Hi all, I'm nobunobu.
Quote:
The reason why I don't use dev.xoops.org at all is security.
JM2 has reported that xoopsforge is quite insecure.
nobunobu also says it is quite dangerous.
(Although I've never checked yet, the two persons' skills are trusted enough.)
Yes, MyXoopsForge has XSS (Cross Site Scripting) vulnerabilities in many parts.
Originally, JM2 told me about this vulnerability.
And I fixed it only for my limited use.
I know some fixes were done up to 1.07Beta.
But it's incomplete.
So, even now, I can find some XSS vulnerabilities at dev.xoops.forge.
As GIJOE said, myXoopsForge also uses the following code to get parameters.
// $HTTP_POST_VARS / $HTTP_GET_VARS are the old names of $_POST / $_GET.
// Every key sent by the client becomes a variable in the script (variable variables),
// so the request decides which variables exist and what they hold.
foreach ($HTTP_POST_VARS as $k => $v) {
    ${$k} = $v;
}
foreach ($HTTP_GET_VARS as $k => $v) {
    ${$k} = $v;
}
and many parameters are passed directly to the screen without sanitizing.
As you know, PHP is a very convenient and easy language for building dynamic web sites.
But this convenience may mislead people into building insecure sites.
Many XOOPS modules are growing and getting many functions for more convenience and usability.
But we have to take more and more care to keep security when making XOOPS Core & Modules.
So, I'm trying to rebuild the WordPress XOOPS Module now to make it more secure and to have clearer logic.
P.S.
It's hard for me to write a long English article.
It took about one hour.
Regards.
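As an added illustration of the pattern nobunobu quotes (this is example code, not code from nobunobu, GIJOE or myXoopsForge), the import-everything loop is shown beside an allow-list reader that escapes only at output time. The function names, the parameter names project_id / title / is_admin and the request values are all constructed for the example; $_GET / $_POST stand in for the older $HTTP_GET_VARS / $HTTP_POST_VARS, the logic being identical.

```php
<?php
// Added example, not code from nobunobu or myXoopsForge. It puts the
// import-everything pattern quoted in the post beside an allow-list reader
// that escapes only at output time. $_GET/$_POST replace the old
// $HTTP_GET_VARS/$HTTP_POST_VARS names; the logic is identical.

// The pattern from the post: every request key becomes a variable,
// so the client decides which variables exist in the script.
function import_all_request_vars(array $get, array $post): array
{
    $vars = [];
    foreach ($post as $k => $v) { $vars[$k] = $v; }  // same effect as ${$k} = $v
    foreach ($get as $k => $v)  { $vars[$k] = $v; }
    return $vars;
}

// Hardened replacement: only parameters this page declares are read,
// each is cast to its expected type, and unknown keys are dropped.
function read_params(array $get, array $post, array $spec): array
{
    $src = $post + $get;  // POST wins on collision; no variable variables
    $out = [];
    foreach ($spec as $name => $type) {
        if (!isset($src[$name]) || is_array($src[$name])) {
            continue;
        }
        $out[$name] = ($type === 'int') ? (int) $src[$name] : (string) $src[$name];
    }
    return $out;
}

// Escape at the point of output, which is where the XSS actually happens.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: a script tag in "title" and an extra key "is_admin"
// that the page never asked for (hypothetical parameter names).
$get = ['project_id' => '42', 'title' => '<script>alert(1)</script>', 'is_admin' => '1'];

$loose = import_all_request_vars($get, []);
if (isset($loose['is_admin'])) {
    echo "loose: the request created \$is_admin\n";
}
$safe = read_params($get, [], ['project_id' => 'int', 'title' => 'string']);
if (!isset($safe['is_admin'])) {
    echo "safe: is_admin ignored\n";
}
echo '<h1>' . h($safe['title']) . "</h1>\n";  // angle brackets are entity-encoded
```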