91
Mithrandir
Re: Xoops On Crack?

Quote:
And the second step,
Use ticket system for preventing it from CSRF.

Step 1 (removal of foreach ($_SUPERGLOBAL) and extract ($_SUPERGLOBAL) ) completed in 2.1

I will work on implementing XoopsGTicket in 2.1 as well.

92
svaha
Re: Xoops On Crack?
2005/1/5 12:52 | Just can't stay away | Posts: 896 | Since: 2003/8/2 2


A solution could be that every 'local' community site forms a kind of documentation team, that translates the local activities to english and the activities of the main community into the local language.

93
carnuke
Re: Xoops On Crack?
2005/1/5 12:59 | Home away from home | Posts: 1955 | Since: 2003/11/5


There appears to be at least 2 important forks to this thread:

- The logistics of integrating support for security issues
- Ongoing technical changes to improve security.

Ergo, I move to create a more formalised discussion of these subjects.

94
kiwiguy
Re: Xoops On Crack?
2005/1/5 13:37 | Friend of XOOPS | Posts: 295 | Since: 2004/4/19


Sorry, I could not help myself: when I saw the subject "Xoops on Crack" I immediately thought that drugs were illegal, and I wonder what XOOPS looks like stoned...

Sorry, I think I'll come back when I am sober, haha. Carry on.

kiwiguy (hiccup)

95
nobunobu
Re: Xoops On Crack?
2005/1/5 14:49 | Just popping in | Posts: 60 | Since: 2004/5/23


Hi all, I'm nobunobu.
Quote:

The reason why I don't use dev.xoops.org at all is the security reason.
JM2 has reported xoopsforge is quite insecure.
nobunobu also says it is quite dangerous.
(Although I've never checked yet, the two persons' skill is trusted enough.)

Yes, MyXoopsForge has XSS (Cross Site Scripting) vulnerabilities in many parts.
Originally, JM2 taught me about this vulnerability,
and I fixed it only for my limited use.
I know some fixes were done up to 1.07Beta,
but it's incomplete.
So, even now, I can find some XSS vulnerabilities at dev.xoops.forge.

As GIJOE said, myXoopsForge also uses the following code to get parameters:

    foreach ($HTTP_POST_VARS as $k => $v) {
        ${$k} = $v;
    }
    foreach ($HTTP_GET_VARS as $k => $v) {
        ${$k} = $v;
    }

and many parameters are passed directly to the screen without sanitizing.

As you know, PHP is a very convenient and easy language for building dynamic web sites.
But this convenience may mislead people into making insecure sites.
Many XOOPS modules are growing and getting many functions for more convenience and usability.
But we have to take more and more care to keep security when making the XOOPS core and modules.

So I'm trying to rebuild the WordPress XOOPS module to make it more secure and to have clearer logic now.

P.S.
It's hard for me to write a long English article.
It took about one hour.

Regards.
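The post above quotes the "copy every request parameter into a local variable" pattern and says the values reach the screen unsanitised. The following is an added example, not code from XOOPS or myXoopsForge, that puts the vulnerable pattern beside a hardened version so the two failure modes (client-controlled variable overwrite and reflected XSS) can be seen on one constructed request. The parameter names `q` and `isAdmin` and the function names are this example's own; `$request` stands in for `$HTTP_GET_VARS` / `$_GET`.

```php
<?php
// Added example, not XOOPS or myXoopsForge code. $request stands in for
// $HTTP_GET_VARS / $_GET; the parameter names 'q' and 'isAdmin' are made up.
declare(strict_types=1);

// Constructed request: the visitor supplies 'q' as the form expects, and also
// smuggles in 'isAdmin', a name the script never meant to accept from a client.
$request = [
    'q'       => '<script>alert(1)</script>',
    'isAdmin' => '1',
];

// --- Vulnerable pattern (the loop quoted in the post) ----------------------
function vulnerablePage(array $request): array
{
    $isAdmin = false;                 // decided by the application...
    foreach ($request as $k => $v) {
        ${$k} = $v;                   // ...then silently overwritten by the client.
    }                                 // extract($request) has the same effect.
    // $q is interpolated straight into HTML: reflected XSS.
    $html = "<p>Results for: $q</p>";
    return ['isAdmin' => (bool) $isAdmin, 'html' => $html];
}

// --- Hardened pattern --------------------------------------------------------
function hardenedPage(array $request): array
{
    $isAdmin = false;                 // nothing in the request can touch this
    // 1. Read only the parameters this script actually expects, by name.
    $q = isset($request['q']) ? (string) $request['q'] : '';
    // 2. Escape at the output boundary so the browser renders text, not markup.
    $safeQ = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = "<p>Results for: $safeQ</p>";
    return ['isAdmin' => $isAdmin, 'html' => $html];
}

$bad  = vulnerablePage($request);
$good = hardenedPage($request);

echo "vulnerable: isAdmin=", var_export($bad['isAdmin'], true), "\n", $bad['html'], "\n";
echo "hardened:   isAdmin=", var_export($good['isAdmin'], true), "\n", $good['html'], "\n";
```

Run it with `php example.php`. The vulnerable branch ends up with `$isAdmin` set from the query string and the `<script>` tag echoed verbatim; the hardened branch keeps `$isAdmin` as the application set it and emits `&lt;script&gt;...`. Note that `extract($request, EXTR_SKIP)` would stop the overwrite of already-defined variables but still creates arbitrary new ones, so reading named parameters is the safer replacement.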

96
GIJOE
Re: Xoops On Crack?
2005/1/5 20:21 | Quite a regular | Posts: 265 | Since: 2003/8/13


hi Mithrandir.
Quote:
I will work on implementing XoopsGTicket in 2.1 as well.

'G' just means my personal use.

Please name them generally for the core:

class XoopsTicket instead of XoopsGTicket
$_SESSION['XOOPS_STUBS'] instead of $_SESSION['XOOPS_G_STUBS']
$_POST['XOOPS_TICKET'] instead of $_POST['XOOPS_G_TICKET']

97
Mithrandir
Re: Xoops On Crack?

Ok, thanks - did wonder if a "GTicket" was a term that was universally accepted

Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess? I notice that you use it together with __FILE__ - but that is something a clever hacker could find out, isn't it? Or is it simply that it will make it even more annoying to figure out, when combined with the time and the other things going into the encryption?

98
brash
Re: Xoops On Crack?
2005/1/5 22:45 | Friend of XOOPS | Posts: 2206 | Since: 2003/4/10


Wow! What a great read. English is one of the hardest languages to learn; I struggle with it every day and it is my native tongue. I'd just like to say how much it is appreciated that members from the very active Japanese communities are making such an effort to clarify things for us.

99
nobunobu
Re: Xoops On Crack?
2005/1/5 23:27 | Just popping in | Posts: 60 | Since: 2004/5/23


Hi Mithrandir.
Quote:

Mithrandir wrote:
Ok, thanks - did wonder if a "GTicket" was a term that was universally accepted

Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess? I notice that you use it together with __FILE__ - but that is something a clever hacker could find out, isn't it? Or is it simply that it will make it even more annoying to figure out, when combined with the time and the other things going into the encryption?


In the strict meaning, the "salt" parameter in GTicket is not a "salt" for the random seed.
The GTicket salt may only be used for identifying each ticket token.
So he uses it together with __FILE__ to get a unique identifier easily.

In the GTicket system logic, the token is generated with a timestamp, the PATH environment variable and XOOPS_DB_PREFIX, so that it is hard for other users to guess.

GIJOE and we know that many XOOPS users leave XOOPS_DB_PREFIX at the default value "xoops", and
using the default XOOPS_DB_PREFIX is weak if some module has an SQL injection vulnerability.
So GIJOE recommends that XOOPS users use their own XOOPS_DB_PREFIX string.
(The "Oreteki" installer generates a random string for the XOOPS_DB_PREFIX default.)

Another ticket system, made by Minahito, uses the following as the salt for the random seed:
md5(XOOPS_ROOT_PATH.XOOPS_DB_NAME.XOOPS_DB_USER.XOOPS_DB_PASS)

I think it is a nice idea for making it harder to guess.

Please forgive my poor English.
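Posts #97 and #99 above discuss how a ticket system defends forms against CSRF and what the "salt" is for: an identifier for the form (hence `__FILE__`), while unguessability has to come from elsewhere. The following is an added example, not GIJOE's XoopsGTicket or Minahito's code, showing the shape of such a system: issue a per-form ticket, remember its stub in the session, verify and burn it on POST, and expire it by time. It answers the guessability question differently from the thread by taking unpredictability from `random_bytes()` and a keyed hash with a server secret rather than from environment-derived constants. The class name `Ticket`, the session key `CSRF_STUBS`, the field name `CSRF_TICKET` and `$serverSecret` are this example's own names, not XOOPS names.

```php
<?php
// Added example, not XoopsGTicket. Names (Ticket, CSRF_STUBS, CSRF_TICKET,
// $serverSecret) are invented for illustration. Requires PHP 8.
declare(strict_types=1);

final class Ticket
{
    private const SESSION_KEY = 'CSRF_STUBS';

    public function __construct(private string $serverSecret) {}

    // Issue a ticket for one form. $area plays the role of the GTicket "salt":
    // it only identifies which form the ticket belongs to (e.g. __FILE__) and
    // need not be secret. Unguessability comes from random_bytes() and the
    // HMAC keyed with $serverSecret, not from $area.
    public function issue(string $area, int $ttlSeconds = 1800): string
    {
        $nonce   = bin2hex(random_bytes(16));
        $expires = time() + $ttlSeconds;
        $token   = $this->mac($area, $nonce, $expires);
        // Stub kept server-side so a ticket can be used exactly once.
        $_SESSION[self::SESSION_KEY][] = ['area' => $area, 'nonce' => $nonce, 'expires' => $expires];
        return "$nonce:$expires:$token";
    }

    // Verify a submitted ticket: well-formed, not expired, MAC valid for this
    // area, and a matching unused stub exists in the session.
    public function check(string $area, string $submitted): bool
    {
        $parts = explode(':', $submitted);
        if (count($parts) !== 3) {
            return false;
        }
        [$nonce, $expires, $token] = $parts;
        $expires = (int) $expires;
        if ($expires < time()) {
            return false;
        }
        if (!hash_equals($this->mac($area, $nonce, $expires), $token)) {
            return false;
        }
        foreach ($_SESSION[self::SESSION_KEY] ?? [] as $i => $stub) {
            if ($stub['area'] === $area && hash_equals($stub['nonce'], $nonce)) {
                unset($_SESSION[self::SESSION_KEY][$i]); // burn the stub: one ticket, one POST
                return true;
            }
        }
        return false;
    }

    private function mac(string $area, string $nonce, int $expires): string
    {
        return hash_hmac('sha256', "$area|$nonce|$expires", $this->serverSecret);
    }
}

// --- Demo with a simulated session and constructed submissions -------------
$_SESSION = [];                                   // stand-in for session_start() on the CLI
$ticket   = new Ticket(bin2hex(random_bytes(32))); // real deployments: a fixed per-site secret stored outside the web root

$form = __FILE__;                                 // area identifier, as GTicket uses __FILE__
$t    = $ticket->issue($form);
echo '<input type="hidden" name="CSRF_TICKET" value="', htmlspecialchars($t), "\">\n";

$post = ['CSRF_TICKET' => $t];                    // constructed legitimate submission
var_dump($ticket->check($form, $post['CSRF_TICKET']));            // first use of the ticket
var_dump($ticket->check($form, $post['CSRF_TICKET']));            // second use of the same ticket
var_dump($ticket->check($form, 'deadbeef:' . (time() + 60) . ':0000')); // forged ticket, no MAC
var_dump($ticket->check('other.php', $ticket->issue($form)));      // valid ticket, wrong area
```

Only the first `check()` call succeeds: the replay fails because the stub was removed, the forged value fails the MAC, and a ticket issued for one form is rejected on another. Knowing `__FILE__` or the timestamp buys an attacker nothing here, because they cannot compute the HMAC without the server secret, which is the property the thread is reaching for when it proposes mixing in `XOOPS_DB_PREFIX` or `md5(XOOPS_ROOT_PATH.XOOPS_DB_NAME.XOOPS_DB_USER.XOOPS_DB_PASS)`.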

100
m0nty
Re: Xoops On Crack?
2005/1/5 23:57 | XOOPS is my life! | Posts: 3337 | Since: 2003/10/24


I agree with Brash.. I'm loving this thread, it's rather informative, and even from a non-coder point of view (me) I'm pretty much understanding what's going on..

@nobunobu, no apology needed there, I followed it pretty easily and your explanation was easily understood :)
