21
svaha
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 11:05

  • svaha

  • Just can't stay away

  • Posts: 896

  • Since: 2003/8/2 2


Ok, I deleted agendaX
Are there also known security flaws in pical? If not I will try that one.

22
Jan304
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 12:21

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


I'm suprised of this post by GIJOE. I always tought he was posting on a professional way, but this... Scaring people like hell and advicing to remove in place of fixing it. I hope not for own profit...

Check the post by onokazu:
http://www.xoopscube.jp/modules/news/article.php?storyid=195

You might check the Agenda-X 2.0 beta 2 version, I don't think this version has any security flaw. (edit: beta 2 has, rc hasn't)
http://sourceforge.net/project/showfiles.php?group_id=83736&package_id=109895

And again, if you goto the post by Onokazu there is a fix listed.

Update: New version released:
https://xoops.org/modules/mydownloads/singlefile.php?cid=24&lid=442

23
wjue
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 13:43

  • wjue

  • Quite a regular

  • Posts: 315

  • Since: 2002/8/3 7


I agree, scarring people in this manner is not a professional practice.

The security problem mentionned here occur only if your PHP have register_global set to ON and "remote include" also set to on, "remote include" often causing security risk is well known. The latest version (1.2.2) I released is sufficiently safe. Users of 1.2.1 version can also adopte Onokazu's simple patch.

wjue

Quote:

Jan304 wrote:
I'm suprised of this post by GIJOE. I always tought he was posting on a professional way, but this... Scaring people like hell and advicing to remove in place of fixing it. I hope not for own profit...

Check the post by onokazu:
http://www.xoopscube.jp/modules/news/article.php?storyid=195

You might check the Agenda-X 2.0 beta 2 version, I don't think this version has any security flaw.
http://sourceforge.net/project/showfiles.php?group_id=83736&package_id=99635&release_id=215592

And again, if you goto the post by Onokazu there is a fix listed.

24
wjue
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 13:49

  • wjue

  • Quite a regular

  • Posts: 315

  • Since: 2002/8/3 7


Non, Monsieur !

I just have some non related problems with my registrar.

And all my sites will be back online next week.

wjue

Quote:

DonXoop wrote:
This explains why the author's own site has been down for a few days.


25
sum
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 13:56

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12


Yesterday, it was posted in the forum that the site of SourceForge.JP had been cracked.
http://sourceforge.jp/forum/forum.php?forum_id=4153
(Japanese)
There was no report to XOOPS japan team before this notice.
And it was making abruptly public for the user.

When this notice was received and the investigation began,
the security hole remained in the corrected one the other (Reported to the vender),
and there must be a possibility that contents have already been falsified by using this hole (1.2.1 former).
Therefore, the post to the XOOPS community had been performed
before information finished being settled.

Being possible to say now,

1. Isolate a pertinent module from web browsers more temporarily than accessible places.
2. Confirm whether there are signs that the cracking was tried to the access log.
3. If signs are discovered, you must confirm whether contents are falsified at once.
(In this case, you must examine the interruption of temporary service.)
4. If it can be confirmed not to be falsified, the service is restarted with a pertinent module isolated.
5. Please wait for the continued information.

26
sum
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 15:15

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12


It is so. In the great factor in this matter a loose setting
of non-safe mode, the mistake is not found.
# And, I strongly felt that it was not possible to tell various attention
# of an environmental setting in the XOOPS.jp site.

However, it is suddenly posted that crack was done by using XOOPS in SF.jp
and it is submitted to slashdot.jp.
I was considerably surprised because there is no preliminary information, too.

27
dheltzel
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 15:50

  • dheltzel

  • Not too shy to talk

  • Posts: 164

  • Since: 2003/1/8 1


I have register_globals = Off, which is the only sane setting. So, I'm not worried about this, and don't think anyone else should be. Just check that register_globals is off and most of your security holes in PHP are closed.

This doesn't make you site invincible, but secure enough.

Dennis

28
DonXoop
Re: EMERGENCY: security hole of Agenda-X

After a lot of log investigating and translation of the comments I can say I was not cracked.

Lots of attempts though. First line of defence was register_globals = Off. If a module won't work without it then it doesn't exist on my server.
Next I specificaly disallow certain files from being called in the URL. I don't depend on the module's security only.
I also use a php log so I can see any problems. Indeed this shows up there too.
Next is careful setting of permissions.
And careful set-up of Apache/PHp/MySQL.

All is well and agenda-x is still functional.

Now, you competting coders in Asia please stop fighting...

29
svaha
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 16:38

  • svaha

  • Just can't stay away

  • Posts: 896

  • Since: 2003/8/2 2


Ok, I installed agendaX 2 Beta.
Where can I see if register_globals are of or on?

30
Mithrandir
Re: EMERGENCY: security hole of Agenda-X

Can make a little PHP page (assuming test.php):
echo $variable;
?>


and access it with this url: http://www.yoursite.com/test.php?variable=RegisterGlobalsOn

If you get "RegisterGlobalsOn" written on the screen, it is on

Login

Who's Online

135 user(s) are online (87 user(s) are browsing Support Forums)


Members: 0


Guests: 135


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Dec 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits