1
Kiwi_Chris
Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 10:42

  • Kiwi_Chris

  • Just popping in

  • Posts: 79

  • Since: 2009/1/3 2


Hi a friend of mine made comment that my site may have security holes
and suggested I read up about google XSS hole.

It makes for interesting reading.

I just thought I would ask XOOPS Experts, do you think the XOOPS CMS is at risk.

Or what measures should I take to protect my site and my users?

Your help is much appreciated.

Thank you.

2
Mamba
Re: Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 11:08

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


This is a good guide to making your site more secure
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

3
Kiwi_Chris
Re: Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 11:45

  • Kiwi_Chris

  • Just popping in

  • Posts: 79

  • Since: 2009/1/3 2


Thank you for this link, I have read and I think most of that is already done on my site,

I moved data and lib to home directory as apposed to temp folder, and manfile is 444,

this is what XOOPS system overview says



* XOOPS Version: XOOPS 2.3.3
* PHP Version: 5.2.9
* MySQL Version: 5.0.67-community
* Server API Version: cgi-fcgi
* OS Version: Linux
* safe_mode: Off
* register_globals: Off
* magic_quotes_gpc: On
* allow_url_fopen: Off
* fsockopen: On
* allow_call_time_pass_reference: On
* post_max_size: 130M
* max_input_time: 60
* output_buffering:
* max_execution_time: 60
* memory_limit: 64M
* file_uploads: On
* upload_max_filesize: 130M

Does this mean I am now protected against Cross-site scripting (XSS)?


In Protector it says

'XOOPS_TRUST_PATH' :
Check php files inside TRUST_PATH are private (it must be 404,403 or 500 error
If you can look an image -NG- or the link returns normal page, your XOOPS_TRUST_PATH is not placed properly. The best place for XOOPS_TRUST_PATH is outside of DocumentRoot. If you cannot do that, you have to put .htaccess (DENY FROM ALL) just under XOOPS_TRUST_PATH as the second best way.

'register_globals' : off ok

'allow_url_fopen' : off ok

'session.use_trans_sid' : off ok

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager

'mainfile.php' : missing precheck Not secure
You should edit your mainfile.php like written in README.

---------------------------

Obviously I am a noob with this,

I am afraid to change the XOOPS database prefix as the site is already running.
I can't find XOOPS trust path.


4
ghia
Re: Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 13:55

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
I moved data and lib to home directory as apposed to temp folder, and manfile is 444,
I think you missed the point for the trust path. It is meant to be outside the web root.

The XOOPS_TRUST_PATH is defined in your mainfile.php (as alias to xoops_lib) and should also result to outside the web root.

Quote:
'mainfile.php' : missing precheck Not secure
This has to be set for allowing Protector to operate. Last part of mainfile.php should look like this:
// Temporary solution for extra protector module. To be refactored
    // Set the following value as true if you want to enable protector module
    
$ENABLE_PROTECTOR true;

    if ( !empty(
$ENABLE_PROTECTOR) ) {
        @include 
XOOPS_TRUST_PATH '/modules/protector/include/precheck.inc.php';
    }
    if (!isset(
$xoopsOption["nocommon"]) && XOOPS_ROOT_PATH != "") {
        include 
XOOPS_ROOT_PATH."/include/common.php";
    }
    if ( !empty(
$ENABLE_PROTECTOR) ) {
        @include 
XOOPS_TRUST_PATH '/modules/protector/include/postcheck.inc.php';
    }


Check if Protector runs ok by the 2 links in the Protect center (admin protector). It should make entries in the log of Protector.

Protector offers a function to rename all tables in the database with a prefix. (Always backup before doing such major database operations!)

The risk of XSS is not a question of the XOOPS core alone, also modules may be vulnerable. There is no 100% fail safe. Checking regulary for security alerts or module updates on XOOPS.org, together with Protector and the correct install of your site will prevent a lot of problems.
Also regular analysis of access logs from Apache is a must.


5
Kiwi_Chris
Re: Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 14:58

  • Kiwi_Chris

  • Just popping in

  • Posts: 79

  • Since: 2009/1/3 2


hi, and thank you for taking all this time to support me, it is much appreciated.

I meant to say I have moved lib and data out of public_html and into my home directory below www / public access.

I will follow your other instructions, and report back if I have any issues.

I am still not confident in playing with database prefixes, but the rest should be fine.

6
Kiwi_Chris
Re: Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 15:24

  • Kiwi_Chris

  • Just popping in

  • Posts: 79

  • Since: 2009/1/3 2


Ok patched Manfile, with success,


'XOOPS_TRUST_PATH' :
Check php files inside TRUST_PATH are private (it must be 404,403 or 500 error
If you can look an image -NG- or the link returns normal page, your XOOPS_TRUST_PATH is not placed properly. The best place for XOOPS_TRUST_PATH is outside of DocumentRoot. If you cannot do that, you have to put .htaccess (DENY FROM ALL) just under XOOPS_TRUST_PATH as the second best way.

When using the inbuilt link i get 404 which is good.

'register_globals' : off ok

'allow_url_fopen' : off ok

'session.use_trans_sid' : off ok

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager

'mainfile.php' : patched ok


From by view point that's all but database sorted.
and I don't understand enough about what it is saying to play with the database,

what happens when I change the database prefix, does it change the existing ones for me?

are they updated manually through php admin?




7
ghia
Re: Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 16:24

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


AFAIK (never tried myself), Protector will make a copy of all the tables in your database with a new prefix. Then you can adapt mainfile.php to use this second set of tables. After that and when everything works ok, you can delete the original set of tables (with the XOOPS prefix).

8
Mamba
Re: Security Question [Cross-site scripting (XSS)]
  • 2009/4/3 17:54

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


Quote:
AFAIK (never tried myself), Protector will make a copy of all the tables in your database with a new prefix. Then you can adapt mainfile.php to use this second set of tables. After that and when everything works ok, you can delete the original set of tables (with the XOOPS prefix)
.
I did it couple of times, and didn't have any problems.
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

Login

Who's Online

502 user(s) are online (372 user(s) are browsing Support Forums)


Members: 0


Guests: 502


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits