Hi all,

I'm interested in making my XOOPs 2.0.6 install as secure as possible. The reason is that my current site (mostly html, a few perl scripts) is subject to, on average, 20 or so hack attempts a day. None have succeeded thankfully, due to vigilance on the part of my hosting company and myself.

Most of these attempts are lame script exploit type of things, but I'm worried that when I moved my (fairly large) site over to Xoops, there are a whole bunch of new things that could be exploited.

Specifically I'm worried about things like all these 777 CHMOD'ed directories we're required to have.

I would like to request the experienced Xoopsers to share their knowledge of strategies to secure xoops. Some areas I have in mind are:

1. Best practices for directory and file permissions - still confused on what these should be for upload type dirs - some say 777, some 770, some 666 or 655 !
2. MySQL vulnerabilities - eradicating places where SQL can be injected
3. HTML vulnerabilities - submitters sending malicious code

Of course, anything security related is welcome. Incidentally, I'm running on a hosted environment (Linux/Apache) like most people here I imagine.

Thanks much,

Amok

It really depends on how secure you want to make it. For example, creating a completely closed site where user registration must be approved by you would be a good first step.

Removing the ability of anonymous users to do things like post comments is one of the next steps.

There shouldn't be that many 777 directories any more. The main cache one, plus some modules require them (something I would like to see go away). Make sure there is a read-only index.html file in each of those directories that forces users attempting to directory browse back to the page they came from.

A hosting service that runs an apache instance for each hosted site, with it's own user id. Most don't do this, instead all the hosted sites run under one instance of apache that use one user id -- meaning any chmod 777 directory can be written by somebody else's site.

Be careful of add-on modules.

Watch your logs.

Anybody setup tripwire for a XOOPS install? That's one of the things I'm looking at.

Thanks Kevin,

I have no anonymous submission of news, articles, forum posts, downloads, comments or anything else. Im looking at closed user registration but wondering if it will be too offputting for users.

The permissions I have are:

uploads/ - 777
cache/ - 777
templates_c/ - 777
mainfile.php - 644

Are these optimal ? Also in cache/ I have 2 files, adminmenu.php and antidos_access_log both set to 644. Is cache regularly flushed out ? These 2 files dont sound like they should be there. There is no index.html in there either.

I use wf-sections 1.01, the bugfixed version by JackJ into which I have incorporated fixes by Ken Ohwada (xf-sections) also. I've heard that wf-sections has some security vulnerabilities - do you have any knowledge of that ?

In wf-sections I have the following permissions:

wfsection/cache/uploaded/ - 777
wfsection/cache/uploaded/temp/ - 777
wfsection/images/article/ - 766
wfsection/images/category/ - 766
wfsection/html/ - 777

Do you have any suggestions regarding these ?

As regards modules, I use 3 addons

1) Anti-Dos 1.1
1) Random Quote 1.0.1
3) IPB 1.4 (Invision Power Board) by Koudanshi. I know this is unpopular with many because it overwrites some part of XOOPs core from what I understand, but IPB is simply vital to my site. I would love to use newbb but unfortunately it just doesnt yet have anywhere near the functionality my site needs. One problem with the current version of IPB (not just the plugin) is that conf_global.php must be set to writable if you want to update the admin section, then set back when you finish, leaving it open all that time! The next release will address this by storing config data in the db, but this is a bad security hole at the moment.

IPB has 777 set on the uploads/ where there is some attachment sitting.

I appreciate any advice you have regarding these modules. I have other addon modules but they are deactivated/uninstall, I guess I should remove the directories completelely.

Oh finally, regarding hosting, I'm in a shared environment, my host is lunarpages who are pretty security concious but I'm certain they are going to be using a single apache instance...

Sorry for the rambling email. Thanks very much, looking forward to your feedback.

Amok

PS: Maybe someone knowledgable about XOOPS and security (perhaps yourself ?) could setup some dummy XOOPS sites and then invite trusted security folks to try to hack them, as a learning exercise.

In my opinion, if you are indeed wanting to use a CMs, XOOPS will be the most seure option. You can expect a few vulns regarding modules, but you would definitly be sure to check your sql server for injection vulns. This is the most common hacking way (along with XSS) on CMS. I usually do some auditing myself, but your sugestion of dummies is not bad, just be sure to pick the right people for the job.

I guess you already know this, but if you are into doing the audit yourself, nessus is the best of the best, of the best, but you can also check this kneet list http://www.insecure.org/tools.html.