11
Anonymous
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/12 9:30

  • Anonymous

  • Posts: 0

  • Since:


Interesting chat, guys.

Thank you, Vaughan, for thinking of XOOPS users. Thank you, Wishcraft, for updating the module so quickly.

Please can you both remember to keep your posts civil and polite in future? There's no place on here for personal abuse. If there's any doubt as to what is acceptable, please see this.

Also, there's no place on here for a public inter-project dispute. Both projects have a lot in common (obviously!) and users from on here have been treated curteously when posting over on impresscms.org; I expect the same standards on here when impresscms.org members and devs post.

Thank you both

John V
Forum Moderator

12
giba
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/12 9:47

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Hi wishcraft, Vaughan, JAVesey and all xoopers.

The issue here is advise the developer on the problem and this is completely ignored.

It is a pity that in my paiz not have a person who honestly tell me about a security point where is the problem and proposing a solution.

This is independent of cms being used. But there is a real difference in this aboradagem, verification of entry and verification of removal.

In this case, the module allows the failure to inject the malicious code, that is a fact and is proven.

The developer corrects this problem very quickly. But this does not guarantee that will be safe. The reason is the output of data. The hacker has prevented at the time the module has failed to deploy another code to extract data and using a javascript common?

The answer to this is the way to check the output of data. At this point there is a differential in favour of XOOPS Cube and XOOPS and impresscms are still vulnerable.

What I am talking here is based on our experience in suffering with this type of problem, because we already know of some practices used by crakers and idiots who insist on trying misrepresenting the house outside.

13
Anonymous
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/12 11:00

  • Anonymous

  • Posts: 0

  • Since:


Thank you Giba.

Quote:
Giba wrote:

At this point there is a differential in favour of XOOPS Cube and XOOPS and impresscms are still vulnerable.


This is why it is important that relations between the projects remain civil and cordial; we can all learn from one another to our collective mutual benefit.

Egos and personal disputes should be set aside.

14
xgarb
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/15 14:55

  • xgarb

  • Not too shy to talk

  • Posts: 154

  • Since: 2003/3/30


Thanks Vaughan for sticking with that explanation to the end.

Wishcraft - Thanks for the work you're doing for XOOPS but you really need to keep an open mind when it comes to web server security and potential problems - exploits are rarely obvious these days.

I'm working my way through this book at the moment.. it's well reviewed... http://www.oreilly.com/catalog/phpsec/

Login

Who's Online

342 user(s) are online (220 user(s) are browsing Support Forums)


Members: 0


Guests: 342


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits