We're evaluating CMS software for a new community site. I would prefer not to use PHPNuke given past experience, but am not familiar with XOOPS. Is everyone happy with the present security status? Any outstanding issues we need to know about before committing?

Xoops is probably the securest CMS around. XOOPS dev team treats security very seriously, you won't go wrong with xoops.

But don't just take our words for it (as we, XOOPS users, are likely be biased, right? ), do a google search on "xoops security", you would get an idea on xoops.

Xoops itself is pretty secure more so than a lot of other CMS

i've tried many methods of hacking my XOOPS system but not succeeded.. on a basic install that is!! if you have many modules installed, there maybe ways of hacking a module if the module isn't written securely and may have a vulnerability in the module as does happen from time to time, but these are usually addressed and fixed quickly by the developers..

server hacks seem to be a lot easier to hack than XOOPS is, and thus the many sites that do get hacked that use XOOPS are from the server being hacked due to misconfigured settings or lack of updating by the server company etc.. this goes generally to a lot of CMS too.

there are lots of ways of hacking, and most are due to misconfigurations etc and not keeping up to date with fixes and updating of the software(s) nothing is 100% secure, but there are ways of making it harder for them. at least the script kiddies anyway.. a real hacker will take his time and probably succeed as he won't be using software written by other people, he'll use his own skills. but thats another story..

In my opinion XOOPS is pretty secure at keeping the kiddies away as long as you configure the directory permissions correctly..

Thanks guys. We'll probably end up going with xoops, appreciate your taking the time to answer our question.

monty, thats some GREAT ADVICE....im now about to go check EVERY directory permission on my server...

eq

OK, I am about to go public with my site, but before I do, I want it as secure as possible. This permission issue...

Ok there is

Owner, Groups and Others
Read, Write, Execute


What do I do for the highest amoutn of security...i.e.

Do I only allow READ for Others and Groups....keep all three open for OWNER?

if someone is knowledgable on this subject I would appreciate a little help.

Also, any other security do's or don'ts

thanx

eq

The webserver user needs read access to all parts of the XOOPS installation as well as write access to three root folders:
cache
templates_c
uploads

I'm not so sure what would happen if you denied everything for all users except the website user (which is *sometimes* the file owner, but not always) - try it out with the most restrictive permissions and if it works, then great - if not, try some lighter permissions until it works.