1
xguide
Xoops and Modules Vulnerabilities
  • 2007/4/4 16:18

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Programmers are busy with code and moderators with support.
Users can visit frequently the security site:

here

Users can report to developers security problems.
It is an easy way to contribute.

Good Luck.

2
davidl2
Re: Xoops and Modules Vulnerabilities
  • 2007/4/4 16:55

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Thank you for the information. We're pleased to notice that many of these issues are actually very old ones which have been fixed in newer releases of modules or have been reported previously.

I also notice that the Core issues mentioned seem to relate to older versions of the Core - which emphasises the need for updates.

(PS: I changed your link slightly, as it was rather wide...)

3
vaughan
Re: Xoops and Modules Vulnerabilities
  • 2007/4/4 17:46

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


also protector module stops practically most of the exploits you keep mentioning.

do you know ajann btw

4
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/6 6:21

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Do you know a programming language and you think Ajann contribution is not good to secure xoops? Users do not need alert and you think it is better to see victims of hacks on the forums?

Read a good article with good decision to do with future XOOPS development.

"We are trying to get the word out there to developers that they have at least one brand new security consideration that they didn't have before," said Chess, who co-authored the report.

"Usually we security guys are coming along long after the fact. But this time, we have a chance to fix the problem before it really matters."

"This is a case where even educated developers didn't know it was a big deal because even the security community didn't know it was there," Chess said.

oice to make," said Fortify's Chess. "In terms of disclosing details about a vulnerability, the right thing to do is to tell the developer about it and give them a chance to patch it.

"But the problem here is that we are talking about a vulnerability that is in so many different frameworks and there are so many people not using frameworks, that we want to give everyone a chance to fix it at once, and that meant announcing it," he said.

http://www.securityfocus.com/news/11456

5
MadFish
Re: Xoops and Modules Vulnerabilities
  • 2007/4/6 7:15

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


There are a couple of interesting podcasts on cross site scripting at Security Now, including a discussion of distributed vulnerability scanning.

(If you listen to #85 you can skip the first 20 mins or so).

6
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/6 7:20

  • Anonymous

  • Posts: 0

  • Since:


Quote:
xguide wrote:

.....you think it is better to see victims of hacks on the forums?


What an incredibly stupid thing to post.

7
vaughan
Re: Xoops and Modules Vulnerabilities
  • 2007/4/6 10:27

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

xguide wrote:
Do you know a programming language and you think Ajann contribution is not good to secure xoops? Users do not need alert and you think it is better to see victims of hacks on the forums?

Read a good article with good decision to do with future XOOPS development.

"We are trying to get the word out there to developers that they have at least one brand new security consideration that they didn't have before," said Chess, who co-authored the report.

"Usually we security guys are coming along long after the fact. But this time, we have a chance to fix the problem before it really matters."

"This is a case where even educated developers didn't know it was a big deal because even the security community didn't know it was there," Chess said.

oice to make," said Fortify's Chess. "In terms of disclosing details about a vulnerability, the right thing to do is to tell the developer about it and give them a chance to patch it.

"But the problem here is that we are talking about a vulnerability that is in so many different frameworks and there are so many people not using frameworks, that we want to give everyone a chance to fix it at once, and that meant announcing it," he said.

http://www.securityfocus.com/news/11456


thank you for that insight, but that's not what i asked and not what i even commented on.

i asked if you knew him? and 2ndly i said that protector module will stop practically most of the exploits that you brought up in that security focus.

i neither disputed the fact that they were there, neither did i dispute the fact that someone finding exploits is a bad thing. indeed i agree with you, please read what is said properly before assuming i mean something completely different to what i asked. i never said that ajann finding those exploits is a bad contribution to programming. i simply asked if you knew him!! what that has to do with what you replied with i don't know.

8
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/6 10:45

  • Anonymous

  • Posts: 0

  • Since:


Quote:
vaughan wrote:

i said that protector module will stop practically most of the exploits that you brought up in that security focus.


xguide was also told that the reports relate to old and subsequently updated modules yet still goes on and on and on and on..............

@xguide
If you don't read posts or don't understand what is said in them, are so concerned about security and think that the XOOPS core and the current modules are vulnerable then why not use a different CMS and see how you get on with it?

Much better than your continuing to post outdated drivel on here and taking other users' time to correct your misunderstandings and inaccuracies.

9
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 6:11

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Quote:

JAVesey wrote:
Quote:
vaughan wrote:

i said that protector module will stop practically most of the exploits that you brought up in that security focus.


xguide was also told that the reports relate to old and subsequently updated modules yet still goes on and on and on and on..............

@xguide
If you don't read posts or don't understand what is said in them, are so concerned about security and think that the XOOPS core and the current modules are vulnerable then why not use a different CMS and see how you get on with it?

Much better than your continuing to post outdated drivel on here and taking other users' time to correct your misunderstandings and inaccuracies.


Mr. JAVesey,
You do not understand the problem. Your ignorance it is not your fault. But you can look at those which make worse, there is no merit, but try to look those which do better you will learn and look more intelligent.
Users need alert message to secure their XOOPS sites.
You should know GPL it is not good for business. Please learn before reply. If many users post about security problems it is not good for project but it is interest to capitalize knowledge with adds.
I tell you for free about XOOPS security problems. Last week we discuss about lack of security layer of XOOPS and different developers code have made the core a patchwork. It was demonstrated here how easy it is to hack xoops.org site accounts and user data.
Information was sent to moderators and core member. But I do not have any obligation to contribute or to code. I do audit to client to move to new cms. It was politest to comment and advise members of this project about security problems they already know they need to code new core.
It is important to remember members to update modules and server software. Because xoops.org repository it is not up to date. And the XOOPS distributed package is not secure because its core only provides a simple token system. Users need extra protection. They need at minimum a module like Protector but this module does not come with XOOPS package.

Good Luck.

10
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 6:48

  • Anonymous

  • Posts: 0

  • Since:


Quote:
xguide wrote:

It is important to remember members to update modules and server software. Because xoops.org repository it is not up to date. And the XOOPS distributed package is not secure because its core only provides a simple token system. Users need extra protection. They need at minimum a module like Protector but this module does not come with XOOPS package.


On that much we can agree.
