11
Jan304
Re: Aston Themes Hacked ?
  • 2005/7/11 16:19

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


A lot of people use XOOPS without actually checking the XOOPS.org site daily. Those people still don't know about the update (if you check mainsite, you see nothing that actually says you might have to upgrade)...

Why not a mass mailing to all members (as done before), but this time without the mass of returns to all members .

Grtz, Jan
Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the vase.
Neo: What vase?
[Neo turns to look for a vase, and as he does, he knocks over a vase of flowers, which shatters on the floor.]
Oracle: That vase.
Neo:...

12
m0nty
Re: Aston Themes Hacked ?
  • 2005/7/11 16:46

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


now u know why i claimed autologins to be not 100% secure, and that an exception oughta be included in it to stop admins being able to use autologin at all.

13
JimLunsford
Re: Aston Themes Hacked ?

I don't understand why people don't come here to check for updates at least once a week.

14
bluenova
Re: Aston Themes Hacked ?

Don't even need to check xoops.org, all the XOOPS news is available from every XOOPS admin area on the world wide web

15
Duane
Re: Aston Themes Hacked ?
  • 2005/7/11 17:42

  • Duane

  • Just popping in

  • Posts: 23

  • Since: 2004/7/20


I use RSS feeds to keep informed.

16
Jan304
Re: Aston Themes Hacked ?
  • 2005/7/11 17:54

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


Quote:

m0nty wrote:
now u know why i claimed autologins to be not 100% secure, and that an exception oughta be included in it to stop admins being able to use autologin at all.


Sorry, I think that what you are saying is (partly) incorrect. Mith is _not_ saying that autologin is insecure (it might be, but he is not saying that) but that the combination of the hole in the XML-RPC interface, which will result in being able to obtain the md5 hash of your password, and the autologin hack will make your XOOPS installation insecure...

And since autologin hacks mostly (if not all) save the hash of your password and username in a cookie, the hackers will be able to login by simply modifying a cookie.

Correct me if I'm wrong.
Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the vase.
Neo: What vase?
[Neo turns to look for a vase, and as he does, he knocks over a vase of flowers, which shatters on the floor.]
Oracle: That vase.
Neo:...

17
Mithrandir
Re: Aston Themes Hacked ?

Correct. I am not saying that autologin in itself is insecure (especially not GIJOE's which I think is the best available) but it is vulnerable to holes elsewhere.

It's like having a wall. Then you put in a door there for easy access - but not even the strongest door will prevent someone with the key from entering. And if the key is kept in a cupboard which is not as strong as the door, you've not gained much from reinforcing the door.

You _could_ say that it is an argument for not using autologin - and it is certainly an argument for not allowing admins to use autologins.

A chain is only as strong as the weakest link - and XOOPS is a mightily big chain with lots of links...
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software
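
The mechanism Jan304 describes in post 16 (username plus md5 password hash stored in the autologin cookie) and the admin exception Mithrandir argues for in post 17, side by side as an added Python example. This is illustrative code written for this thread, not XOOPS code and not GIJOE's autologin hack; the user table, the passwords, the `SERVER_SECRET` name and the token scheme are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (md5 of password, is_admin).
# Assumption for the example; the md5 values stand in for the hashes the
# thread says the XML-RPC hole could leak.
USERS = {
    "alice": (hashlib.md5(b"correct horse").hexdigest(), False),
    "admin": (hashlib.md5(b"hunter2").hexdigest(), True),
}


# --- The design the thread describes: cookie = "user:md5(password)" --------

def weak_issue_cookie(username: str) -> str:
    """Autologin cookie holding the username and the stored password hash."""
    pw_hash, _ = USERS[username]
    return f"{username}:{pw_hash}"


def weak_autologin(cookie: str):
    """Log the user in if the hash in the cookie equals the stored hash.
    The only secret involved is the stored hash itself, so whoever obtains
    it (via the leak the thread discusses) already holds a valid cookie."""
    username, _, presented = cookie.partition(":")
    record = USERS.get(username)
    if record is None:
        return None
    return username if hmac.compare_digest(presented, record[0]) else None


# --- Hardened design (assumed; not XOOPS code): random token + HMAC, no admins

SERVER_SECRET = secrets.token_bytes(32)   # stays on the server, never in a cookie
ACTIVE_TOKENS: dict = {}                   # username -> sha256(token), for revocation


def hardened_issue_cookie(username: str):
    """Return an autologin cookie, or None: admin accounts never get one,
    which is the exception m0nty and Mithrandir argue for."""
    _, is_admin = USERS[username]
    if is_admin:
        return None
    token = secrets.token_hex(16)          # fresh random value, unrelated to the password
    ACTIVE_TOKENS[username] = hashlib.sha256(token.encode()).hexdigest()
    tag = hmac.new(SERVER_SECRET, f"{username}:{token}".encode(), "sha256").hexdigest()
    return f"{username}:{token}:{tag}"


def hardened_autologin(cookie: str):
    """Accept only a cookie this server issued and has not revoked."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    username, token, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{username}:{token}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                        # forged or altered cookie
    if ACTIVE_TOKENS.get(username) != hashlib.sha256(token.encode()).hexdigest():
        return None                        # revoked, or never issued
    record = USERS.get(username)
    if record is None or record[1]:
        return None                        # defence in depth: no admin autologin
    return username


def revoke_autologin(username: str) -> None:
    """Invalidate every autologin cookie issued to the user (e.g. after a breach).
    The weak scheme cannot do this short of changing the password."""
    ACTIVE_TOKENS.pop(username, None)
```

The point of the comparison is what each cookie proves: the weak one proves knowledge of the stored hash, which is exactly the value the thread says can leak elsewhere, so reinforcing the cookie code itself buys nothing. The hardened cookie carries only a random token the server can revoke, tied to the account by an HMAC keyed with a secret that never leaves the server; a leaked password hash says nothing about it, and admin accounts never receive one at all.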

18
m0nty
Re: Aston Themes Hacked ?
  • 2005/7/11 20:20

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


very well put mith :)

19
Rhomal
Re: Aston Themes Hacked ?
  • 2005/7/11 20:47

  • Rhomal

  • Quite a regular

  • Posts: 274

  • Since: 2004/10/5


Forgive my ignorance but what is the 'auto login' you are talking about. I use my browser's ability to store login/pw for my (and others') sites. Thus all I need to do when I go to my site is hit the submit button in the login block.

Perhaps I am missing something...

20
pegasus00321
Re: Aston Themes Hacked ?

This is some scary stuff

I think he had like 2.0.93 or something like that.
Pegasus00321


I would appreciate it if you click this link
TuFat.com PHP Scripts and etc
