If you don't need recurring events admin, you can safely use Agenda-X v1.2.2 (even if register_globals are ON). Agenda-X beta 2 is still in beta phase, not really stable yet.

wjue


Quote:

Quote:
And when you perform this test and see that it is on, how do you go about turning them off when you're not hosting your own site?

Consider that I know very little about PHP, and thus Register Globals.

Ask your host to turn off Register Globals. If you host doesn't know, what it is... then switch host

Re: turning off register_globals

A hosting service might be unwilling to do that because it could break other customers' scripts.

Depending on the server, an .htaccess file with the following contents might work:

Quote:
My Profit ?
Teach me any profit generated by that Agenda-X users is transferred to piCal.
Though I proud that piCal is far more excellent than Agenda-X as Calendar or Event Manager Module,
I never recommend piCal to such a person who thinks that Agenda-X is better.
To begin with, comparing them is meaningless.

Quote:
Did you read whole of his article?
He wrote REMOVE it as same as my article.
-------------------------
Above-mentioned modified information is not information from the module manufacturer but temporary.
Therefore, when it is not possible to correct it in the self-responsibility, we will recommend the module to be made the temporary each folder save from the module manufacturer to open to the public of a formal correspondence version in the safe place (Inaccessible place according to WEB a browser etc.).
-------------------------

Quote:
No!
2.0 beta 2 has the same sacurity hole.
Have you read the source codes ?

And the security hole of 1.2.2 or 2.0 beta 2 is found by me, not by onokazu.

I read the source and I had the conviction wjue does not have skills to be able to create modules which can be opened to the public.

The hole can be scared by only changing register_globals OFF, but I can't believe his skills any more.

Though the hole is caused by a third party module, the hole deteriorates the reputation of whole XOOPS.
In fact, the "slash dot news" wrotes the articles which the security hole of Agenda-X is misunderstood that XOOPS's security hole.
Only writing that do not use the module which has security holes and lowers the reputation of whole XOOPS might be a "PROFIT" for all.

onokazu also wrotes to the all of XOOPSers :
When you adopt a module made by the third party, you should ascertain the module enough.

Quote:
Amazed!
Do you think 1.2.2 is sufficiently safe under register_globals ON ?

If so, I have to say again "STOP USING WJUE's WORK".

You should read onokazu's kind patch again and again, and think where 1.2.2's hole.

GIJOE, I think people are mainly objecting to the very harsh and personal tone in your posts.

For those of us, who aren't able to read Japanese, could someone give some highlights as to WHY Agenda-X is vulnerable and how to prevent these holes.

I write modules, but I have NO idea, whether it is a secure one or if there are similar problems with them. Therefore, I would be very happy to get some more guidelines as to how to avoid opening security holes.

GIJOE,

As a Chinese gentleman, I wouldn't make such comments on any body.

And I am very sorry for your lacking of Etiquette and elegance.

Regards.

wjue

Quote:

hi wjue.

If you have free time to write such a meaningless article,
you should release 1.2.3 that is patched by Onokazu immediately.

Though I never refer your human nature like you,
you have to express gratitude to Japanese XOOPS team - Onokazu & SUM -.
(your thanks of me are unnessary.)

The most important skill for module developpers is not that he never makes holes,
but that he repairs the holes immediately when it is reported by another well skilled programmer.

hi Mithrandir.

I'm sorry to have unpleasant time for my articles.
But as I wrote in subject, it is an emergency security hole.
Thus I have no time to select gentle words.
(And because of my poor skills for English.)

Removing all files of the module is only way to protect all of XOOPS site.
(Though .htaccess is a good manner, all of XOOPS site is not usable this)

If register_globals on, GPCS are registered as globals.
Although wjue had been reported its vulnerablity from well skilled programmers like onokazu, he patched only G and says "sufficiently safe".

I feel that it is irreverent unworthy of a modules developper.

Quote:
Of course, this is the most important thing.

----------------------------------------
the first operator of these functions:
include(), include_once(), require(), require_once()
should not be started by variables.
----------------------------------------

Though it differs accurately, pardon it by such an explanation please.
(I have little free time and little skill to explain the vulnerablity plainly by English.)