xoops forums

CBMax
Just popping in
Posted on: 2005/1/21 6:44
Posts: 10
Since: 2004/12/28
#121

Re: XOOPS insecure? I think not!

Hm. This answers a lot of questions

danielh2o
Just popping in
Posted on: 2005/2/4 16:46
Posts: 47
Since: 2004/10/19
#122

Re: Xoops On Crack?

Any progress on XOOPS core v2.0.10? Can anyone tell...?

DonXoop
Posted on: 2005/2/4 18:39
Posts: 1171
Since: 2003/11/27
#123

Re: Xoops On Crack?

Can't tell from here.

Yogi Berra: "It ain't over till it's over"
Yogi Bear: "Let's go look for some pic-ci-nic baskets"

m0nty
XOOPS is my life!
Posted on: 2005/2/4 19:01
Posts: 3337
Since: 2003/10/24
#124

Re: Xoops On Crack?

lmao.. I guess you're having a day full of sarcasm today then, Don?

MorelyDotes
Just popping in
Posted on: 2005/2/8 20:30
Posts: 90
Since: 2005/1/13
#125

Re: XOOPS insecure? I think not!

Quote:

If XOOPS was a single, compiled, closed source, fully developed application, the vulnerability of the system could be completely controlled (but still not guaranteed!).


Sure, just like MS Windows, eh?

The huge advantage of open source is that *anyone* can look at it, and if they find a security problem, not only can they tell everyone else, the discoverer can *fix* it (or at least tell someone else who can fix it). And then the fix will be distributed to the rest of the community quickly.

No lobbying to get laws passed to prevent publication of security issues; no delaying patch distribution because admitting there's a problem might interfere with a Marketing campaign - just find it, fix it, and fling it out there.

So, all you 733t coders, if you know there's a problem, what have you done about fixing it? Producing Protector is great, but it is not the same as fixing the underlying problem. Herko isn't the only Core Team member; how have you contacted the rest of them? Or have you bothered?

m0nty
XOOPS is my life!
Posted on: 2005/2/8 21:37
Posts: 3337
Since: 2003/10/24
#126

Re: Xoops On Crack?

Of course they have bothered!! Why wouldn't they have?

What has been done? Well, the Protector module helps, and if you read the rest of the pages you'd know that Protector will be integrated into the core. Other things have been done: 2.0.7.3 included lots of security related fixes, and XOOPS 2.0.9.2 also improved more on security..

Underlying problem? Well, nothing is 100% secure; you fix 1 security issue and someone always finds another way to circumvent it.. Try downloading the source yourself, look at it, and if you spot any issues then report them in the proper manner (that's if you're capable and knowledgeable enough to do so). It's not an easy task to spot flaws.. and well, these last 2 weeks alone have seen more security issues related to Apache and other server software etc.. so nobody is perfect in their programming..

It's all right for you to say what is being done about it, and to be honest I don't know how you can actually say that nothing is being done about it or make a remark about whether the core team have bothered to do anything about it.. and btw nobody here calls themselves a 733t coder.

If you have some suggestions then suggest them. I'm sure the dev site and the SourceForge site will give you more info if you bother to read them before making your presumptions.

If a security issue wasn't known to the team then how the hell can they fix it? Security is high on the priority list and always has been.

JasonMR
Just can't stay away
Posted on: 2005/2/9 0:26
Posts: 655
Since: 2004/6/21
#127

XOOPS 2.0.10

Yeap, progress is being made on 2.0.10, as Onokazu announced yesterday on the sourceforge developers forum.

From his posting:
Quote:

I would also like to let you know that 2.0.10 is ready for beta testing, which should be released officially as final in a day or two. A new feature has been added to this release to enhance security. The feature is commonly known as one-time ticket/token system, main purpose of which is to prevent CSRF attacks but can also be used to prevent multiple form submissions.


So yes, members who received "little thank yous" from the community are trying to pay us back (not that they needed to, but that's just the type of guys they are).

Hope people find this informative.....
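What the quoted announcement calls a one-time ticket/token system, shown as an added example rather than the XOOPS 2.0.10 implementation: a random token is issued per form, remembered in the user's session, and spent on its first use. A cross-site page cannot read the victim's session, so it cannot supply the token (CSRF blocked), and a second submit of the same form carries a token that is already spent (double submission blocked). The session is a plain array passed by reference so the script runs from the CLI; the function names, the hidden-field name `form_token`, and the TTL and cap values are this example's own choices, not XOOPS names.

```php
<?php
// Added example, not XOOPS code: a one-time form token of the kind the
// 2.0.10 announcement describes. The store is the user's session; here it is
// a plain array passed by reference so the script runs without session_start().
// token_create/token_consume/token_field, the "form_token" field name, and the
// TTL and cap values are assumptions made for this example.

const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)
const TOKEN_CAP = 20;  // max unspent tokens kept per session (assumed value)

/** Issue a token bound to $action, remember it server-side, return it for the form. */
function token_create(array &$session, string $action, ?int $now = null): string
{
    $now   = $now ?? time();
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG: unguessable
    $session['tokens'][] = ['token' => $token, 'action' => $action, 'expires' => $now + TOKEN_TTL];
    // Opening many forms must not grow the session without bound: drop the oldest.
    while (count($session['tokens']) > TOKEN_CAP) {
        array_shift($session['tokens']);
    }
    return $token;
}

/** Validate and spend a submitted token: accepted at most once, rejected on every other path. */
function token_consume(array &$session, string $action, ?string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    if ($submitted === null || $submitted === '') {
        return false; // a cross-site form cannot read the session, so it omits the token
    }
    foreach ($session['tokens'] as $i => $entry) {
        if (!hash_equals($entry['token'], $submitted)) {
            continue; // constant-time compare: a mismatch leaks nothing about stored tokens
        }
        unset($session['tokens'][$i]); // spend it first, whatever the checks below decide
        $session['tokens'] = array_values($session['tokens']);
        if ($now > $entry['expires']) {
            return false; // stale form: the user has to reload it
        }
        return $entry['action'] === $action; // a token issued for one form is not valid for another
    }
    return false; // unknown token: already spent, forged, or issued to another session
}

/** Hidden field a form template would emit; escaped like any other output value. */
function token_field(string $token): string
{
    return '<input type="hidden" name="form_token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// --- Constructed walk-through standing in for a real browser session ---
$session = ['tokens' => []];

$t = token_create($session, 'post_reply');
echo token_field($t), "\n";
var_dump(token_consume($session, 'post_reply', $t));         // genuine first submit
var_dump(token_consume($session, 'post_reply', $t));         // same token submitted again (double submit / replay)
var_dump(token_consume($session, 'post_reply', 'deadbeef')); // attacker guessing a token
var_dump(token_consume($session, 'post_reply', null));       // cross-site form with no token at all

$t2 = token_create($session, 'delete_post');
var_dump(token_consume($session, 'edit_profile', $t2));      // token issued for a different form

$t3 = token_create($session, 'post_reply', 1000);
var_dump(token_consume($session, 'post_reply', $t3, 1000 + TOKEN_TTL + 1)); // token past its TTL
```

Of the six `token_consume` calls only the first succeeds; every replay, guess, omission, cross-form use and expired token is refused. Two points matter when wiring this into a real form handler: the token must travel in the form body (or a request header), never in a cookie, because the browser attaches cookies to cross-site requests automatically and the check would then pass for the attacker; and every state-changing request needs the check, including "delete" style links that are reached by GET, which is the case CSRF pages exploit most easily.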

Marco
Home away from home
Posted on: 2005/2/9 19:58
Posts: 1256
Since: 2004/3/15
#128

Re: XOOPS 2.0.10

The PHP Security Consortium is born.
----> You will find their first publication, The PHP Security Guide (free download).
Perhaps a way to increase our security knowledge?
http://phpsec.org/
Just my 2 cents...
bye
marco

ackbarr
Posted on: 2005/2/9 20:18
Posts: 1449
Since: 2002/10/2
#129

Re: XOOPS 2.0.10

I read this last week, and found it to be a very good primer on 'thinking secure' in development.

DonXoop
Posted on: 2005/2/9 21:46
Posts: 1171
Since: 2003/11/27
#130

Re: XOOPS 2.0.10

Don't forget to push module developers to think secure too. 3rd party mods are the weakest links.

So Protector is making it into the core. Hopefully with more docs and much easier maintenance. For example, if you enable it without thinking you just might end up with hundreds of pages of "violations" that might actually be your own users doing normal things. It's tedious trying to filter the real violations from normal ones and then trying to delete the logs. Enable a mod like chat and you'll instantly get violations. And those violations all appear as anonymous even with the users logged in. Disabling the Protector block for registered users doesn't help; I guess it is the mainfile.php pre/postcheck lines.

good luck folks.