i know all the *nukes are fairly insecure (depending on which version), and XOOPS has seemed pretty secure from what i've seen so far (but XOOPS doesn't have the same userbase as phpnuke, so less people to test the security)

anyways, i've noticed in the phpnuke community, they've been answering the many hacks by XSS, union, etc etc, by creating scripts that are included before the site loads, which kill any malicious code being sent, sometimes by spamming the user's computer with popups causing instability on his end (depending on the protector app) and banning his ip

here's a thread at nukecops about Sentinel, but some of the other applications get mentioned as well, i'm wondering if something similar would be useful in the XOOPS community, to help protect any hacks from developing in the future?

http://nukecops.com/postt29245.html&sid=922645aa4a2308efcc73db7840e4613c


btw, could one of the core programmers explain what XOOPS does to prevent malicious code? does it stop Union hacks, cross site scripting, etc, natively?

as far as i'm aware, altho i never looked into it too deeply.. the http referrer check is used to stop cross-site scripting..

on another security measure i've also upped the password length, so that users have to have a minimum of 8 characters in their passwords, and my admins have also been told to make sure their passwords are minimum of 14 characters both mixed numbers, uppercase and lowercase.

it really doesn't take too long to crack an 8 digit password when there's a team of you at it..

what gets me is the vast majority of hosts allow only a max of 8 characters for their servers, ie control panel and mysql.. i keep asking mine to up this limit to 16 but have had no success..

of course that will only stop crackers, it won't stop a real hacker..