21
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 19:40

  • Anonymous

  • Posts: 0

  • Since:


Quote:
John_N wrote:

And I suggest you could start to conduct yourself in a polite professional business like manner while talking to people in this forum or any other one for that matter.


I suspect that xguide's unfortunate tone is a language issue for which we should make allowances.

Doesn't explain his inability to read and understand, though. How many times had he been told that "Core" is a module unrelated to the basic XOOPS system.

Some people could start an argument in an empty room

22
davidl2
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 19:53

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


To re-explain ...

"core" is a module which was written for Xoops.org - and was a re-written version of wf-downloads.

It is NOT a part of the XOOPS Core.

23
Herko
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 20:51

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


And to add to this storm in a glass of water: the Core (wf-downloads), Repository (Wf-downloads and Library (wf-downloads) modules listed haven't been released as such to the public. They're just wf-downloads clones, renamed to be used in conjuntion to eachother here on xoops.org. They have been patched, and John_N is taking care of the wf-downloads modules. So, someone please contact the securityfocus people and inform them that these cases can be closed?

Herko

24
JMorris
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 20:59

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


I know it has already been said, but I feel it is important to give first hand account being the person that read every line of the server logs during the attacks on this site...

The XOOPS Core Code was NOT hacked. The module, "core" which is a modified version of WF-Downloads, was.

Again, I have reviewed the protector logs, the system logs and the apache logs, and without exception, the modified versions of the WF-Downloads modules was the ONLY target in the attacks.

As stated previously, these modules have already been patched on this site as well as further security enhancements implemented at the server level.
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

25
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/7 21:43

  • Anonymous

  • Posts: 0

  • Since:


Quote:
Herko Coomans wrote:

So, someone please contact the securityfocus people and inform them that these cases can be closed?


On behalf of everyone who's contributed to this thread, I respectfully nominate xguide to do this for us

26
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 8:25

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Because of stupid comments of ignorant Mr. JAVesey, vaughan, John_N (wish you good luck with your zarilla project).


I resume constructive comments to XOOPS users :

"As several posters have said, keeping core and modules up-to-date is one of the best things people can do"
davidl2, Forum Moderator


"Apache has mod_security, XOOPS has Protector,
Windows has security add-ons, Linux has security add-ons."
skenow

Remember to install module Protector from Mr. Gijoe site
http://xoops.peak.ne.jp/

Xoops need an extra module to be less vulnerable. It is not part of core. Actual XOOPS core do not provide that minimum security.

10 days ago connection from same IP with last 3 users accounts, moderators and admins last login.
10 days ago connection from 3 different IP, Austria, Germany and Switzerland with switch 6 users accounts.

Do not keep important users data on your XOOPS site.


I repeat my first post:

Programmers are busy with code and moderators with support.
Users can visit frequently the security site:

here

Users can report to developers security problems.
It is easy way to contribute.


After audit code and I do polite comment to moderators and developers about lack of authentication layer. I am moving sites from XOOPS 2.0.16, 2.2, XOOPS Cube joomla and drupal. Because these project developers are coding new core and it is not secure for business professional.

I have no obligation to contribute and I do polite comment.
But you reply with stupid comments. Ask Mr. Herko Formerly XOOPS.org project manager to achieve administrative task.

Good Luck.

27
irmtfan
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 8:52

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


xguide, your posts here are totally against XOOPSiquette do you think its a polit manner and dont hurt anyone?

people can make a decision and should care about the security of modules they use and if it make sense and there is a definition for "minimum security" IMHO XOOPS core 2.0.16 has maximum security but this is just for ITSELF.
it is not the XOOPS core task to worry about some bad codes in some few very old modules.it is a task for Protector module.
do you think the XOOPS 2.0.16 core itself has any Vulnerabilities?so send it or calm down.

28
xguide
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 9:05

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


You read my first post and you tell me it is totally against XOOPSiquette? But you do not moderate people who do stupid comments after?
Because of stupid comments programmers do not contribute and XOOPS users are stuck because XOOPS do not have competent developers. I do polite comment to moderators and developers about kernel, token, session, and show 10 days ago user data vulnerability without good scan authentication. Again I do not have any other obligation. It was my free contribution.

Good Luck.

29
Anonymous
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 9:32

  • Anonymous

  • Posts: 0

  • Since:


Quote:
xguide wrote:

..............xoops users are stuck because XOOPS do not have competent developers.


I suspect that this comment will lose you what sympathy you had.

If you believe that XOOPS 2.0.16, as available for download, is in itself insecure then please advice exactly where. As Vaughan says, "put up or shut up".

It is completely wrong of you to associate XOOPS developers with module developers; anyone could write a module for XOOPS and many do - how are the XOOPS developers supposed to control this given the open source nature of the software?

The answer is, of course, that they can't control the modules, which is why you are correct to direct users to the Protector 3 module available on GIJoe's site to givce some protection for these third party modules.

This is my last word on the subject as I've come to the opinion that you are, in internet terms, a troll.

30
vaughan
Re: Xoops and Modules Vulnerabilities
  • 2007/4/8 10:20

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

10 days ago connection from same IP with last 3 users accounts, moderators and admins last login.
10 days ago connection from 3 different IP, Austria, Germany and Switzerland with switch 6 users accounts.


yes and well you proved 1 thing there.. it wasn't you, it was someone else!!

Login

Who's Online

87 user(s) are online (61 user(s) are browsing Support Forums)


Members: 0


Guests: 87


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits