11
peterr
Re: Is 2.2.3 final 'hacker proof' ?
  • 2007/4/7 11:33

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

McDonald wrote:
You also might want to update your WF-Links module.
Last week WF-Links was updated because of a security hole.


Thanks for that, good work. I see David mentioned mambo users have had similar problems.

Thanks everyone for your help. :)
NO to the Microsoft Office format as an ISO standard.
Sign the petition

12
peterr
Re: Is 2.2.3 final 'hacker proof' ?
  • 2007/4/7 11:42

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Some advice from SANS in reference to the particular issue.

They recommend ..

register_globals = Off

allow_url_fopen = Off
NO to the Microsoft Office format as an ISO standard.
Sign the petition

13
peterr
Re: Is 2.2.3 final 'hacker proof' ?
  • 2007/4/7 12:35

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


I just tried what the hacker did, by directly parsing the SQL code, and it displays the 'webmaster/admin' username, plus the (encrypted) password, ..... yikes, I'm taking both sites off the air for a few days.

Good that the XOOPS member community is well informed on these matters, thanks.

Peter
NO to the Microsoft Office format as an ISO standard.
Sign the petition

14
peterr
Re: Is 2.2.3 final 'hacker proof' ?
  • 2007/4/9 5:25

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Something I realised later, was that the username and password were only allowed to be displayed (I tried what someone else tried on my site), because I have not changed the XOOPS table prefix name.

So, when I reload the site, it will be quite different.
NO to the Microsoft Office format as an ISO standard.
Sign the petition

15
peterr
Re: Is 2.2.3 final 'hacker proof' ?
  • 2007/4/9 8:57

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Assuming someone was able to decrypt the password they got from my site, and were then able to login, what is the 'worst' they can do ?

I don't have any "file manager" type modules, only headlines, smartsection, sitemap, contact form, and will put wflinks back later.

They can't upload any php files and then execute them can they ??

Or, modify any php files ?? If they ran a phpinfo, the website then is compromised, not just XOOPS part of it, because then they have the website login.

Is it only 'blocks' that can be changed, and then only with HTML code. I don't see how any PHP code can be added or changed, that's all.

I'd like to know the potential risks, .... considering changing the site to all HTML, .. maybe !!!
NO to the Microsoft Office format as an ISO standard.
Sign the petition

16
Dave_L
Re: Is 2.2.3 final 'hacker proof' ?
  • 2007/4/9 9:17

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Custom blocks can contain PHP code. So if someone can create or edit custom blocks, he can insert his own PHP code.

17
davidl2
Re: Is 2.2.3 final hacker proof ?
  • 2007/4/9 15:20

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


2.2.5rc2 would be a better choice .. and get into a regular backup routine.

As I said in another post recently, there's no such thing as a totally secure system.. except pen and paper... so just make sure you've taken the relevent precautions.

(Some good times on a security feature at http://www.xoopsinfo.com)

18
peterr
Re: Is 2.2.3 final hacker proof ?
  • 2007/4/10 5:36

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

davidl2 wrote:
2.2.5rc2 would be a better choice .. and get into a regular backup routine.


As I'm going to redo the site from scratch, I would have thought 2.0.16 was a better choice than 2.2.5rc2, in terms of the upgrade path ?

Regular backups - the shared server is of course backed up each day, but I can do my own full backups, possibly these can be automatted as a cron job. I may look into a cron job that checks the site every day, to check if any files have been modified.

Quote:

davidl2 wrote:
As I said in another post recently, there's no such thing as a totally secure system.. except pen and paper... so just make sure you've taken the relevent precautions.


Or make the site all html maybe ? Precautions - yes, I'll be doing some things a lot differently

Quote:

davidl2 wrote:
(Some good times on a security feature at http://www.xoopsinfo.com)


Yes, I have read some of that. Surely even if mainfile.php is below/outside the web root path, some PHP code in a custom block could do a recursive 'dir' search and find the file/s though ?

Thanks !!
NO to the Microsoft Office format as an ISO standard.
Sign the petition

19
MadFish
Re: Is 2.2.3 final hacker proof ?
  • 2007/4/10 6:44

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


Quote:
Regular backups - the shared server is of course backed up each day, but I can do my own full backups, possibly these can be automatted as a cron job. I may look into a cron job that checks the site every day, to check if any files have been modified.


I suggest that you do not rely on your host's backups, but make your own *local* copy as well. It is not unheard of for a hosting company to vanish overnight, restore old backups over the top of your site, have their computers suddenly seized by the government for this or that reason, or to get hit by lightning and have their servers/backup facility totally fried and all their (your) data with it.

At least, it doesn't seem to be unusual around here

20
peterr
Re: Is 2.2.3 final hacker proof ?
  • 2007/4/10 6:57

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Yes, I have my own local copy (HDD), plus it is backed up to CD. The full backup from the host is also downloaded locally. As the site doesn't change much at all, the full backups that I have are as much as i can do, in effect, a suitable and appropriate restore point.

The host I'm with is very reliable, but I realise that doesn't mean the site might not go off the air for a day or so, it has in the past, and it is restored back to the last 'good' backup.

If no files are being changed (content wise), then the only changes at all on the website are the db and the web server logs, so I could do incremental backups of those, weekly or even daily.

Some means of extra 'monitoring' is also needed; I'm not sure what that is yet.
NO to the Microsoft Office format as an ISO standard.
Sign the petition

Login

Who's Online

318 user(s) are online (261 user(s) are browsing Support Forums)


Members: 0


Guests: 318


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits