81
GIJOE
Re: Xoops On Crack?
  • 2005/1/5 9:45

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi hervet.

The best documentation in I've ever seen is the one minahito wrotes.
But it just a Japanese.

I can't describe the documentation for scurity well in English.

Anyway, you should know this:
foreach( $_POST as $k => $v ) { ${$k} = $v ; }

extract$_POST ) ;

Both are MUST avoidable coding.

82
giba
Re: Xoops On Crack?
  • 2005/1/5 9:48

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Quote:

GIJOE wrote:
Thus I made MEMO inside the archive.
I believe that it is a good documentation to understand the action of Protector.
But it is written in Japanese.


@Gijoe - Our Yuji/FutureSpy collaborator could translate this document?

83
GIJOE
Re: Xoops On Crack?
  • 2005/1/5 10:06

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:
why you dont open a project at dev.xoops.org for your protector module? IMHO its the best place for everyone want to develope a module and all people can support it with send bugs and features.

The reason why I don't use dev.xoops.org at all is the security reason.
JM2 has reported xoopsforge is quite insecure.
nobunobu also says it is quite danger.
(Although I've never checked yet, the two person's skill is trusted enough.)

What can I do if the site is cracked and the archive of Protector is replaced maliciouly?

And I don't know the skill of the server's adminstrator.
Since PEAK XOOPS is administrated by me, I can believe the skill a little at least

Moreover, I don't like the interfaces of newbb2.
It works quite buggy with IE5.

And newbb2 is also insecure with XSS.
(Of course, I'll never demonstrates XSS in this site.)

newbb2 kept me away from http://www.xoops.org or dev.xoops.org ...
(Although I respest Predator...)

-----
(edit)
I've just learnt newbb2 looks not so buggy with Opera.
But it is too many javascripts in fact.

84
GIJOE
Re: Xoops On Crack?
  • 2005/1/5 10:18

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


I respect Yuji/FutureSpy.
He made efforts creating the language files for Protector.
I think people who speak Spanish should thank to him.

Anyway, his read/write Japanese very well.
Perhaps, it is the best way to be translated by him for Brazillians.

85
GIJOE
Re: Xoops On Crack?
  • 2005/1/5 10:24

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi Mithrandir.
Quote:

GIJOE has already told me that he would be happy to see Protector code integrated in the XOOPS core, but I had hoped he would play a more active role in this implementation and as official security officer - I hope GIJOE is considering this (he would get back to me shortly) and will keep you informed, when I get something more to say.

Don't misunderstand it, please.

The action of Protector is like a plaster.

If there is no injury, plaster is no use.

You -core develpper- should make the core without injury instead of making plasters.

Anyway, eliminate foreach($_POST...) or extract($_POST) from the codes of core.
This is the 1st step.

86
GIJOE
Re: Xoops On Crack?
  • 2005/1/5 10:29

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


And the second step,
Use ticket system for preventing it from CSRF.

(Protector is fundamentally good-for-nothing against CSRF)

The class of XoopsGTicket will be a good sample for you.

Don't forget adding the ticket into not only posting stage but also previewing stage.

87
hervet
Re: Xoops On Crack?
  • 2005/1/5 10:36

  • hervet

  • Friend of XOOPS

  • Posts: 2267

  • Since: 2003/11/4


Hi GIJOE,

Your advices are really useful. Thank you very much for this.

Could it be possible for you to prepare a short document with, may be if it's "shorter" for you, some references to other documents on what to do and what not to do and why not publish it on dev.xoops.org or in the wiki please ?

PS : A question I always have, is the admin part of a module safe ?

Bye,
Hervé

88
carnuke
Re: Xoops On Crack?
  • 2005/1/5 10:39

  • carnuke

  • Home away from home

  • Posts: 1955

  • Since: 2003/11/5


Thank-you GIJOE for expressing your own feelings regarding your "demonstration" I hope others will accept this and not criticise you too severely. Sometimes actions speak louder than words and when there are language barriers, a demonstration can at least prove a point.

As Mith said, your committments are respected, but could you accept at least the role of "Advisor" ? And what about these other developers, JM2 and nobunobu, would they also be interested in adding their comment/ skills in a team effort for the security of xoops?

Surely we must work together wherever possible and share our resources for a common purpose. Lay aside any bad feelings that may be. The language need not be a barrier, if good will and co-operation is felt by all parties.

[edit] sorry nobunobu for spelling your name incorrectly. Now edited.

89
danielh2o
Re: Xoops On Crack?
  • 2005/1/5 11:03

  • danielh2o

  • Just popping in

  • Posts: 47

  • Since: 2004/10/19


Quote:
Anyway, eliminate foreach($_POST...) or extract($_POST) from the codes of core.
This is the 1st step.

Quote:
And newbb2 is also insecure with XSS.

Quote:
And the second step,
Use ticket system for preventing it from CSRF




GIJOE,
Thanks, please tell us more... all security issues you noticed about current XOOPS core and other famous modules, would you mind to share the solutions(if any) to fix too?
At least, all xoopsers should be alerted for all opened-holes...


Xoops Proj.Manager(s) or Dev.Team(s),
Should there be a security guidelines accompany with XOOPS development guidelines(if any)?
I think it is good for setting up a common practice...

90
rowdie
Re: Xoops On Crack?
  • 2005/1/5 11:10

  • rowdie

  • Just can't stay away

  • Posts: 846

  • Since: 2004/7/21


Thank you GIJOE for posting here and explaining a few things, it is very much appreciated by all.

About documentation... why don't you just write in your native language and ask on the Japanese forums if someone can translate it to English for you? Writing documents is difficult in any language, but translating is easier, so you'll probably easily find people willing to help. What do you think?

Rowd

Login

Who's Online

322 user(s) are online (262 user(s) are browsing Support Forums)


Members: 0


Guests: 322


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits