xoops forums

Board index » All Posts (Vahrokh)




Vahrokh
Just popping in
Posts: 16
Since: 2005/1/17
Posted on: 2005/8/2 8:18
#1

Re: A small suggestion :: Security

Quote:

After MyWebResource was hacked, I discovered that cPanel had this nice little feature to manage Apache indexes. The problem is, by default, this feature is set to fancy indexing. This basically means that if you do not have a index.* in every folder, Apache will generate one for you, thus allowing anyone in the world to browse the folder structure of your site. NOT GOOD!

....

I may just be p@r@n01d, but hey, if you're not p@r@n01d, you're not paying attention.

/2 cents

Best Regards,

JMorris


While I agree that placing such files is a good practice, I don't agree when you make it look like they are needed for site security, nor do I agree that letting people browse the folder structure of the site should make you throw a fit.

If you set the right permissions for the few sensitive folders, you are set (yet, put those index and .htaccess files in _every_ 777-flagged folder; they are possible open holes even after that). Either the curious "digging" user will see nothing (when he opens a PHP file, Apache executes it rather than showing the source) or he will see some random picture he'd see browsing the site anyway.

Of course security by obfuscation helps, but it's not enough. You may place every index.html and .htaccess in the world, but if you don't protect the sensitive folders with true system rights, anyone knowing how XOOPS works can attempt to break into your site.

This is the only thing I never liked about XOOPS and other easy-to-install portals: too often the modules want you to create 777-flagged folders and then slap stuff inside them. After some time installing and uninstalling stuff, the amount of freely accessible folders tends to grow, and the more there are, the worse.
And if you get co-workers or consultants working on the site, they very easily tend to mess with freely accessible folder rights the first time they get an access denied error while developing their stuff.
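
An added example, not code from this thread, from XOOPS or from cPanel, showing how a defender would audit a document root for the two conditions the post above describes: 777-flagged (world-writable) folders, and folders Apache's autoindex would list because they hold neither an index file nor a local .htaccess with `Options -Indexes`. The sample directory layout, the index file names and the helper names are constructed assumptions.

```python
import os
import stat
import tempfile

# Hypothetical audit helper written for this thread, not XOOPS or cPanel code.
INDEX_NAMES = ("index.html", "index.htm", "index.php")

def htaccess_disables_indexes(path):
    """True if the .htaccess at path has an 'Options' line carrying '-Indexes'."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                tokens = [t.lower() for t in line.split()]
                if tokens and tokens[0] == "options" and "-indexes" in tokens[1:]:
                    return True
    except OSError:
        pass
    return False

def audit_docroot(root):
    """Flag world-writable (777-style) dirs and dirs that Apache autoindex would
    list: no index file and no local .htaccess with 'Options -Indexes'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        has_index = any(f in INDEX_NAMES for f in files)
        indexes_off = ".htaccess" in files and htaccess_disables_indexes(dirpath + "/.htaccess")
        if not has_index and not indexes_off:
            findings.append((rel, "listable"))
    return sorted(findings)

def demo():
    """Build a constructed sample docroot in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    def make_dir(name, mode, files=()):
        path = os.path.join(root, name)
        os.mkdir(path)
        for fname, content in files:
            with open(os.path.join(path, fname), "w") as fh:
                fh.write(content)
        os.chmod(path, mode)  # set explicitly so the umask does not matter

    open(os.path.join(root, "index.php"), "w").close()  # front controller stub
    make_dir("uploads", 0o777)                                        # writable, listable
    make_dir("cache", 0o777, [(".htaccess", "Options -Indexes\n")])  # writable only
    make_dir("images", 0o755)                                         # listable only
    make_dir("modules", 0o755, [("index.html", "")])                  # clean
    return audit_docroot(root)
```

The check only reads per-directory .htaccess files, so a server-wide `Options -Indexes` in httpd.conf would still show these folders as listable; the 777 finding is the one the post says matters regardless.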


Vahrokh
Posted on: 2005/7/21 11:39
#2

Re: Which internet-grands use XOOPS?

Quote:

So, if you say that it is a signal that the XOOPS community doesn't have (m)any high profile sites on its list of clients, then I disagree. At least when you say it is a signal about the quality of the system.


I have seen lots of XOOPS sites around; they just don't go around with a big e-p3nis stick about it.

E.g. I myself have co-developed like 10 sites, some of them visited by a sizable number of visitors, but one of the contract clauses was not to make public the solutions we used. I left that job while we were studying, with the customer, a site with about 2.5M visits a day.

I see XOOPS as a professional's tool, something you love and use every day for regular customers, not something flashy to boast about to raise its market share.


Vahrokh
Posted on: 2005/7/21 11:30
#3

Re: Which internet-grands use XOOPS?

Ok, no big sites use Xoops, XOOPS is just used by my grandma's "Old Aunt Mary's Cake Recipes".

Now that you know the oh so sad truth please move to Drupal and have a blast with it.


Vahrokh
Posted on: 2005/6/1 8:27
#4

Re: XOOPS is forked

There are forks like those that happened to PHPNuke. To overcome technical limitations, limited architecture etc.

Then there are the personality based forks.

Guess what? It's sad to see a product with much potential being torn apart and forked because of litigations and not because of technological problems.

Don't tell me it's impossible to merge forces to make a cool-looking AND secure AND lightweight API Xoops, because you know the truth: it's BS. From the (possibly uninformed, but that's what you have) "end user" point of view, all of this is just a huge ego war.

And know what? My company, which relied on XOOPS after the big PostNuke drama, will have to move to other products. We are already discussing it, and I am being held responsible for the "bad choice" (we invested about 2 man-years in XOOPS-based works that have to be kept up to date and security patched, etc. etc.).

Serious operations need to know that they are not wasting time, money, effort and research on something that will implode to dust. The uncertainty is, after all, what keeps big companies from going full open source (the eternal question: "what if this critical application dies / becomes obsolete and no updates are done? Who wants to be responsible for it?").

In my humblest opinion, uncontrolled forks galore are one of the biggest open source project killers.
Sure, a fork may lead to a better product. May.
But how many forks water down projects till they smear into oblivion?

Sorry for the harsh post. I am pissed a lot. And in trouble in my job because of this sorry event.


Vahrokh
Posted on: 2005/6/1 7:51
#5

Re: My thoughts on Whats going on with Xoops

Quote:
Why can't it be made public because it is customised? (plea, not criticism )


Because we got asked to create custom editors, a custom image manager (less powerful than the default one, but... we can only do what the customer wants...), custom printing, custom SEO by page, URL and other things... I don't see it being merged back into the official source easily at all.


About WF-Sections and it being abandoned: some modules are just too good and powerful to "die". Someone will maintain them because they are more useful and featured than most of similar others, so I am positive about it going on.

Even the criticized newbb is better than it seems.
Just tweaking it a bit helps, and most of all removing the "bogus behavior" tied to each image (try HTTPSpy with a newbb page to see what I mean), which on our test computers made the module excruciatingly slow to load on Explorer (it worked fine on Netscape and Firefox).

Last and not least, we tried most of the DHTML editors out there. The Wysiwyg editor that is already hot on the Xoopseditors list, because it's well integrated with the XOOPS image editor itself, proved to be the best at being fast, portable and easily customized, and it can produce real W3C-validating XHTML code, unlike "cooler editors" like Spaw and others (we had to certify each and every page of the site as W3C compliant with the W3C Validator). We had to fix several minor bugs, but they are minor (especially in the property editors: they loaded much stuff off badly built URLs).

We used several other modules too. None was 100% ready "as is", but the overall quality was more than good, so I don't think XOOPS suffers from some "crappy modules" syndrome.
Sure, you will find a module slapped together, released half done and never updated, but they are easy to spot and to avoid.


Vahrokh
Posted on: 2005/5/31 11:26
#6

Re: My thoughts on Whats going on with Xoops

About WF-Section

I have been responsible in my company for making an XHTML- and accessibility-compliant, documented and, most of all, "working" version of WF-Section.

While it's deeply customized, so it cannot be made public, one thing I can tell for sure: it's a hell of a lot of work (the manual alone is 120 pages with pictures).

In easier words: WF-Section needs at least one dedicated guy just for maintaining it, which is a no-go for busy people like the XOOPS devs.

About the default modules being crap:
When I enter the XOOPS site, it says "powered by You".

Yeah, like other commendable open source initiatives, you get a nice product, and for free. But "powered by You" means that You are supposed to help in the project; otherwise You will get the default stuff and thank others for having done those "crap" modules, which would not exist at all if some generous people had not donated their time for them.

Want it better? Want it different? Good, they are waiting for your shining better module, which they will happily include in their module pack.


Vahrokh
Posted on: 2005/5/31 10:52
#7

Re: Is XOOPS used for business applications?

We are developing a lot of business web sites based on XOOPS and customizations for it (sorry, I cannot disclose the URLs of our customers). Intranets too, since XOOPS is good for publishing internal documentation and for hosting custom modules to manage employees and other administrative tasks.

We work now with Public Administration too. They wanted a fully XHTML- and accessibility-compliant XOOPS release, so we built it for all the most important modules (i.e. wf-section, newbb, the Wysiwyg editor and other important modules). WF-Section and Newbb proved to be very long to fix (and we had to make newbb like 10 times faster to meet the specifications), but the end result is outstanding and really professional (eh eh, sorry if I seem too proud of it... because I am).

So go for professional XOOPS sites, you won't be disappointed.


Vahrokh
Posted on: 2005/5/19 8:51
#8

Re: What's going on with XOOPS

I'll throw my 2 ugly cents at this; 2 cents that come from a "random nameless XOOPS user / mod developer" and how he feels about all of this.

The feeling I have is of a former "Xoops is my creature" developer who sees that the direction of the software is not following his will any more and so decides to branch off it and do another release closely following his "directions" and style.
I won't judge this action because it's useless to the continuation of this branch of Xoops.

I will instead say that this moment of great weakness for XOOPS can be turned to great advantage with good timing and community management: XOOPS can now make the big leap from the former "son of a single man" concept (with many contributors) to shared source (shared source = with many protagonists that add to it since the planning phase).
Of course managing the new course will be really difficult, due to the fact that the entropy of a large group of "protagonists" can easily slip out of control and disintegrate the development into shards of sub-branches of litigants, etc.

But if the effort succeeds, it will lead to a fully "community oriented and made" (sorry for my awful English) software that will surpass any "single guru centric" effort.

As for the JP release: you JP guys should think that whoever comes to your site should be able to understand something of it, especially when you put up an official JP XOOPS home page.
As of now, navigating the site for information on the new software is impossible; it's like those sites in strict German or French (with no English translation) that automatically cut off all non-German and non-French people looking for their contents.


Vahrokh
Posted on: 2005/5/13 11:18
#9

Re: Call for additional heads (and hands)

Quote:

solo71 wrote:
Quote:

marcan wrote:

So let's look ahead of us and let's build something greater than ourselves !


I like this guy !



Me too.

After all this is what XOOPS means to me.

"Normal, average people that are put together bring up something BIG".

The better the community, the bigger the BIG becomes.

My 2 dragon cents...
