101
Anonymous
Re: Xoops On Crack?
  • 2005/1/6 0:50

  • Anonymous

  • Posts: 0

  • Since:


Quote:

GIJOE wrote:
Moreover, I don't like the interfaces of newbb2.
It works quite buggy with IE5.


In which way? Can you give more info on this statement, so we can fix this.

Quote:

And newbb2 is also insecure with XSS.
(Of course, I'll never demonstrate XSS on this site.)

newbb2 kept me away from www.xoops.org or dev.xoops.org ...
(Although I respect Predator...)


So it would be nice to know where the points are in newbb 2.0 which are supposed to be insecure, so we can fix them. The issues which Onokazu described on dev.xoops.org have been added and fixed and will come with newbb 2.0.1, which will then be the official release. If there are more, please send me a hint by PM or email so they can be fixed.

As for myxoopsforge, this module is nearly 1 year old and followed the coding style that old modules from that time had; many old core modules from that time use this style of coding and had never heard anything about security.

myxoopsforge is currently being reworked in many parts, also in security, by mercibe and his team; I will also drop in later to rework this big module.

102
minahito
Re: Xoops On Crack?
  • 2005/1/6 1:50

  • minahito

  • Just popping in

  • Posts: 6

  • Since: 2004/6/29


Quote:

Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess?

Yes, you are right.

I think as follows:

'XOOPS_PREFIX' should be the 'salt'. (See the Mozilla Thunderbird user's directory prefix.)
If 'XOOPS_PREFIX' is set up at random, we can write code:
$salt = XOOPS_ROOT_PATH . XOOPS_PREFIX;


A user who doesn't set up 'XOOPS_PREFIX' at random will be helped by this script. This script changes 'XOOPS_PREFIX'. But there is a risk, because there is no English document.

If a programmer reads the code, he will know all of the script. I hope that he introduces the script in English.

Translation of the document isn't important. I learned many 'programming techniques' from American books written in English. (We can buy American books on Amazon Japan.) But I can't read English.

We may not be able to talk and exchange a document, because many Japanese aren't good at English. But we can exchange 'program code'. 'Program code' is an excellent international language for us. That is better than Esperanto.

103
hervet
Re: Xoops On Crack?
  • 2005/1/6 8:26

  • hervet

  • Friend of XOOPS

  • Posts: 2267

  • Since: 2003/11/4


Mith,

Do you think that the XoopsTicket class will be available in the 2.0.x series?

Bye,
Hervé

104
GIJOE
Re: Xoops On Crack?
  • 2005/1/6 8:42

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

Mithrandir wrote:
Ok, thanks - did wonder if a "GTicket" was a term that was universally accepted

Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess? I notice that you use it together with __FILE__ - but that is something a clever hacker could find out, isn't it? Or is it simply that it will make it even more annoying to figure out, when combined with the time and the other things going into the encryption?

Where do I use __FILE__ as salt?
I use __LINE__ instead of __FILE__.
Although the caller's __FILE__ is static, the caller's __LINE__ varies with the version of the file. (It makes it harder to guess.)

The other topics have been already written by nobunobu. (Thanks!)

Quote:

nobunobu wrote:
In the GTicket system logic, the token is generated with a timestamp, the PATH environment variable and XOOPS_DB_PREFIX, which is hard for other users to guess.

GIJOE and we know that many XOOPS users leave XOOPS_DB_PREFIX at the default value "xoops", and
using the default XOOPS_DB_PREFIX is weak if some module has a SQL injection vulnerability.
So GIJOE recommends that XOOPS users should use their own XOOPS_DB_PREFIX string.
(The "Oreteki" installer makes a random string for the XOOPS_DB_PREFIX default.)

This is just what I want to say.

I think it is enough to prevent malicious guessing by this combination:
__LINE__ * microtime() * XOOPS_DB_PREFIX * $_SERVER['path']

105
GIJOE
Re: Xoops On Crack?
  • 2005/1/6 8:50

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Hi minahito.
It sounds strange that I talk to you in English.

Quote:

A user who doesn't set up 'XOOPS_PREFIX' at random will be helped by this script. this script changes 'XOOPS_PREFIX'. but, there is risk, because there is no English document.

Don't mind.
I've already translated it.

See the thread:
XOOPS_DB_PREFIX' clarification

brash made a more modified one, though I've never tested it yet.

I hope it is added into XoopsFAQ.

106
GIJOE
Re: Xoops On Crack?
  • 2005/1/6 9:07

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Hi Predator.

First, I apologize to you for my absence from developing newbb2, whatever I promised.

Quote:

Quote:

GIJOE wrote:
Moreover, I don't like the interfaces of newbb2.
It works quite buggy with IE5.

In which way? Can you give more infos to this statment, so we can fix this.

As I wrote.

With IE5...
- Can't display the JavaScript drop-down (often succeeds, often fails)
- Often redirects somewhere after 0-30 sec of viewing
- Some threads can't be read at all. (403 error)

Anyway, newbb2 uses too much JavaScript.
How can I change 'older'->'newer' if JavaScript is disabled?

I believe JavaScript should be a hobbit instead of the shoe workman himself.

Quote:

So would be nice to now where the point are in the newbb 2.0 which shall be insecure so we can fix them. The issues which has Onokazu discribed on dev.xoops.org are added and fixed and comes with the Newbb 2.0.1 which will then the official release, if there are more please send me a hint by PM or email, so it can be fixed.

Perhaps it's just missing the point.
minahito reported that 2.0.1 patches a strange point instead of the point of the XSS injection.
I'll tell you if I have free time.

107
nobunobu
Re: Xoops On Crack?
  • 2005/1/6 9:24

  • nobunobu

  • Just popping in

  • Posts: 60

  • Since: 2004/5/23


Hi GIJOE
Quote:

GIJOE wrote:
Where do I use __FILE__ as salt?
I use __LINE__ instead of __FILE__.
Although the caller's __FILE__ is static, the caller's __LINE__ varies with the version of the file. (It makes it harder to guess.)

Oooooo..oops, I didn't notice the word "__FILE__" in Mithrandir's post.
I firmly believed this word was "__LINE__".
Maybe Mithrandir also made a typo in his post.
Quote:

Hi minahito.
It sounds strange that I talk to you in English.

Me too!!

108
Mithrandir
Re: Xoops On Crack?

Quote:

GIJOE wrote:

Where do I use __FILE__ as salt?
I use __LINE__ instead of __FILE__.
Although the caller's __FILE__ is static, the caller's __LINE__ varies with the version of the file. (It makes it harder to guess.)

I'm sorry, you do use __LINE__. I just can't read something and write it down elsewhere, it seems.

Quote:

Quote:

nobunobu wrote:
In the GTicket system logic, the token is generated with a timestamp, the PATH environment variable and XOOPS_DB_PREFIX, which is hard for other users to guess.

GIJOE and we know that many XOOPS users leave XOOPS_DB_PREFIX at the default value "xoops", and
using the default XOOPS_DB_PREFIX is weak if some module has a SQL injection vulnerability.
So GIJOE recommends that XOOPS users should use their own XOOPS_DB_PREFIX string.
(The "Oreteki" installer makes a random string for the XOOPS_DB_PREFIX default.)

This is just what I want to say.

I think it is enough to prevent malicious guessing by this combination:
__LINE__ * microtime() * XOOPS_DB_PREFIX * $_SERVER['path']

OK, we can always change that later, if we come up with a better way to generate the salt.

I will also look into the random generation of database prefix during installation (based on Oreteki) and a way to change the prefix - based on GIJOE and Brash's work.
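The ticket mechanism the last few posts discuss, written out as an added example. This is not code from XOOPS or from GIJOE's GTicket class, and the constant `TICKET_SALT`, the function names and the `$session` array passed in place of `$_SESSION` are all assumptions made for the demo. It shows the two properties the posts argue about: the token is derived from a per-site secret that a visitor cannot read (the "salt"), and it carries an expiry, is bound to the user's session and can be used only once.

```php
<?php
// Added example, not code from XOOPS or from GIJOE's GTicket class. It shows the
// shape of the ticket discussed above: a token that mixes a per-site secret
// (the "salt") with an expiry time, is stored in the session, and is checked with
// a constant-time compare before a state-changing request is honoured.
// TICKET_SALT is an assumption: set it from something a visitor cannot read,
// such as a randomised XOOPS_DB_PREFIX, never from a default like "xoops".
define('TICKET_SALT', 'replace-with-a-site-specific-random-value');

// Issue a ticket for one form ("area") and remember it in the caller's session array.
function ticket_issue(array &$session, $area, $now, $lifetime = 1800)
{
    $expires = $now + $lifetime;
    // random_bytes() supplies the unpredictable part; __LINE__ and microtime() from
    // the thread are guessable within a small range, CSPRNG output is not.
    $nonce = bin2hex(random_bytes(8));
    // An HMAC keyed with the salt ties the token to this installation: without
    // TICKET_SALT nobody can build a matching token even knowing area, expiry and nonce.
    $mac = hash_hmac('sha256', $area . '|' . $expires . '|' . $nonce, TICKET_SALT);
    $token = $expires . ':' . $nonce . ':' . $mac;
    $session['tickets'][$area] = $token;
    return $token;
}

// Validate a submitted ticket. Returns true exactly once per issued ticket.
function ticket_check(array &$session, $area, $submitted, $now)
{
    if (!isset($session['tickets'][$area])) {
        return false;                       // nothing was issued for this form
    }
    $issued = $session['tickets'][$area];
    unset($session['tickets'][$area]);      // single use: a replayed ticket fails
    if (!is_string($submitted) || !hash_equals($issued, $submitted)) {
        return false;                       // tampered, forged, or from another session
    }
    list($expires) = explode(':', $issued, 2);
    return (int) $expires >= $now;          // reject stale tickets
}

// Constructed demo run (php ticket_demo.php): prints bool(true) once, then bool(false) three times.
$session = array();
$now = time();
$t1 = ticket_issue($session, 'newpost', $now);
var_dump(ticket_check($session, 'newpost', $t1, $now));          // true: fresh and matching
var_dump(ticket_check($session, 'newpost', $t1, $now));          // false: already consumed
$t2 = ticket_issue($session, 'newpost', $now - 3600, 1800);
var_dump(ticket_check($session, 'newpost', $t2, $now));          // false: expired
$t3 = ticket_issue($session, 'newpost', $now);
var_dump(ticket_check($session, 'newpost', $t3 . 'x', $now));    // false: tampered
```

The session comparison is what actually stops a cross-site request: the attacker's page cannot read the victim's session. The keyed hash is what makes the stored value unguessable from public information, which is the point Mithrandir raised about `__FILE__`/`__LINE__`; with a default salt such as "xoops" that second property is lost.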

109
JMorris
Re: Xoops On Crack?
  • 2005/1/6 11:36

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Would somebody please "Sticky" this thread?!

Awesome information in this thread.

Thank you all!

110
brash
Re: Xoops On Crack?
  • 2005/1/6 12:14

  • brash

  • Friend of XOOPS

  • Posts: 2206

  • Since: 2003/4/10


If anyone is interested in renaming their XOOPS prefix to help protect them from SQL injection attacks, this script from GIJOE's forum should do it:

1) Make a backup of mainfile.php AND your XOOPS database

2) Copy the script to a file and name it something like change_pre.php

3) Upload it to your XOOPS root directory

4) Change permissions on your mainfile.php so the server can write to it

5) Access the file by going to <Xoops_URL>/change_pre.php and set the new table prefix

6) Delete change_pre.php (important! If you don't do this, people will be able to alter your table prefix!)

7) Set permissions back on your mainfile.php so the server can't write to it.
<?php
// Renames every table in the XOOPS database from the current XOOPS_DB_PREFIX to a
// new one, then rewrites the define() in mainfile.php to match.
include 'mainfile.php';
if ( !is_writable(XOOPS_ROOT_PATH.'/mainfile.php') ) {
    exit('mainfile.php is not writable');
}

if ( empty($_POST['submit']) ) {
    // First visit: show a form asking for the new prefix
    include XOOPS_ROOT_PATH.'/class/xoopsformloader.php';
    $sform = new XoopsThemeForm("Changing XOOPS_DB_PREFIX", "prefixform", xoops_getenv('PHP_SELF'));
    $sform->addElement(new XoopsFormText("PREFIX", 'prefix', 50, 80, XOOPS_DB_PREFIX), true);
    $sform->addElement(new XoopsFormHidden("oldname", XOOPS_DB_PREFIX));
    $sform->addElement(new XoopsFormButton('', 'submit', 'change', 'submit'));
    $shtml = $sform->render();
} else {
    // Form submitted: rename the tables and report each one
    $shtml = '<h4 style="text-align:left">Changing XOOPS_DB_PREFIX '.XOOPS_DB_NAME.'</h4>';
    $shtml .= '<table class="outer" width="100%" cellpadding="4" cellspacing="1">';
    $shtml .= '<tr align="center"><th>From</th><th>To</th></tr>';

    // changes
    $local_query = 'SHOW TABLE STATUS FROM `'.XOOPS_DB_NAME.'`';
    $result = $xoopsDB->queryF($local_query);
    $count = 0;
    if ( $xoopsDB->getRowsNum($result) ) {
        while ( $row = $xoopsDB->fetchArray($result) ) {
            if ($count % 2 == 0) { $class = 'even'; } else { $class = 'odd'; }
            $count++;
            // Note: $_POST['prefix'] is not validated; it goes straight into the RENAME
            // TABLE statement, which is why step 6 above (delete this file) matters.
            $newtable = str_replace(XOOPS_DB_PREFIX.'_', $_POST['prefix'].'_', $row['Name']);
            $sql = "RENAME TABLE ".$row['Name']." TO ".$newtable;
            $ret = $xoopsDB->queryF($sql);
            if ( $ret ) {
                $shtml .= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>'.$newtable.'</td></tr>';
            } else {
                $shtml .= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>Failed. sorry...</td></tr>';
            }
        }
    }
    $shtml .= '</table>';
    $shtml .= '<div><a href="'.XOOPS_URL.'/">return to Top</a></div>';

    // modifying mainfile.php: replace the old prefix on the line(s) that mention it
    $main = file(XOOPS_ROOT_PATH.'/mainfile.php');
    $buf = array();
    foreach ( $main as $val ) {
        if ( strpos($val, 'XOOPS_DB_PREFIX') !== false ) {
            $buf[] = str_replace($_POST['oldname'], $_POST['prefix'], $val);
        } else {
            $buf[] = $val;
        }
    }
    if ( !$fp = fopen(XOOPS_ROOT_PATH.'/mainfile.php', "wb") ) {
        echo "writing mainfile.php failed. please edit manually";
    } else {
        fputs($fp, join("", $buf));
        fclose($fp);
    }
}
include XOOPS_ROOT_PATH.'/header.php';
echo $shtml;
include XOOPS_ROOT_PATH.'/footer.php';
?>
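The script above takes both the new prefix and the old one from the POST body and splices them into a RENAME TABLE statement and into mainfile.php. The helpers below are an added example, not brash's or GIJOE's script and not XOOPS code, with hypothetical function names; they show the checks a hardened version of the same two steps would make: admit only identifier-safe prefixes, take the old prefix from the server-side XOOPS_DB_PREFIX constant rather than a hidden form field, quote the table names, skip tables that do not carry the old prefix, and rewrite only the define() value instead of every occurrence of the old string on the line.

```php
<?php
// Added example, not the script above and not XOOPS code. Hypothetical helpers that
// harden the two operations the rename script performs.

// A prefix must be a plain MySQL identifier: a letter first, then letters/digits/_.
function prefix_is_safe($prefix)
{
    return is_string($prefix) && preg_match('/^[A-Za-z][A-Za-z0-9_]{0,31}$/', $prefix) === 1;
}

// Backtick-quote an identifier for MySQL (doubling any embedded backtick).
function quote_ident($ident)
{
    return '`' . str_replace('`', '``', $ident) . '`';
}

// Build the RENAME TABLE statement for one table, or null if it should be skipped.
function rename_statement($table, $oldPrefix, $newPrefix)
{
    if (!prefix_is_safe($oldPrefix) || !prefix_is_safe($newPrefix)) {
        return null;
    }
    if (strpos($table, $oldPrefix . '_') !== 0) {
        return null;                    // not one of ours, e.g. another app's table
    }
    // Anchored at the start: str_replace() would also rewrite a second "xoops_" in the name.
    $newTable = $newPrefix . substr($table, strlen($oldPrefix));
    return 'RENAME TABLE ' . quote_ident($table) . ' TO ' . quote_ident($newTable);
}

// Rewrite the define('XOOPS_DB_PREFIX', '...') value only; other lines come back unchanged.
function rewrite_prefix_line($line, $oldPrefix, $newPrefix)
{
    if (!prefix_is_safe($newPrefix)) {
        return $line;
    }
    $pattern = '/(define\s*\(\s*[\'"]XOOPS_DB_PREFIX[\'"]\s*,\s*[\'"])'
             . preg_quote($oldPrefix, '/') . '([\'"])/';
    return preg_replace($pattern, '${1}' . $newPrefix . '${2}', $line);
}

// Constructed demo (php prefix_demo.php)
$old = 'xoops';                         // in the real script this is XOOPS_DB_PREFIX
foreach (array('x9_site', 'x`; --', '', '1abc') as $candidate) {
    printf("%-12s %s\n", var_export($candidate, true), prefix_is_safe($candidate) ? 'ok' : 'rejected');
}
var_dump(rename_statement('xoops_users', $old, 'x9_site'));
// RENAME TABLE `xoops_users` TO `x9_site_users`
var_dump(rename_statement('wp_posts', $old, 'x9_site'));         // NULL: skipped, no old prefix
var_dump(rewrite_prefix_line("define('XOOPS_DB_PREFIX', 'xoops');\n", $old, 'x9_site'));
// define('XOOPS_DB_PREFIX', 'x9_site');  (trailing newline kept)
var_dump(rewrite_prefix_line("// XOOPS_DB_PREFIX is xoops\n", $old, 'x9_site'));
// unchanged: the comment mentions the constant but is not the define()
```

Only the first candidate passes `prefix_is_safe()`; the other three are rejected before anything reaches SQL or mainfile.php. A script that validates like this still belongs only on the server while you are running it, so steps 6 and 7 of the procedure above apply unchanged.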
