Hm. This answers a lot of questions

any progress for XOOPS core v2.0.10, anyone can tell...?

can't tell from here.

Yogi Bera: "It ain't over till it's over"
Yogi Bear: "Let's go look for some pic-ci-nic baskets"

lmao.. i guess you're having a day full of sarcasm then today Don?

Quote:

Sure, just like MS Windows, eh?

The huge advantage of open source is that *anyone* can look at it, and if they find a security problem, not only can they tell everyone else, the discoverer can *fix* it (or at least tell someone else who can fix it). And then the fix will be distributed to the rest of the community quickly.

No lobbying to get laws passed to prevent publication of security issues; no delaying patch distribution because admitting there's a problem might interfere with a Marketing campaign - just find it, fix it, and fling it out there.

So, all you 733t coders, if you know there's a problem What have you done about fixing it? Producing Protector is great, but it is not the same as fixing the underlying problem. Herko isn't the only Core Team member; how have you contacted the rest of them? Or have you bothered?

of course they have bothered!! why wouldn't they have?

what has been done? well the protector module helps, and if you read the rest of the pages you'd know that protector will be integrated into the core. other things have been done, 2.0.7.3 included lots of security related fixes, XOOPS 2.0.9.2 also improved more on security..

underlying problem? well nothing is 100% secure, you fix 1 security issue and some1 always finds another way to circumvent it.. try downloading the source yourself, look at it, and if you spot any issues then report them in the proper manner (that's if you're capable and knowledgeable to do so) it's not an easy task to spot flaws.. and well this last 2 weeks alone as seen more seen security issues related to apache, and other other server software etc.. so nobody is perfect in their programming..

it's alright for you to say what is being done about it and to be honest i don't know how you can actually say that nothing is being done about it or make a remark about whether the core team have bothered to do anything about it.. and btw nobody here calls themself a 733t coder

if you have some suggestions then suggest them. i'm sure the dev site and the sourceforge will give ou more info if you bother to read them before making your presumptions.

if a security issue wasn't known to the team then how the hell can they fix it, security is high on the priority list and always has been.

Yeap, progress is being made on 2.0.10, as Onokazu announced yesterday on the sourceforge developers forum.

From his posting:
Quote:

So yes, members who recieved "little thank yous" from the community, are trying to pay us back (not that they needed to, but thats just the type of guys they are)

Hope people find this informative.....

PHP Security Consortium is born
----> you will find their first publication The PHP Security Guide (free download)
perhaps a way to increase our security knowledge ?
http://phpsec.org/
just my 2cnt...
bye
marco

I read this last week, and found it to be a very good primer on 'thinking secure' in development.

Don't forget to push module developers to think secure too. 3rd party mods are the weakest links.

So Protector is making it into the core. Hopefully with more docs and much easier maintenance. Example is if you enable it without thinking you just might end up with hundreds of pages of "violations" that might actually be your own users doing normal things. Tedious trying to filter the real violations from normal and then trying to delete the logs. Enable a mod like chat and you'll instantly get violations. And those violations all appear as anonymous even with the users logged in. Disabling the Protector block for registered users doesn't help, I guess it is the mainfile.php pre/postcheck lines.

good luck folks.