11
vaughan
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 9:10

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

xguide wrote:
Mr. JAVesey,
You do not understand the problem. Your ignorance it is not your fault. But you can look at those which make worse, there is no merit, but try to look those which do better you will learn and look more intelligent.
Users need alert message to secure their XOOPS sites.
You should know GPL it is not good for business. Please learn before reply. If many users post about security problems it is not good for project but it is interest to capitalize knowledge with adds.

I tell you for free about XOOPS security problems. Last week we discuss about lack of security layer of XOOPS and different developers code have made the core a patchwork. It was demonstrated here how easy it is to hack xoops.org site accounts and user data.

Information was sent to moderators and core member. But I do not have any obligation to contribute or to code. I do audit to client to move to new cms. It was politest to comment and advise members of this project about security problems they already know they need to code new core.
It is important to remember members to update modules and server software. Because xoops.org repository it is not up to date. And the XOOPS distributed package is not secure because its core only provide a simple token system. Users need extra protection. They need at minimum a module like Protector but this module do not come with XOOPS package.

Good Luck.


the demonstration of XOOPS insecurity was over 2 years ago!! again xguide? put up or shut up.

as for token system? now i understand you more. and i'll just say this, go use your beloved XOOPS Cube system and leave us alone on xoops.org.. you obviously know absolutely nothing other than what someone is telling you, or that you are reading posts that are years old.

i'll even go as far as to say that XOOPS Cube has a token system, but that doesn't make it secure, in fact XOOPS Cube was hacked over a year ago with that so called TOKEN system in place if i'm not mistaken.

if you do not know about php coding and security issues yourself, then stop spouting off that this is insecure when you have absolutely no idea what is secure and what isn't.

it's strange when we ban a person, and suddenly once that person is banned, you suddenly appear frequently posting 2nd/3rd hand information that you yourself know nothing about.

12
davidl2
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 9:55

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


As several posters have said, keeping core and modules up-to-date is one of the best things people can do.

If Protector was included with XOOPS as an "essential module" - which I don't think will happen, as we're trying to move from bundled modules - then I would also suggest that XoopsInfo is also included... as it would allow users to check at a glance for updated module versions.

When the demo site, that I've been helping my cleverer and talented colleague with (when I've not been too ill or tired!) is finished - I've been looking at doing a couple of module sets ... together with community help - and I certainly would like to include both of these two modules in as a recommended couple for new and experienced users.

13
Catzwolf
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 13:18

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


Xguide,

Since no one official from XOOPS (i.e. developers) has attempted to answer these questions, I will.

You are off on a tangent regarding something that either you clearly have not read correctly or you do not fully understand.

I visited the site you mentioned in another post and read over the security issues (I believe you are still going on about) and the ISSUES are not about the XOOPS core, they are in fact regarding modules used on this site. i.e: A modified version of WF-Downloads that I wrote and not about the ACTUAL CORE itself.

Now is XOOPS Secure? As secure as it will ever be until another little script kiddie comes along with some script that a hacker has written to exploit areas of code that are not secure or badly written. Now, even people with years of programming knowledge can write scripts thinking they are safe until someone proves otherwise. In all honesty, no SCRIPT is 100% hacker proof and maybe never will be with regards to coding.

The Token system? lol XOOPS and XOOPS Cube both use this system and does that make them both hacker proof? All the token system does is to make sure that the information comes from the form it was intended to come from. Any hacker with a little bit of knowledge can work around this. This sort of mechanics should be employed by the programmer and not the system and this is where most CMS fail.

In all honesty, the problem is not the core but the modules that fall flat (and even I have fallen short there) when it comes to the security of your website. As I said before, the internet does not stand still, standards change and move on and when this happens, code that is not maintained will then become susceptible to exploits.

The problem with XOOPS is that it relies on 3rd party developers for content and this means relying on 3rd party developers to keep their scripts up to date and working. If a developer stops maintaining their script and someone takes over development then all fair and well, but that doesn’t always happen. Without standards, guidelines and giving 3rd party developers more tools to use in the aid of developing their modules, this will always happen.

Don’t blame the core for these issues right now. XOOPS is as secure as any other CMS and maybe even safer. You need to start pointing the finger elsewhere now.
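
An added illustration of the form-token point made in the post above; it is not part of the original thread and is not XOOPS's own code. It shows what a per-form token check establishes (the request came from the rendered form) and that field validation in the module's handler is a separate step. All function and form names are hypothetical, and `$session` stands in for `$_SESSION`.

```php
<?php
// Added illustration, not XOOPS code. All names are hypothetical.
// $session stands in for $_SESSION so the script runs from the CLI.
function issue_form_token(array &$session, string $form): string
{
    $token = bin2hex(random_bytes(16));
    // One token per named form, valid for 10 minutes.
    $session['tokens'][$form] = ['value' => $token, 'expires' => time() + 600];
    return $token;
}

function check_form_token(array &$session, string $form, $submitted): bool
{
    $stored = $session['tokens'][$form] ?? null;
    unset($session['tokens'][$form]);   // single use, whether it passes or fails
    if ($stored === null || !is_string($submitted) || $stored['expires'] < time()) {
        return false;
    }
    return hash_equals($stored['value'], $submitted);   // constant-time compare
}

// Module-side handler. The token only shows the request came from our form;
// validating the submitted fields is still the module author's job.
function handle_download_edit(array &$session, array $post): string
{
    if (!check_form_token($session, 'download_edit', $post['token'] ?? '')) {
        return 'rejected: bad or missing token';
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'rejected: id is not a positive integer';
    }
    return "ok: would update record $id";
}

$session = [];   // constructed sample session

// 1. Post that never loaded the form: no token, refused.
echo handle_download_edit($session, ['id' => '7']), "\n";
// 2. Genuine form post with clean input: accepted.
$t = issue_form_token($session, 'download_edit');
echo handle_download_edit($session, ['token' => $t, 'id' => '7']), "\n";
// 3. Valid token but malformed field: only the field validation stops it.
$t = issue_form_token($session, 'download_edit');
echo handle_download_edit($session, ['token' => $t, 'id' => '7 OR 1=1']), "\n";
// 4. Re-sending the token from step 3: refused, it was already consumed.
echo handle_download_edit($session, ['token' => $t, 'id' => '7']), "\n";
```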

14
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 13:32

  • Anonymous

  • Posts: 0

  • Since:


Quote:
John_N wrote:

Xguide,

You need to start pointing the finger elsewhere now.


That's not going to happen as it looks like xguide has an agenda......

I see no harm in discussing site security as it helps keep it to the forefront of users' minds, which can only be a good thing.

However, I do have a problem with people like xguide who populate forums with misleading posts about a system being insecure. This not only plays on the minds of current users but will also put off potential new users, diverting them to other CMS systems which may well be less secure than xoops.

And then Google and other search engines start indexing the posts and thus a myth begins to perpetuate. Maybe we should all register at XOOPS Cube and other systems' homesites and, in the interests of fairness and equality, do likewise?

15
Catzwolf
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 13:51

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


Actually I don't have issues with people like XGuide doing what he is doing. If there are security issues then they should be brought to the attention of the XOOPS Core team?, Module developers and Community. Even if he is a little misguided in his approach to what is actually core and is actually a module.

However, you are right about everything else in the sense of existing and new users. It doesn't look good when you start seeing all of this and no one official to come in and actually rebuff these claims and help stem the tide that is starting to grow about this. This should have been dealt with in the correct manner to help elevate the growing fears and not let the confidence that people have start to fall.

16
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 15:29

  • Anonymous

  • Posts: 0

  • Since:


Quote:
John_N wrote:

It doesn't look good when you start seeing all of this and no one official to come in and actually rebuff these claims and help stem the tide that is starting to grow about this.


But enough "people in the know" have said as much but xguide seems not to listen.

Quote:
John_N wrote:

This should have been dealt with in the correct manner.......


...yes, but by both sides.

17
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 18:01

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


PM: davidl2 Re: Security 2007/3/27
PM: phppp authentication layer 2007/3/31

"Information was sent to moderators and core member. But I do not have any obligation to contribute or to code. I do audit to client to move to new cms. It was politest to comment and advise members of this project about security problems they already know they need to code new core."

The core was hacked 10 days ago, not the modules. You do stupid comments because XOOPS it is not your business product but an open source project and with your attitude professionals do not come to help you. Again you do not know what you are talking about, read XOOPS code and say there is not token. My clients are moving from xoops, XOOPS 2.0.16, 2.2, xoopscube, joomla and drupal to java cms.
It is business professional choice. I do a polite comment to XOOPS users because they need at minimum a module like protector it is not part of the core. But only stupid people reply useless to show ignorance! I do not use any xoops.

Good Luck.

18
davidl2
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 18:18

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


The core has not been hacked.

As John_N has pointed out - the issue listed was for a module called "Core"

I asked for additional information, and no information was sent by yourself.

I think that answers all the questions.

In the meantime, core developers and module developers have looked into issues - as they do as part of their own development work ... I'm sure if they think it is warranted, the Core team will address any issues when they feel it is required.

Module developers have already fixed the majority of known issues.. although obviously users have to take some responsibility by ensuring they update regularly and take the standard rudimentary pieces of security which are offered to them (ie - updating modules, checking permissions and ensuring security modules such as Protector are used)

If you want a totally 100% secure way of presenting information.. .let me suggest a wonderful device... it's called PEN and PAPER.

ALL ways of processing information have possible issues with security or abuse. Webservers can be hacked, file permissions can be set incorrectly, databases can crash, servers can suffer DOS attacks, the Earth can be swallowed by the Ravenous Bugblatter Beast of Traal... NOTHING IS CERTAIN.

19
skenow
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 18:22

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Apache has mod_security, XOOPS has Protector,
Windows has security add-ons, Linux has security add-ons.

Thanks for the 'useful' information, xguide.

20
Catzwolf
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 18:28

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


Let’s get one thing straight:

1. I am not stupid, and I dislike that people feel the need to talk to people in this manner. If you wish to be heard and respected then I suggest you act in a more professional manner.

2. You think you are the only person who has a business relationship with Xoops? Think again, I have been using XOOPS in a business capacity since it was more or less released.

I have written more modules than I care to mention for Xoops, either as an open source product or for companies whose business depends on Xoops. So don't try to dictate to me on this or call me stupid just because you think you are not getting your point over.

Now I applaud you for trying to help and with something that benefits the whole community but your continued acts come across more as anger than trying to help.

As I said, I saw no reference to the core in the site you referenced the other day, maybe I shall look again and be 100% sure.

Quote:
You do stupid comments because XOOPS it is not your business product but an open source project and with your attitude professionals do not come to help you. Again you do not know what you are talking about, read XOOPS code and say there is not token


Ok, try looking in the file 'root/class/xoopssecurity.php' and try looking through most of the code for references to this 'class' and you tell me that there is 'no' Tokens in Xoops. And, if that doesn't convince you, go Ask Ono and tell him that Catzwolf told you to go ask him and see what he says on this.

oh yeah, and see this link in this very forum....

Quote:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=58194&forum=28&post_id=257553#forumpost257553


Now, you are more than welcome to choose any CMS you wish, or even go and write one that does what you want. And I suggest you could start to conduct yourself in a polite professional business like manner while talking to people in this forum or any other one for that matter.
