Posted on: 2004/12/31 10:59
XOOPS insecure? I think not!
Herko Coomans wrote
(...) that XOOPS has been quite secure (as opposed to PHP Nuke, for which the Sentinel module is written).
I've just found your article.
And I've been disappointed in you as a member of the core team.
Obviously, XOOPS is not secure.
Sigh... Sorry to have disappointed you, GIJOE, but it's bound to happen again.
First of all, if you read my post carefully, you wouldn't be as disappointed, as I said that XOOPS is quite secure, especially when compared to PHPNuke. So next time you feel like making your point via a personal punch below the belt, please read more carefully.
Secondly, XOOPS is as secure as it gets. Nothing more, nothing less. Of course there are vulnerabilities, and [b]there always will be[/b]. This is simply inherent to open source development.
If XOOPS were a single, compiled, closed source, fully developed application, the vulnerability of the system could be completely controlled (but still not guaranteed!).
But XOOPS is the opposite of that: it's modular (therefore containing lots and lots of 3rd-party code), written in an interpreted language (therefore highly dependent on the security of the parser, server, technical environment, etc.), community driven open source (therefore highly dependent on the feedback and input from the community, as well as the skill levels and resources of that community), a development project (therefore continually in motion; new bugs are introduced when others are fixed). Moreover, the cracking industry that we should fight against is continuously developing new and improved ways to test the security of our system.
In this dynamic arena, the XOOPS Core Team and the whole of the XOOPS community is continually striving to improve the security of the system. And so far, it's holding out rather well, as reports of hacked XOOPS sites are scarce, even though there are still some vulnerabilities present.
And frankly, I don't really understand why you want to inspire fear in the community with all that in mind. Of course XOOPS is unsafe to use; any system you use, proprietary, free, open or closed, is unsafe. Do you know how much the Pentagon has invested and is still paying to prevent vulnerabilities? They want safe and secure for their smartbombs and intelligence systems. Or look at M$ Windows. Riddled with holes and bugs! Still, many, many people develop for that, and even more people use that, not because they are forced to, but because they like how it works.
Although the critical one is patched in 22.214.171.124, many vulnerabilities stay there in the core and standard modules.
Moreover, we have alerted Herko, again and again...
If you know of vulnerabilities in the core and core modules, please report them on the bugtrackers. You know that is standard procedure. And we rely on people like you to help us find and correct them.
Don't get me wrong here, I strongly dislike your tactics here, but greatly admire and appreciate the work you're doing. In fact, I said in the QA Team thread on these forums that I think we should have a few security experts like you on that team, to watch for vulnerabilities and help everyone prevent and fight them. Will you take up that challenge?
As for you alerting me, I have no idea what you're talking about there. I haven't received any e-mail or PM from you regarding any security hole recently. Nor did we (the XOOPS Core Team) get any request from you to make the Protector module a core feature (an idea which I am not excluding). So don't come here saying you warned me again and again when you have not. Don't start spreading lies about me, because then you will have to face me for real. That is not a threat, it is me being angry.
And have you tried "Protector" even once?
Anyone can see that Protector is not just an AntiDoS module at all.
I have never had the need for the module. And in the thread you are referring to, I only referred to AntiDoS, and never explicitly excluded the Protector module. So why bring this up like that? Do you feel I did you an injustice by not mentioning your module? Perhaps it is better; I never said it wasn't. Why do I need to try every module myself? I just don't understand this.
I shall say again, Protector is a MUST module if you don't want to be cracked.
That is your (expert?) opinion. And I value that. So next time people ask about security, I'll recommend the Protector module. But I'll not say it's a MUST-have module, as I do not believe XOOPS is more insecure than the rest out there.