41
Dave_L
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 4:53

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
the first operand of these functions:
include(), include_once(), require(), require_once()
should not start with a variable.


For example: include_once ("$variable/functions.inc.php");
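The rule quoted above, turned into an audit check as an added example (not code from this thread or from Agenda-X): it tokenizes PHP source and flags every include/require whose first operand begins with a variable; the sample input at the bottom is constructed from the lines discussed in this thread.

```php
<?php
// Added example, not code from the thread or Agenda-X: a token-based audit for
// the rule quoted above (the first operand of include/require[_once] must not
// start with a variable, which register_globals=on lets a request supply).
function findVariableIncludes(string $source): array
{
    $keywords = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $tokens   = token_get_all($source);
    $n        = count($tokens);
    $findings = [];
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || !in_array($tok[0], $keywords, true)) {
            continue;
        }
        // Skip whitespace and an optional '(' that follows the keyword.
        $j = $i + 1;
        while ($j < $n && ($tokens[$j] === '(' || (is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE))) {
            $j++;
        }
        $first = $tokens[$j] ?? ';';
        $next  = $tokens[$j + 1] ?? ';';
        // Flag include($path . ...) and include("$path/...") alike; a literal
        // or a constant such as XOOPS_ROOT_PATH in first position is fine.
        $bare   = is_array($first) && $first[0] === T_VARIABLE;
        $quoted = $first === '"' && is_array($next) && $next[0] === T_VARIABLE;
        if ($bare || $quoted) {
            $findings[] = ['line' => $tok[2], 'keyword' => $tok[1]];
        }
    }
    return $findings;
}

// Constructed sample mirroring the lines discussed in this thread.
$sample = <<<'PHP'
<?php
include($agendax_path."/checkemail.inc.php");
include_once ("$variable/functions.inc.php");
require_once XOOPS_ROOT_PATH.'/modules/agendax/i18n.php';
require_once './config.inc.php';
PHP;

foreach (findVariableIncludes($sample) as $f) {
    echo "line {$f['line']}: {$f['keyword']} starts with a variable\n";
}
```

Run it over a module's files to get a list of candidate sites; each hit still needs a human to confirm whether the variable is set from a config file included earlier (as the fixes later in this thread do) or can be left unset.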

42
Olorin
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 4:58

  • Olorin

  • Just popping in

  • Posts: 50

  • Since: 2003/7/5 1


Knowing how friendly to XOOPSers you are, I'm really disappointed with you this time, GIJOE. If you believe you are capable of fixing the security hole, and are confident that wjue is unable to fix it, why don't you help wjue make a secure Agenda-X....

And I'm afraid it's quite natural for us to think GIJOE concealed onokazu's post, which solves this problem, on purpose, since I know you must have known about the temporary fix information on xoops.jp when you started this thread....

You said wjue must take you for his foe. But, as for me, it seems to be you that takes wjue for your foe...

Unfortunately, I'm not a skilled PHP coder, though I want to know the cause of this security hole. What was the problem? Is this security hole only related to register_globals? What about open_basedir, or safe_mode?

You said Agenda-X would damage the value and quality of XOOPS. Moreover, you stated pical deserves to be the no. 1 calendar module...

But what is XOOPS at all? XOOPS itself consists of thousands of ordinary users who know nothing about PHP. What we have to care about is not the name of XOOPS, but the community of XOOPS itself... Do you still want to keep developing such a top-notch module even if nobody uses XOOPS?

Well, what I want to say is that many people still use agenda-x, and they don't want to lose the data. However, you suggested that they should remove agenda-x and use other alternatives, which results in abandoning the past data.

Of course, considering its potential threat, it is the best way to remove the module, though...

==The files which need fixing==
- modules/agendax/addevent.inc.php
- modules/agendax/i18n.php
- modules/agendax/config.inc.php
- modules/agendax/admin/admin_header.php

- modules/agendax/addevent.inc.php
BEFORE
Quote:
include($agendax_path."/checkemail.inc.php");

AFTER
Quote:
require_once './config.inc.php';
include($agendax_path."/checkemail.inc.php");


- modules/agendax/i18n.php
BEFORE
Quote:
include_once $agendax_path.'/gettext.php';

AFTER
Quote:
require_once './config.inc.php';
include_once $agendax_path.'/gettext.php';

- modules/agendax/config.inc.php
BEFORE
Quote:
$agendax_path = XOOPS_ROOT_PATH.'/modules/agendax';

AFTER
Quote:
if (!defined('XOOPS_ROOT_PATH')) {
exit();
}
$agendax_path = XOOPS_ROOT_PATH.'/modules/agendax';

- modules/agendax/admin/admin_header.php
BEFORE
Quote:
if (!isset($agendax_path)) $agendax_path = XOOPS_ROOT_PATH.'/modules/agendax';
if (!isset($agendax_path)) $agendax_url = XOOPS_URL.'/modules/agendax';

AFTER
Quote:
require_once '../config.inc.php';

43
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 5:26

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi Olorin.
Quote:
And it was quite natural of us to think GIJOE concealed onokazu's post which solves this problem on purpose. I know you must have known the information on xoops.jp for the temporary fix when you started this thread....

I concealed? Why?
Do you know that the news article can't be quoted?
And I believe that you know the XOOPS meeting was held yesterday, and you must have seen the articles saying I'm very busy with the event at my daughter's kindergarten.
I did my best about it.
As I wrote, I believe that removing the files is the only way to protect all XOOPS sites.
Can you imagine the cost of translating the news articles?
([ code ] tags can't be used by my auto-translator.)
Since you've translated the article, you know it is too expensive for me.

The top priority for me is my family, followed by all XOOPSers.

Quote:
Well, what I want to say is that many people still use agenda-x, and they don't want to lose the data. However, you suggested that they should remove agenda-x and use other alternatives, which results in abandoning the past data.

Did you read my articles carefully?
I wrote "DEACTIVATE and REMOVE". I never wrote "UNINSTALL".
Do you think the data of Agenda-X will be lost?

44
GIJOE
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 5:49

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

If you believe you are capable of fixing the security hole, and are confident that wjue is unable to fix it, why don't you help wjue make a secure Agenda-X....

Of course, I can repair the hole.
But the correct patch had already been released by onokazu, and he kindly sent it to wjue by email, as you know.
I believe that you can imagine the meaning and the importance of onokazu making a patch just for a third-party module.

Unbelievably, wjue ignores onokazu's patch.

What could I do?
What can I do?

And you know that the patch reveals the holes to crackers.
If I had shown the patch here at first, many sites would have been cracked.

I am never disappointed with Olorin, because I believe you can understand what I mean.
Thanks.

45
sum
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 7:03

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12


I don't know whether he concealed onokazu's post.
I also think there is a fault in the point that the link to the fix
that followed immediately afterwards was not shown.
Quote:
You said Agenda-X would damage the value and quality of XOOPS.

To our regret, in Japan it was recognized as a "use of XOOPS" problem with the first report.
This was a very insufficient report, though it was not a mistake.
Actually, this problem happens simply because the relevant file is placed
somewhere accessible from a browser, even if there is no XOOPS.
When the administrator has carefully configured PHP beforehand, the damage is very small.
It alone might not have any influence either.

And it is not only that content can be stolen; it is serious in the point
that falsification (planting a new security hole) is possible.
It is already a reality.
If you continue to use agenda-x and other XOOPS content,
you need to stop them and move them "temporarily" out of reach.
And you should confirm that they have not been falsified.
I think that such information disclosure to users
of Agenda-X version 1.2.1 and earlier is at present insufficient.

Separately, I think that we should discuss the safety of version 1.2.2 and above.
And I hope then to be able to offer the topic of safe operation methods
not only to the module developer but also to the operations side.

46
sum
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 8:16

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12


I'm sorry for frightening you. It is likely not to be a problem in a lot of cases.
As wjue and other people say: there might be no worry if it is "register_globals = OFF".

However, I know there are users who set it to "ON" to run another program.
In that case, if they carefully set a proper value
in each individual directory, it doesn't become a problem.

We noticed that it can actually happen when various other factors intertwine.
It is useless only to pray.

47
Olorin
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 8:52

  • Olorin

  • Just popping in

  • Posts: 50

  • Since: 2003/7/5 1


Well, you are absolutely correct. I'm quick-tempered and easily get emotional, which often ends up in misconceptions.

Agenda-X users don't need to drop their database... That's true. To remove the files is one thing; to uninstall the module is quite another.

From a security point of view, you should be careful when you release detailed information on the vulnerability so that silly script kiddies don't get a toy to play with. It is common knowledge to prevent what is called a "zero-delay attack" from happening, right?

And my rude conspiracy theory is really nonsense. What is worse, the Valentine event completely slipped my mind... Please forget about it if you like. I'm very sorry for saying too much.

Even so, I'm afraid you were offensive enough to leave me lost. This is certain at the very least.

Anyway, I hope nobody will be attacked.

48
Anonymous
Re: EMERGENCY: security hole of Agenda-X
  • 2004/2/15 9:49

  • Anonymous

  • Posts: 0

  • Since:


Hi,
I think....
The corrected version does not seem to be being made readily, so why isn't the information disclosed so that the damage is kept to a minimum?

49
Jan304
Security fix of Agenda-X - No Panic needed - Just apply fix
  • 2004/2/15 10:04

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


Well, I think the hole could have been fixed immediately, without all this press attention, if GIJOE had mailed wjue instead of posting this sort of nonsense and recommending to remove that module (and of course not saying clearly to install his -oh so perfect- module).

So, to make everything clear:
- There is no need to panic if you have register_globals off.
- If register_globals is on (which is needed for some old modules) then you might wanna turn it off or apply the fix from onokazu. (The fix works, even if someone else (like GIJOE for example) says it is not.)

And for now I stop posting in this thread, it is going way off the road...

Edit: Safe version:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=16705&forum=4&post_id=70308

50
sunsnapper
Re: Security fix of Agenda-X - No Panic needed - Just apply fix

My read of this, allowing a wide margin for English difficulties, is that...
- A security hole was found in a third party module and reported to slashdot.
- A fix was made and sent to the developer.
- The developer did not release the fix (not sure why).
- Frustration developed because the developer did not release the fix in the release version (maybe the Beta was fixed? not sure)
- A post was made here to alert the XOOPS community to the security issue.
- With English not being the primary language of everyone involved, communication difficulties developed... fueled by frustration.

I think it is worth noting that a fix was made, so there is no great cause for alarm. If I am reading the thread correctly, a fix was sent to the developer, but, not released by the developer... hence the frustrated post here. Most of the rest of the "heat" of this thread has been caused by communication difficulties... with people struggling with English, I try to overlook the lack of diplomatic language.

I also see that the developer has released an updated version of the module with a fix included.
