Re: Aston Themes Hacked ? [XOOPS.org Members Lounge]

11

Re: Aston Themes Hacked ?

2005/7/11 16:19
Jan304
Official Support Member
Posts: 520
Since: 2002/3/31

A lot of people use XOOPS without actually checking the XOOPS.org site daily. Those people still don't know about the update (if you check mainsite, you see nothing that actually says you might have to upgrade)...

Why not a mass mailing to all members (as done before), but this time without the mass of returns to all members

.

Grtz, Jan

Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the vase.
Neo: What vase?
[Neo turns to look for a vase, and as he does, he knocks over a vase of flowers, which shatters on the floor.]
Oracle: That vase.
Neo:...

12

Re: Aston Themes Hacked ?

2005/7/11 16:46
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

now u know why i claimed autologins to be not 100% secure, and that an exception oughta be included in it to stop admins being able to use autologin at all.

13

Re: Aston Themes Hacked ?

2005/7/11 17:11
JimLunsford
Not too shy to talk
Posts: 191
Since: 2004/10/26

I don't understand why people don't come here to check for updates at least once a week.

14

Re: Aston Themes Hacked ?

2005/7/11 17:27
bluenova
Posts: 1022
Since: 2004/4/10

Don't even need to check xoops.org, all the XOOPS news is available from every XOOPS admin area on the world wide web

15

Re: Aston Themes Hacked ?

2005/7/11 17:42
Duane
Just popping in
Posts: 23
Since: 2004/7/20

I use RSS feeds to keep informed.

16

Re: Aston Themes Hacked ?

2005/7/11 17:54
Jan304
Official Support Member
Posts: 520
Since: 2002/3/31

Quote:

m0nty wrote:
now u know why i claimed autologins to be not 100% secure, and that an exception oughta be included in it to stop admins being able to use autologin at all.

Sorry, I think that what you are saying is (partly) incorrect. Mith is _not_ saying that autologin is insecure (it might, but he is not telling it) but that the combination of the hole in the XML-RPC interface, wich will result in being able to obtain the md5 hash of your password, and the autologin hack will make your XOOPS installation insecure...

And since autologin hacks mostly (if not all) safe the hash of your password and username in a cookie, the hackers will be able to login by simply modifying a cookie.

Correct me if I'm wrong.

Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the vase.
Neo: What vase?
[Neo turns to look for a vase, and as he does, he knocks over a vase of flowers, which shatters on the floor.]
Oracle: That vase.
Neo:...

17

Re: Aston Themes Hacked ?

2005/7/11 20:13
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

Correct. I am not saying that autologin in itself is insecure (especially not GIJOE's which I think is the best available) but it is vulnerable to holes elsewhere.

It's like having a wall. Then you put in a door there for easy access - but not even the strongest door will prevent someone with the key from entering. And if the key is kept in a cupboard which is not as strong as the door, you've not gained much from reinforcing the door.

You _could_ say that it is an argument for not using autologin - and it is certainly an argument for not allowing admins to use autologins.

A chain is only as strong as the weakest link - and XOOPS is a mightily big chain with lots of links...

"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software

18

Re: Aston Themes Hacked ?

2005/7/11 20:20
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

very well put mith :)

19

Re: Aston Themes Hacked ?

2005/7/11 20:47
Rhomal
Quite a regular
Posts: 274
Since: 2004/10/5

Forgive my ignorance but what is the 'auto login' you are talking about. I use my browsers ability to store login/pw to my (and others) site. Thus all I need to go when I go to my site it hit the submit button in the login block.

Perhaps I am missing something...

20

Re: Aston Themes Hacked ?

2005/7/11 21:32
pegasus00321
Quite a regular
Posts: 339
Since: 2005/4/29

This is some scary stuff

I think he had like 2.0.93 or something like that.

Pegasus00321

I would appricate it if you click this link
TuFat.com PHP Scripts and etc

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Re: Aston Themes Hacked ?

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}