1
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 10:52

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


I do not need to compete with you. Because i think it is not fair to compete with people who do not have same competences on same category. You do not read my first post and you try to create competition here to make your point. I think you have other plans and different agenda to XOOPS because you do not have competences to code your application and create your community. It let me think you try to manipulate XOOPS users opinion for your interest. My first post was:

Quote:
Programmers are busy with code and moderators with support.
Users can visit frequently the security site:

here

Users can report to developers security problems.
It is easy way to contribute.

Good Luck.


You are off topic and you do not understand it is important to users to update modules and protect at minimum XOOPS sites. XOOPS need users to contribute because it is open source project. It is not me your problem. It is your lack of competences to code your own secure module or application, create your community and your interest over xoops. It is not my interest to loose time with people like you. Act intelligent and do not loose your time to reply. You have nothing to teach me. The problem is XOOPS authentification for business professional. I

Good Luck.



2
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 9:05

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


You read my first post and you tell me it is totally against XOOPSiquette? But you do not moderate people who do stupid comments after?
Because of stupid comments programmers do not contribute and XOOPS users are stuck because XOOPS do not have competent developers. I do polite comment to moderators and developers about kernel, token, session, and show 10 days ago user data vulnerability without good scan authentication. Again I do not have any other obligation. It was my free contribution.

Good Luck.



3
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 8:25

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Because of stupid comments of ignorant Mr. JAVesey, vaughan, John_N (wish you good luck with your zarilla project).


I resume constructive comments to XOOPS users :

"As several posters have said, keeping core and modules up-to-date is one of the best things people can do"
davidl2, Forum Moderator


"Apache has mod_security, XOOPS has Protector,
Windows has security add-ons, Linux has security add-ons."
skenow

Remember to install module Protector from Mr. Gijoe site
http://xoops.peak.ne.jp/

Xoops need an extra module to be less vulnerable. It is not part of core. Actual XOOPS core do not provide that minimum security.

10 days ago connection from same IP with last 3 users accounts, moderators and admins last login.
10 days ago connection from 3 different IP, Austria, Germany and Switzerland with switch 6 users accounts.

Do not keep important users data on your XOOPS site.


I repeat my first post:

Programmers are busy with code and moderators with support.
Users can visit frequently the security site:

here

Users can report to developers security problems.
It is easy way to contribute.


After audit code and I do polite comment to moderators and developers about lack of authentication layer. I am moving sites from XOOPS 2.0.16, 2.2, XOOPS Cube joomla and drupal. Because these project developers are coding new core and it is not secure for business professional.

I have no obligation to contribute and I do polite comment.
But you reply with stupid comments. Ask Mr. Herko Formerly XOOPS.org project manager to achieve administrative task.

Good Luck.



4
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 18:01

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


PM: davidl2 Re: Security 2007/3/27
PM: phppp authentication layer 2007/3/31

"Information was send to moderators and core member. But i do not have any obligation to contribute or to code. I do audit to client to move to new cms. It was politest to comment and advise members of this project about security problems they already know they need to code new core."

The core was hacked 10 days ago, not the modules. You do stupid comments because XOOPS it is not your business product but an open source project and with your attitude professionals do not come to help you. Again you do not know what you are talking about, read XOOPS code and say there is not token. My clients are moving from xoops, XOOPS 2.0.16, 2.2, xoopscube, joomla and drupal to java cms.
It is business professional choice. I do a polite comment to XOOPS users because they need at minimum a module like protector it is not part of the core. But only stupid people reply useless to show ignorance! I do not use any xoops.

Good Luck.



5
xguide
Re: Is 2.2.3 final hacker proof ?
  • 2007/4/7 6:33

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


I can not give support if you install any xoops.org version just advise you to visit Mr. Gijoe site to get the module protector and learn to protect your site.

http://xoops.peak.ne.jp/

Good Luck.



6
xguide
Re: where do i put the avatars
  • 2007/4/7 6:29

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


You should know it is not secure to use XOOPS avatars.
Xoops.org remove this user feature to secure this site.
This vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable system by introducing a specially crafted image.

Good Luck.



7
xguide
Re: Is 2.2.3 final hacker proof ?
  • 2007/4/7 6:16

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


No it is not secure. And you can read it is not recommended by XOOPS project team.

Good Luck.



8
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 6:11

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Quote:

JAVesey wrote:
Quote:
vaughan wrote:

i said that protector module will stop practically most of the exploits that you brought up in that security focus.


xguide was also told that the reports relate to old and subsequently updated modules yet still goes on and on and on and on..............

@xguide
If you don't read posts or don't understand what is said in them, are so concerned about security and think that the XOOPS core and the current modules are vulnerable then why not use a different CMS and see how you get on with it?

Much better than your continuing to post outdated drivel on here and taking other users time to correct your misunderstandings and inaccuracies.


Mr. JAVesey,
You do not understand the problem. Your ignorance it is not your fault. But you can look at those which make worse, there is no merit, but try to look those which do better you will learn and look more intelligent.
Users need alert message to secure their XOOPS sites.
You should know GPL it is not good for business. Please learn before reply. If many users post about security problems it is not good for project but it is interest to capitalize knowledge with adds.
I tell you for free about XOOPS security problems. Last week we discuss about lack of security layer of XOOPS and different developers code have made the core a patchwork. It was demonstrated here how easy it is to hack xoops.org site accounts and user data.
Information was send to moderators and core member. But i do not have any obligation to contribute or to code. I do audit to client to move to new cms. It was politest to comment and advise members of this project about security problems they already know they need to code new core.
It is important to remember members to update modules and server software. Because xoops.org repository it is not up to date. And the XOOPS distributed package is not secure because its core only provide a simple token system. Users need extra protection. They need at minimum a module like Protector but this module do not come with XOOPS package.

Good Luck.



9
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/6 6:21

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Do you know a programming language and you think Ajann contribution is not good to secure xoops? Users do not need alert and you think it is better to see victims of hacks on the forums?

Read a good article with good decision to do with futur XOOPS development.

"We are trying to get the word out there to developers that they have at least one brand new security consideration that they didn't have before," said Chess, who co-authored the report.

"Usually we security guys are coming along long after the fact. But this time, we have a chance to fix the problem before it really matters."

"This is a case where even educated developers didn't know it was a big deal because even the security community didn't know it was there," Chess said.

oice to make," said Fortify's Chess. "In terms of disclosing details about a vulnerability, the right thing to do is to tell the developer about it and give them a chance to patch it.

"But the problem here is that we are talking about a vulnerability that is in so many different frameworks and there are so many people not using frameworks, that we want to give everyone a chance to fix it at once, and that meant announcing it," he said.

http://www.securityfocus.com/news/11456



10
xguide
Xoops and Modules Vulnerabilities
  • 2007/4/4 16:18

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Programmers are busy with code and moderators with support.
Users can visit frequently the security site:

here

Users can report to developers security problems.
It is easy way to contribute.

Good Luck.




TopTop
(1) 2 3 4 »



Login

Who's Online

81 user(s) are online (54 user(s) are browsing Support Forums)


Members: 0


Guests: 81


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits