILE__" in Mithrandir's post.
I firmly believed this word was "__LINE__".
Maybe Mithrandir also made a typo in his post.
Quote:

hi minahito.
It sounds strange I talk to you in English

Me too!!


nobunobu

Just popping in
Posted on: 2005/1/5 23:27
#8

Re: Xoops On Crack?

Hi Mithrandir.
Quote:

Mithrandir wrote:
Ok, thanks - did wonder if a "GTicket" was a term that was universally accepted

Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess? I notice that you use it together with __FILE__ - but that is something a clever hacker could find out, isn't it? Or is it simply that it will make it even more annoying to figure out, when combined with the time and the other things going into the encryption?


In the strict sense, the "salt" parameter in GTicket is not a "salt" for a random seed.
The GTicket salt may only be used for identifying each ticket token.
So he uses it together with __FILE__ to get a unique identifier easily.

In the GTicket system logic, the token is generated with a timestamp, the PATH environment variable and XOOPS_DB_PREFIX, so that it is hard for other users to guess.

GIJOE and we know that many XOOPS users use XOOPS_DB_PREFIX leaving the default value "xoops", and
using the default XOOPS_DB_PREFIX is weak if some module has an SQL injection vulnerability.
So GIJOE recommends that XOOPS users use their own XOOPS_DB_PREFIX string.
(The "Oreteki" installer makes a random string the default for XOOPS_DB_PREFIX.)

Another ticket system, made by Minahito, uses the following as the salt for the random seed.
md5(XOOPS_ROOT_PATH.XOOPS_DB_NAME.XOOPS_DB_USER.XOOPS_DB_PASS)

I think it is a nice idea for making it harder to guess.

Please permit my poor English.
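
A ticket check of the kind discussed in this post, combined with the GET-deletion concern from the Google Web Accelerator post, as an added example that is not part of the original posts and is not GTicket's or Minahito's code. It swaps the guessable inputs (timestamp, PATH, configuration constants) for a CSPRNG value; the names `issue_ticket`, `check_ticket`, `TICKET_TTL` and `comment_delete` are hypothetical.

```php
<?php
// Added example; issue_ticket(), check_ticket() and 'comment_delete' are hypothetical names.
const TICKET_TTL = 1800; // ticket lifetime in seconds (assumed value)

// Issue a ticket for one form. $area only labels the ticket, the role the post
// gives GTicket's "salt"; the unpredictability comes from random_bytes().
function issue_ticket(array &$session, string $area, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['tickets'][$area] = [
        'hash' => hash('sha256', $token),
        'exp'  => $now + TICKET_TTL,
    ];
    return $token; // sent to the browser in a hidden field of the POST form
}

// Accept a state-changing request only when it is a POST carrying an unexpired,
// unused ticket for this area. A prefetcher or plain link sends GET and stops here.
function check_ticket(array &$session, string $method, string $area, string $token, int $now): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $stored = $session['tickets'][$area] ?? null;
    unset($session['tickets'][$area]); // one-time use, whether the check passes or not
    if ($stored === null || $now > $stored['exp']) {
        return false;
    }
    return hash_equals($stored['hash'], hash('sha256', $token));
}

// Constructed walk-through; $session stands in for $_SESSION.
$session = [];
$now = time();
$ticket = issue_ticket($session, 'comment_delete', $now);
var_dump(check_ticket($session, 'GET', 'comment_delete', $ticket, $now));  // link or prefetch
var_dump(check_ticket($session, 'POST', 'comment_delete', $ticket, $now)); // form submission
var_dump(check_ticket($session, 'POST', 'comment_delete', $ticket, $now)); // replay of same ticket
```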


nobunobu

Just popping in
Posted on: 2005/1/5 14:49
#9

Re: Xoops On Crack?

Hi! All, I'm nobunobu.
Quote:

The reason why I don't use dev.xoops.org at all is the security reason.
JM2 has reported xoopsforge is quite insecure.
nobunobu also says it is quite dangerous.
(Although I've never checked yet, the two persons' skill is trusted enough.)

Yes, MyXoopsForge has XSS (Cross Site Scripting) vulnerabilities in many parts.
Originally, JM2 taught me about this vulnerability.
And I fixed it only for my limited use.
I know some fixes were done up to 1.07Beta.
But it's incomplete.
So, even now, I can find some XSS vulnerabilities at dev.xoops.forge.

As GIJOE said, myXoopsForge also uses the following code to get parameters.
foreach ($HTTP_POST_VARS as $k => $v) {
    ${$k} = $v;
}
foreach ($HTTP_GET_VARS as $k => $v) {
    ${$k} = $v;
}

and many parameters are passed directly to the screen without sanitizing.

As you know, PHP is a very convenient and easy language for building dynamic web sites.
But this convenience may mislead people into making insecure sites.
Many XOOPS modules are growing and getting many functions for more convenience and usability.
But we have to take more and more care to keep security when making XOOPS Core & Modules.

So, I'm now trying to rebuild the WordPress XOOPS Module to make it more secure and to have clear logic.

P.S.
It's hard for me to write a long English article.
It took about one hour.

Regards.
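
The import loop quoted in this post, shown beside a hardened form, as an added example that is not part of the original post and is not myXoopsForge code. The functions `render_unsafe` and `render_safe`, the parameters `title`, `page` and `is_admin`, and the request data are hypothetical.

```php
<?php
// Constructed request data standing in for the GET/POST arrays; not from a real site.
$request = [
    'title'    => '<script>alert(1)</script>',
    'page'     => '3',
    'is_admin' => '1', // a parameter the page never meant to accept
];

// Before: every request key becomes a local variable, so the client can
// overwrite application state ($is_admin) and $title reaches the HTML raw.
function render_unsafe(array $request): string
{
    $is_admin = false; // set by the application
    foreach ($request as $k => $v) {
        ${$k} = $v;    // same loop as in the post
    }
    return "<h1>$title</h1>"
        . ($is_admin ? '<a href="admin.php">Admin</a>' : '');
}

// After: read only the expected keys, give each an explicit type,
// and encode for the HTML context at the point of output.
function render_safe(array $request): string
{
    $is_admin = false; // never taken from the request
    $title = isset($request['title']) && is_string($request['title'])
        ? $request['title']
        : '';
    $page = isset($request['page']) ? max(1, (int) $request['page']) : 1;

    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return "<h1>$safeTitle</h1><p>Page $page</p>"
        . ($is_admin ? '<a href="admin.php">Admin</a>' : '');
}

echo render_unsafe($request), "\n"; // raw markup and the admin link appear
echo render_safe($request), "\n";   // markup is encoded, $is_admin stays false
```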


nobunobu

Just popping in
Posted on: 2004/11/8 0:33
#10

Re:WordPress

Quote:

fnaqzna wrote:
I'm having just one problem with it. Some tard is spamming the comments section. It's the same content, slightly different email addresses and radically different IP addresses every time.

I've set it so I have to approve the comments, but the spam keeps coming. I'm looking for an alternative if this doesn't stop.

If you are using the latest WordPress release, one of the WordPress plugins, WPBlacklist 1.21, may help you.

Unfortunately the latest WPBlacklist release, 2.61, may not work correctly with the XOOPS Module, so I'm trying to make it work well with my module now.

If you can read and understand Japanese, you may also find further information on WPBlacklist 1.21
[Here - aoiro@Blog]


