31
wjue
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 16:56

  • wjue

  • Quite a regular

  • Posts: 315

  • Since: 2002/8/3 7


If you don't need recurring events admin, you can safely use Agenda-X v1.2.2 (even if register_globals are ON). Agenda-X beta 2 is still in beta phase, not really stable yet.

wjue


Quote:

svaha wrote:
Ok, I installed agendaX 2 Beta.
Where can I see if register_globals are off or on?

32
Brad
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 19:24

  • Brad

  • Not too shy to talk

  • Posts: 150

  • Since: 2003/12/4


Quote:
If you get "RegisterGlobalsOn" written on the screen, it is on

And when you perform this test and see that it is on, how do you go about turning them off when you're not hosting your own site?

Consider that I know very little about PHP, and thus Register Globals.

33
Mithrandir
Re: EMERGENCY: security hole of Agenda-X

Ask your host to turn off Register Globals. If your host doesn't know what it is... then switch host

34
Dave_L
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 20:33

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Re: turning off register_globals

A hosting service might be unwilling to do that because it could break other customers' scripts.

Depending on the server, an .htaccess file with the following contents might work:

php_flag register_globals off

35
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 21:06

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

Jan304 wrote:
I'm surprised at this post by GIJOE. I always thought he was posting in a professional way, but this... Scaring people like hell and advising to remove in place of fixing it. I hope not for own profit...

My Profit ?
Teach me any profit generated by that Agenda-X users is transferred to piCal.
Though I am proud that piCal is far more excellent than Agenda-X as Calendar or Event Manager Module,
I never recommend piCal to such a person who thinks that Agenda-X is better.
To begin with, comparing them is meaningless.

Quote:
Did you read whole of his article?
He wrote REMOVE it as same as my article.
-------------------------
Above-mentioned modified information is not information from the module manufacturer but temporary.
Therefore, when it is not possible to correct it in the self-responsibility, we will recommend the module to be made the temporary each folder save from the module manufacturer to open to the public of a formal correspondence version in the safe place (Inaccessible place according to WEB a browser etc.).
-------------------------

Quote:
You might check the Agenda-X 2.0 beta 2 version, I don't think this version has any security flaw.

No!
2.0 beta 2 has the same security hole.
Have you read the source codes ?

And the security hole of 1.2.2 or 2.0 beta 2 is found by me, not by onokazu.

I read the source and I had the conviction wjue does not have skills to be able to create modules which can be opened to the public.

The hole can be scared by only changing register_globals OFF, but I can't believe his skills any more.

Though the hole is caused by a third party module, the hole deteriorates the reputation of whole XOOPS.
In fact, the "slash dot news" wrote the articles which the security hole of Agenda-X is misunderstood that XOOPS's security hole.
Only writing that do not use the module which has security holes and lowers the reputation of whole XOOPS might be a "PROFIT" for all.

onokazu also wrote to the all of XOOPSers :
When you adopt a module made by the third party, you should ascertain the module enough.

36
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 21:32

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

wjue wrote:
I agree, scaring people in this manner is not a professional practice.

The security problem mentioned here occurs only if your PHP has register_global set to ON and "remote include" also set to on, "remote include" often causing security risk is well known. The latest version (1.2.2) I released is sufficiently safe. Users of 1.2.1 version can also adopt Onokazu's simple patch.

Amazed!
Do you think 1.2.2 is sufficiently safe under register_globals ON ?

If so, I have to say again "STOP USING WJUE's WORK".

You should read onokazu's kind patch again and again, and think where 1.2.2's hole.

37
Mithrandir
Re: EMERGENCY: security hole of Agenda-X

GIJOE, I think people are mainly objecting to the very harsh and personal tone in your posts.

For those of us, who aren't able to read Japanese, could someone give some highlights as to WHY Agenda-X is vulnerable and how to prevent these holes.

I write modules, but I have NO idea, whether it is a secure one or if there are similar problems with them. Therefore, I would be very happy to get some more guidelines as to how to avoid opening security holes.

38
wjue
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/14 23:26

  • wjue

  • Quite a regular

  • Posts: 315

  • Since: 2002/8/3 7


GIJOE,

As a Chinese gentleman, I wouldn't make such comments on any body.

And I am very sorry for your lacking of Etiquette and elegance.

Regards.

wjue

Quote:

GIJOE wrote:

And the security hole of 1.2.2 or 2.0 beta 2 is found by me, not by onokazu.

I read the source and I had the conviction wjue does not have skills to be able to create modules which can be opened to the public.


39
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 4:20

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi wjue.

If you have free time to write such a meaningless article,
you should release 1.2.3 that is patched by Onokazu immediately.

Though I never refer your human nature like you,
you have to express gratitude to Japanese XOOPS team - Onokazu & SUM -.
(your thanks of me are unnecessary.)

The most important skill for module developers is not that he never makes holes,
but that he repairs the holes immediately when it is reported by another well skilled programmer.

40
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 4:45

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi Mithrandir.

I'm sorry to have unpleasant time for my articles.
But as I wrote in subject, it is an emergency security hole.
Thus I have no time to select gentle words.
(And because of my poor skills for English.)

Removing all files of the module is only way to protect all of XOOPS site.
(Though .htaccess is a good manner, all of XOOPS site is not usable this)

If register_globals on, GPCS are registered as globals.
Although wjue had been reported its vulnerability from well skilled programmers like onokazu, he patched only G and says "sufficiently safe".

I feel that it is irreverent unworthy of a modules developer.

Quote:
I write modules, but I have NO idea, whether it is a secure one or if there are similar problems with them. Therefore, I would be very happy to get some more guidelines as to how to avoid opening security holes.

Of course, this is the most important thing.

----------------------------------------
the first operator of these functions:
include(), include_once(), require(), require_once()
should not be started by variables.
----------------------------------------

Though it differs accurately, pardon it by such an explanation please.
(I have little free time and little skill to explain the vulnerability plainly by English.)
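
The include/require rule quoted in the post above, turned into a source check, as an added example that is not part of the thread or of Agenda-X: it lists every include/require whose first operand is a variable and records whether that variable was assigned earlier in the same file (with register_globals on, a variable the script never assigns can arrive from the request). The sample PHP and its variable names are constructed, and the line-based regex is a heuristic, not a PHP parser.

```python
import re

# include/require plus its argument expression, up to the terminating semicolon.
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b\s*\(?\s*([^;]+);", re.I)
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)")  # `$x = ...`, not `$x == ...`

# Constructed sample module file (hypothetical names, not Agenda-X source).
SAMPLE_PHP = """<?php
// constructed sample
include $module_path . '/lang/english.php';
require_once(XOOPS_ROOT_PATH . '/header.php');
$tpl_dir = dirname(__FILE__) . '/templates';
include_once($tpl_dir . '/list.php');
include 'config.php';
"""

def audit_includes(php_source):
    """Return (line_no, statement, variable, assigned_earlier) for every
    include/require whose first operand is a variable."""
    findings = []
    assigned = set()  # variables given a value earlier in this file
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):
            continue  # skip whole-line comments only
        m = INCLUDE_RE.search(code)
        if m:
            first = VAR_RE.match(m.group(2))  # match() anchors at the operand start
            if first:
                var = first.group(0)
                findings.append((line_no, m.group(1).lower(), var, var in assigned))
        a = ASSIGN_RE.match(code)
        if a:
            assigned.add(a.group(1))
    return findings

if __name__ == "__main__":
    for line_no, stmt, var, assigned_earlier in audit_includes(SAMPLE_PHP):
        note = "assigned earlier, review" if assigned_earlier else "never assigned in file"
        print(f"line {line_no}: {stmt} starts with {var} ({note})")
```

Statements built from a constant or a string literal are not reported; a reported variable that is only assigned inside a conditional still needs a manual read.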
