11
frankblack
Re: Exploit on xoops 2.3.3
  • 2009/6/23 7:17

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


Quote:
"Bug" is in protector, not core. Actually, It is not a bug because protector is not meant to be in public directory. If you show this as a "bug" to GIJOE he will laugh at your face.


Seems to be that some people have problems with my attitude or my opinions? I can cope with that. Protector not being part of the core, but shipped with the distribution. Hmm, so Protector is nearly core or half core or optional? Who maintains the module? GIJOE himself? Doubt that.

Protector is not meant to be in public directory? Go tell the people who have no choice. Don't come now with the argument to get a better hoster.

Just my 2 euro cents...

12
ghia
Re: Exploit on xoops 2.3.3
  • 2009/6/23 7:59

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
Hmm, so Protector is nearly core or half core or optional? Who maintains the module? GIJOE himself? Doubt that.
Protector is a module of GIJoe and he maintains it.
The module is not part of the XOOPS core or necessary to have for operating XOOPS. But its a bad world outside on the internet and Protector offers some valuable functions to harden your site against several attack types. Its like a safety belt in your car: not needed to drive, but somehow indispensable.

Quote:
Protector is not meant to be in public directory? Go tell the people who have no choice. Don't come now with the argument to get a better hoster.
You have always the choice of a better hoster!

Protector is designed to get the additional security by placing the most of the source code outside the document root. If you install it otherwise it will doing more harm then good (When you wear the car belt not in the proper manner, you could get strangled.)
For the people who have the Protector module in the document root (xoops_lib and xoops_data), they should at least rename them with a prefix. Further protection can be made by .htaccess files.

But having a place outside the document root is what qualitative PHP hosters distinguish from HTML hosters, yet being still very affordable.

13
trabis
Re: Exploit on xoops 2.3.3
  • 2009/6/23 21:23

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


I addressed this issue in SVN (look on XoopsModules). I've added a registry class and deprecated the use of globals. $mydirname, $mydirpath, $xoopsConfig['language'] are now stored and delivered by this class. Direct file access to this private files will cause an exit. preg_replace() is not needed now. We hope to deliver 2.3.4 in less than 2 weeks.

@Frank: You should not cross your arms and blame others. If you care that much then step on and help us. You're welcome.

Login

Who's Online

166 user(s) are online (118 user(s) are browsing Support Forums)


Members: 0


Guests: 166


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits