121
CBMax
Re: XOOPS insecure? I think not!
  • 2005/1/21 6:44

  • CBMax

  • Just popping in

  • Posts: 10

  • Since: 2004/12/28


Hm. This answers a lot of questions

122
danielh2o
Re: Xoops On Crack?
  • 2005/2/4 16:46

  • danielh2o

  • Just popping in

  • Posts: 47

  • Since: 2004/10/19


any progress for XOOPS core v2.0.10, anyone can tell...?

123
DonXoop
Re: Xoops On Crack?

can't tell from here.

Yogi Bera: "It ain't over till it's over"
Yogi Bear: "Let's go look for some pic-ci-nic baskets"

124
m0nty
Re: Xoops On Crack?
  • 2005/2/4 19:01

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


lmao.. i guess you're having a day full of sarcasm then today Don?

125
MorelyDotes
Re: XOOPS insecure? I think not!

Quote:

If XOOPS was a single, compiled, closed source, fully developed application, the vulnerability of the system could be completely controlled (but still not guaranteed!).


Sure, just like MS Windows, eh?

The huge advantage of open source is that *anyone* can look at it, and if they find a security problem, not only can they tell everyone else, the discoverer can *fix* it (or at least tell someone else who can fix it). And then the fix will be distributed to the rest of the community quickly.

No lobbying to get laws passed to prevent publication of security issues; no delaying patch distribution because admitting there's a problem might interfere with a Marketing campaign - just find it, fix it, and fling it out there.

So, all you 733t coders, if you know there's a problem What have you done about fixing it? Producing Protector is great, but it is not the same as fixing the underlying problem. Herko isn't the only Core Team member; how have you contacted the rest of them? Or have you bothered?

126
m0nty
Re: Xoops On Crack?
  • 2005/2/8 21:37

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


of course they have bothered!! why wouldn't they have?

what has been done? well the protector module helps, and if you read the rest of the pages you'd know that protector will be integrated into the core. other things have been done, 2.0.7.3 included lots of security related fixes, XOOPS 2.0.9.2 also improved more on security..

underlying problem? well nothing is 100% secure, you fix 1 security issue and some1 always finds another way to circumvent it.. try downloading the source yourself, look at it, and if you spot any issues then report them in the proper manner (that's if you're capable and knowledgeable to do so) it's not an easy task to spot flaws.. and well this last 2 weeks alone as seen more seen security issues related to apache, and other other server software etc.. so nobody is perfect in their programming..

it's alright for you to say what is being done about it and to be honest i don't know how you can actually say that nothing is being done about it or make a remark about whether the core team have bothered to do anything about it.. and btw nobody here calls themself a 733t coder

if you have some suggestions then suggest them. i'm sure the dev site and the sourceforge will give ou more info if you bother to read them before making your presumptions.

if a security issue wasn't known to the team then how the hell can they fix it, security is high on the priority list and always has been.

127
JasonMR
XOOPS 2.0.10
  • 2005/2/9 0:26

  • JasonMR

  • Just can't stay away

  • Posts: 655

  • Since: 2004/6/21


Yeap, progress is being made on 2.0.10, as Onokazu announced yesterday on the sourceforge developers forum.

From his posting:
Quote:

I would also like to let you know that 2.0.10 is ready for beta testing, which should be released officially as final in a day or two. A new feature has been added to this release to enhance security. The feature is commonly known as one-time ticket/token system, main purpose of which is to prevent CSRF attacks but can also be used to prevent multiple form submissions.


So yes, members who recieved "little thank yous" from the community, are trying to pay us back (not that they needed to, but thats just the type of guys they are)

Hope people find this informative.....

128
Marco
Re: XOOPS 2.0.10
  • 2005/2/9 19:58

  • Marco

  • Home away from home

  • Posts: 1256

  • Since: 2004/3/15


PHP Security Consortium is born
----> you will find their first publication The PHP Security Guide (free download)
perhaps a way to increase our security knowledge ?
http://phpsec.org/
just my 2cnt...
bye
marco

129
ackbarr
Re: XOOPS 2.0.10

I read this last week, and found it to be a very good primer on 'thinking secure' in development.

130
DonXoop
Re: XOOPS 2.0.10

Don't forget to push module developers to think secure too. 3rd party mods are the weakest links.

So Protector is making it into the core. Hopefully with more docs and much easier maintenance. Example is if you enable it without thinking you just might end up with hundreds of pages of "violations" that might actually be your own users doing normal things. Tedious trying to filter the real violations from normal and then trying to delete the logs. Enable a mod like chat and you'll instantly get violations. And those violations all appear as anonymous even with the users logged in. Disabling the Protector block for registered users doesn't help, I guess it is the mainfile.php pre/postcheck lines.

good luck folks.

Login

Who's Online

329 user(s) are online (271 user(s) are browsing Support Forums)


Members: 0


Guests: 329


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits