xoops forums

leperkuan

Just popping in
Posted on: 2004/11/26 13:29
leperkuan
leperkuan (Show more)
Just popping in
Posts: 3
Since: 2004/11/26
#1

Xoops On Crack?

a few weeks ago i replaced my page with xoops, after a few days i login and goto admin menu and its blank... i went sourcing a few files and found "html/modules/system/admin.php?fct=modulesadmin'" and if i un-install then reinstall the modules they appear in my admin menu but then i lose all the info inside of the module, this has happened twice since i installed xoops, i have been able to find all my admin links to edit things but it shouldnt be so complicated. Possible hacker?? have had signs of hacking in the past example: 400 128-bit WEP keys in my apache error log...also as i have seen in another thread is Module Does Not Exist, i have 3 of these. How can i get rid of them? they dont neven show a image..for example, Frozen Bubble.. any help would be much apreciated, is there any way i can over write XOOPS without losing my current members.. is there a module like Sentinal for Xoops? if somebody wants to go into detail about it i can give screen shots and such, email me at leperkuan AT grandecom DOT net...


http://www.theppt.co.nr

Herko

XOOPS is my life!
Posted on: 2004/11/26 13:42
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#2

Re: Xoops On Crack?

No, there isn't a Sentinal-like module for XOOPS. There is an Anti-DOS module tho. One of the reasons there isn't a Sentinal module, is that XOOPS has been quite secure (as opposed to PHP Nuke, for which the Sentinal module is written).

As for your other questions, please use the search feature, they have been solved many times before

Happy hunting!

Herko

irmtfan

Module Developer
Posted on: 2004/11/26 14:04
irmtfan
irmtfan (Show more)
Module Developer
Posts: 3419
Since: 2003/12/7
#3

Re: Xoops On Crack?

xoops is secure enough but if you want something more i recommend this module ( no need for antidos module and more powerful ):
http://xoops-tips.com/modules/news/article.php?storyid=39

JasonMR

Just can't stay away
Posted on: 2004/11/26 14:08
JasonMR
JasonMR (Show more)
Just can't stay away
Posts: 655
Since: 2004/6/21
#4

Re: Xoops On Crack?

If you are worried about your security, goto

http://www.peak.ne.jp/xoops/modules/mydownloads/

Look for Xoops Protector 2.1, and read the instructions carefully.


Regarding those modules, I'm sure they work, you just need to make sure that the right folder has been uploaded into the correct location (the folder with the file xoops_version.php, always needs to be in the XOOPS_ROOT/modules/ folder), and that the folder and file permissions are correctly set (more about this via the search function, as pointed out by Herko).

Things don't just happen, they have a cause. To resolve problems, try and go through the last steps you had taken....

leperkuan

Just popping in
Posted on: 2004/11/26 15:18
leperkuan
leperkuan (Show more)
Just popping in
Posts: 3
Since: 2004/11/26
#5

Re: Xoops On Crack?

i have to clap, the response time is great. Big mistake on Disapearing admin menu, yep it's back. i was un-sure on the user rights for webmasters and i took away all my admin rights, luckily i have some knowledge and sourced out a Good Enough Menu to get the settings correct. (wipes sweat of forehead) i'm still having the missing modules i will search more but as for now i'm going to look into these security modules, Anti-Dos did not work for me. i may have installed it wrong considering it was the first module i installed. Thanks for your help everybody!

GIJOE

Quite a regular
Posted on: 2004/12/31 10:07
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#6

Re: Xoops On Crack?

Quote:

No, there isn't a Sentinal-like module for XOOPS. There is an Anti-DOS module tho. One of the reasons there isn't a Sentinal module, is that XOOPS has been quite secure (as opposed to PHP Nuke, for which the Sentinal module is written).

As for your other questions, please use the search feature, they have been solved many times before


Herko.

I've just found your article.
And I've been disappointed you as a member of core team.

Obviously, XOOPS is not secure.

Although the critical one is patched in 2.0.9.2, many vulnerablities stay there in core and standard modules.

Moreover, We alert Herko, again and again...

And have you tried "Protector" even once ?
Anyone can find Protector is not just a AntiDoS module at all.

I shall say again, Protector is a MUST module if you don't want to be cracked.

Herko

XOOPS is my life!
Posted on: 2004/12/31 10:59
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#7

XOOPS insecure? I think not!

Quote:

GIJOE wrote:
Quote:
Herko Coomans wrote
(...)that XOOPS has been quite secure (as opposed to PHP Nuke, for which the Sentinal module is written).


Herko.

I've just found your article.
And I've been disappointed you as a member of core team.

Obviously, XOOPS is not secure.

Sigh... Sorry to have disappointed you GIJOE, but it's bound to happen again.
First of all, if you read my post carefully, you wouldn't be as disappointed, as I said that XOOPS is quite secure, especially when compared to PHPNuke. So next time you feel like making your point via a personal punch below the belt, please read more carefully.

Secondly, XOOPS is as secure as it gets. Nothing more nothing less. Of course there are vulnerabilities, and [b]there always will be[/i]. This is simply inherent to open source development.
If XOOPS was a single, compiled, closed source, fully developed application, the vulnerability of the system could be completely controlled (but still not guaranteed!).
But XOOPS is the opposite of that: it's modular (therefore containing lots and lots of 3rd party codes), written in an interpreted language (therefore highly dependant on the security of the parser, server, technical environment, etc.), community driven open source (therefore highly dependant on the feedback and input from the community, as well as the skill levels and resources of that community), development project (therefore continually in motion, new bugs are introduced when others are fixed). Moreover, the cracking industry that we should fight against, is continuously developing new and improved ways to test the security of our system.
In this dynamic arena, the XOOPS Core Team ánd the whole of the XOOPS community is continually striving to improve the security of the system. And so far, it's holding out rather good, as reports of hacked XOOPS sites are scarce, even tho there are still some vulnerabilities present.

And frankly, I don't really understand why you want to inspire fear in the community with all that in mind. Of course XOOPS is unsafe to use, any system you use, proprietary, free, open or closed, is unsafe. Do you know how much the Pentagon has invested and is still paying to prevent vulnerabilities? They want safe and secure for their smartbombs and intelligence systems. Or look at M$ Windows. Riddled with holes and bugs! Still many many people develop for that, and even more people use that -not because they are forced to, but because they like how it works.

Quote:
GIJOE wrote:
Although the critical one is patched in 2.0.9.2, many vulnerablities stay there in core and standard modules.

Moreover, We alert Herko, again and again...

If you know of vulnerabilities in the core and core modules, please report them on the bugtrackers. You know that is standard procedure. And we rely on people like you to help us find and correct them.
Don't get me wrong here, I strongly dislike your tactics here, but greatly admire and appreciate the work you're doing. In fact, I said in the QA Team thread on these forums that I think we should have a few security experts like you on that team, to watch for vulnerabilities and help everyone prevent and fight them. Will you take up that challenge?

As for you alerting me, I have no idea what you're talking about there. I haven't recieved any e-mail or PM from you regarding any security hole recently. Nor did we (the XOOPS Core Team) get any request from you to make the Protector module a core feature (an idea which I am not excluding). So don't come here saying you warned me again and again when you have not. Don't start spreading lies about me, because then you will have to face me for real. That is not a threat, it is me being angry.

Quote:
GIJOE wrote:
And have you tried "Protector" even once ?
Anyone can find Protector is not just a AntiDoS module at all.
I have never had the need for the module. And in the thread you are referring to, I only referred to AntiDoS, and never explicitly excluded the Protector module. So why bring this up like that? Do you feel I did you unjustice by not mentioning your module? Perhaps it is better, I never said it wasn't. Why do I need to try every module myself? I just don't understand this.

Quote:
GIJOE wrote:
I shall say again, Protector is a MUST module if you don't want to be cracked.

That is your (expert?) opinion. And I value that. So next time people ask about security, I'll recomment the protector module. But I'll not say it's a MUST have module, as I do not believe XOOPS is more insecure then the rest out there.

Herko

Herko

XOOPS is my life!
Posted on: 2004/12/31 19:18
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#8

Re: XOOPS insecure? I think not!

Herko.

The proof of the pudding is in the eating.
I'm too busy to teach "What is the security" to short skilled programmer.

My Name is GIJOE.

Do you still insist this site is secure?

If Protector is installed correctly, I can't crack regardless of the version of XOOPS.

Set your mind at ease.
I do nothing but writing this artile.
After post, I'll logout immediately.

Anonymous

Posted on: 2004/12/31 19:36
Anonymous
Anonymous (Show more)
Posts: 0
Since:
#9

Re: XOOPS insecure? I think not!

@ GIJOE

Awesome demostration!!

But Scary.

rowdie

Just can't stay away
Posted on: 2004/12/31 19:38
rowdie
rowdie (Show more)
Just can't stay away
Posts: 846
Since: 2004/7/21
#10

Re: XOOPS insecure? I think not!

@GIJOE
Did you even stop to read Herko's posts before acting like a power-hungry kid?

He said...
1. he's not a programmer
2. XOOPS is as secure as they can make it, not that it was foolproof
3. that he'd appreciate any help you can give

If you have the time to show off your cracking skills and lack of ethics then you also have the time to write a quick email to XOOPS core developers outlining any security risks.


GIJOE, you are unbelievable - and I don't mean that in a positive sense.

Geeeez