Hi all, I would like to say something IMHO important about XOOPS maintaining and upgrading.

I have different sites running since some years, they are visited and the communities are active, but happened that my sites were hacked more times (even keeping the codes upgraded).

Each time I had to fix everything and search blindly on the web for other similar problems, take 1 by 1 each module and go to different home pages (many times not existing anymore) not being able to have a clear image of the situation, searching here and there, loosing time etc.

Would be nice and very useful to have a clear/simple section, on this XOOPS website, similar to this one: http://secunia.com/search/?search=xoops with a complete list of the known vulnerabilities, sorted by module name, and where to download bug fixes or patches.

Right now my site has been hacked another time by turkish hacker, it was updated to the last version, with Protector installed, they messed up completely the forum, ecal calendar module and wf-section, also (i don't know how they did) many permissions on the web hosting were messed up.

But I have several other modules installed, but I have no idea where to go or check if I still have vulnerabilities on my sites.

Is it possible to create and maintain a detailed section of the known bugs and vulnerabilities of the various modules? Without going to search to 100 places with half of the expired or not existing...

What do you think about that?

PS: Sorry for my not good english.

Quote:

No problem documenting known bugs other than the fact that there's an awful lot of modules and it might be an administrative nightmare, but my personal view is that it might not be wise to catalogue known vulnerabilities until after they have been patched and modules updated. Why give these dratted spammers and hackers the information that they need? Yes, I know that some information is available elsewhere but much of that doesn't relate to current modules and code.

It's better for the developers to update to the code and then tell us what's been done, I feel. But this is very much MHO, of course.

An up-to date module repository would be the Eutopian ideal

I suspect that what you ask for with regard to an up-to-date repository of current modules is one of the goals of those working behind the scenes here on xoops.org.

Quote:

Your English is very good

Making summary information about XOOPS vulnerabilities will definitely help hackers, but I am not so sure it will make webmasters more responsible about patching their sites.

The most common factor in sites getting hacked is probably because they didn't keep up to date with security patches. Unfortunately most people do not take this seriously until they have a problem (they also don't take backups seriously until they have a problem).

WF-Sections just had a security update (see the news) (sorry I was thinking of something else). If you post a list of the modules you are using people will probably be able to give you some advice on whether there are known problems.

Generally speaking it is best to stick to modules that are actively supported and widely used. Avoid experimental modules on production sites. The only real defence is to make sure you have an up to date backup. If you don't have a backup, you don't have a site - what you have is an train wreck waiting to happen.

arrakis, currently there is no good solution.
You have to keep eyes on websites of your module developers, just like how you watch xoops.org or sf.net/projects/xoops for new releases of XOOPS

Apart from this point, concerning those modules reported as vulnerable, most had already been retired, some already had new updates PRIOR TO those reports. It's hard to guess his purposes of making such reports.

Quote:

Some may even suspect an ulterior motive...

I think temporarily removing modules with known vulnerabilities from the module repository is a good idea (just until they are fixed).

I don't know if there a way to kick people into patching their sites. Have to learn the hard way.

The Turkish hacker also got about 6 of my sites and they were not all just Xoops. He exploits the cache somehow and uses the admin.menu to alter a lot of things. You have to leave the cache chmodded at 777 or else it will not let you log in as admin. Every site he hacked on XOOPS his altered admin.menu had to be erased before you can get back in to admin. He also tries to exploit the faq and then get into the cache.