Re: Xoops and Modules Vulnerabilities [Quality Assurance]

1

Xoops and Modules Vulnerabilities

2007/4/4 16:18
xguide
Just popping in
Posts: 43
Since: 2005/5/11

Programmers are busy with code and moderators with support.
Users can visit frequently the security site:

here

Users can report to developers security problems.
It is easy way to contribute.

Good Luck.

2

Re: Xoops and Modules Vulnerabilities

2007/4/4 16:55
davidl2
XOOPS is my life!
Posts: 4843
Since: 2003/5/26

Thank you for the information. We're pleased to notice that many of these issues are actually very old ones which have been fixed in newer releases of modules or have been reported previously.

I also notice that the Core issues mentioned seem to relate to older versions of the Core - which emphasises the need for updates.

(PS: I changed your link slightly, as it was rather wide...)

3

Re: Xoops and Modules Vulnerabilities

2007/4/4 17:46
vaughan
Friend of XOOPS
Posts: 680
Since: 2005/11/26

also protector module stops practically most of the exploits you keep mentioning.

do you know ajann btw

4

Re: Xoops and Modules Vulnerabilities

2007/4/6 6:21
xguide
Just popping in
Posts: 43
Since: 2005/5/11

Do you know a programming language and you think Ajann contribution is not good to secure xoops? Users do not need alert and you think it is better to see victims of hacks on the forums?

Read a good article with good decision to do with futur XOOPS development.

"We are trying to get the word out there to developers that they have at least one brand new security consideration that they didn't have before," said Chess, who co-authored the report.

"Usually we security guys are coming along long after the fact. But this time, we have a chance to fix the problem before it really matters."

"This is a case where even educated developers didn't know it was a big deal because even the security community didn't know it was there," Chess said.

oice to make," said Fortify's Chess. "In terms of disclosing details about a vulnerability, the right thing to do is to tell the developer about it and give them a chance to patch it.

"But the problem here is that we are talking about a vulnerability that is in so many different frameworks and there are so many people not using frameworks, that we want to give everyone a chance to fix it at once, and that meant announcing it," he said.

http://www.securityfocus.com/news/11456

5

Re: Xoops and Modules Vulnerabilities

2007/4/6 7:15
MadFish
Friend of XOOPS
Posts: 1056
Since: 2003/9/27

There are a couple of interesting podcasts on cross site scripting at Security Now1, including a discussion of distributed vulnerability scanning.

(If you listen to #85 you can skip the first 20 mins or so).

hhttps://xoops.org

6

Re: Xoops and Modules Vulnerabilities

2007/4/6 7:20
Anonymous
Posts: 0
Since:

Quote:

xguide wrote:

.....you think it is better to see victims of hacks on the forums?

What an incredibly stupid thing to post.

7

Re: Xoops and Modules Vulnerabilities

2007/4/6 10:27
vaughan
Friend of XOOPS
Posts: 680
Since: 2005/11/26

Quote:

xguide wrote:
Do you know a programming language and you think Ajann contribution is not good to secure xoops? Users do not need alert and you think it is better to see victims of hacks on the forums?

Read a good article with good decision to do with futur XOOPS development.

"We are trying to get the word out there to developers that they have at least one brand new security consideration that they didn't have before," said Chess, who co-authored the report.

"Usually we security guys are coming along long after the fact. But this time, we have a chance to fix the problem before it really matters."

"This is a case where even educated developers didn't know it was a big deal because even the security community didn't know it was there," Chess said.

oice to make," said Fortify's Chess. "In terms of disclosing details about a vulnerability, the right thing to do is to tell the developer about it and give them a chance to patch it.

"But the problem here is that we are talking about a vulnerability that is in so many different frameworks and there are so many people not using frameworks, that we want to give everyone a chance to fix it at once, and that meant announcing it," he said.

http://www.securityfocus.com/news/11456

thankyou for that insight, but that's not what i asked and not what i even commented on.

i asked if you knew him? and 2ndly i said that protector module will stop practically most of the exploits that you brought up in that security focus.

i neither disputed the fact that they were there, neither did i dispute the fact that someone finding exploits is a bad thing. indeed i agree with you, please read what is said properly before assuming i mean something completely different to what i asked. i never said that ajann finding those exploits is a bad contribution to programming. i simply asked if you knew him!! what that has to do with what you replied with i don't know.

8

Re: Xoops and Modules Vulnerabilities

2007/4/6 10:45
Anonymous
Posts: 0
Since:

Quote:

vaughan wrote:

i said that protector module will stop practically most of the exploits that you brought up in that security focus.

xguide was also told that the reports relate to old and subsequently updated modules yet still goes on and on and on and on..............

@xguide
If you don't read posts or don't understand what is said in them, are so concerned about security and think that the XOOPS core and the current modules are vulnerable then why not use a different CMS and see how you get on with it?

Much better than your continuing to post outdated drivel on here and taking other users time to correct your misunderstandings and inaccuracies.

9

Re: Xoops and Modules Vulnerabilities

2007/4/7 6:11
xguide
Just popping in
Posts: 43
Since: 2005/5/11

Quote:

JAVesey wrote:
Quote:
vaughan wrote:

i said that protector module will stop practically most of the exploits that you brought up in that security focus.

xguide was also told that the reports relate to old and subsequently updated modules yet still goes on and on and on and on..............

@xguide
If you don't read posts or don't understand what is said in them, are so concerned about security and think that the XOOPS core and the current modules are vulnerable then why not use a different CMS and see how you get on with it?

Much better than your continuing to post outdated drivel on here and taking other users time to correct your misunderstandings and inaccuracies.

Mr. JAVesey,
You do not understand the problem. Your ignorance it is not your fault. But you can look at those which make worse, there is no merit, but try to look those which do better you will learn and look more intelligent.
Users need alert message to secure their XOOPS sites.
You should know GPL it is not good for business. Please learn before reply. If many users post about security problems it is not good for project but it is interest to capitalize knowledge with adds.
I tell you for free about XOOPS security problems. Last week we discuss about lack of security layer of XOOPS and different developers code have made the core a patchwork. It was demonstrated here how easy it is to hack xoops.org site accounts and user data.
Information was send to moderators and core member. But i do not have any obligation to contribute or to code. I do audit to client to move to new cms. It was politest to comment and advise members of this project about security problems they already know they need to code new core.
It is important to remember members to update modules and server software. Because xoops.org repository it is not up to date. And the XOOPS distributed package is not secure because its core only provide a simple token system. Users need extra protection. They need at minimum a module like Protector but this module do not come with XOOPS package.

Good Luck.

10

Re: Xoops and Modules Vulnerabilities

2007/4/7 6:48
Anonymous
Posts: 0
Since:

Quote:

xguide wrote:

It is important to remember members to update modules and server software. Because xoops.org repository it is not up to date. And the XOOPS distributed package is not secure because its core only provide a simple token system. Users need extra protection. They need at minimum a module like Protector but this module do not come with XOOPS package.

On that much we can agree.

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Re: Xoops and Modules Vulnerabilities

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}