xoops forums

coopersita

Quite a regular
Posted on: 2004/12/16 2:07
coopersita
coopersita (Show more)
Quite a regular
Posts: 204
Since: 2004/10/25
#1

Protector installation

I installed Protector, but I can't add the extra code.

If I install the extra code in mainfile.php I get the following errors:
Warningmysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/club/public_html/modules/protector/include/precheck.inc.php on line 14

Warning
mysql_query(): supplied argument is not a valid MySQL-Link resource in /home/club/public_html/modules/protector/include/precheck.inc.php on line 15

Warning
mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/club/public_html/modules/protector/include/precheck.inc.php on line 16

Fatal error
getdatabaseconnection(): Failed opening required '/home/club/public_html/class/database/XOOPS_DB_TYPEdatabase.php' (include_path='.:/usr/lib/php:/usr/local/lib/php'in /home/club/public_html/class/database/databasefactory.php on line 24
Warning 
[PHP]: getdatabaseconnection(/home/club/public_html/class/database/XOOPS_DB_TYPEdatabase.php): failed to open streamNo such file or directory in file class/database/databasefactory.php line 24

coopersita

Quite a regular
Posted on: 2004/12/16 15:52
coopersita
coopersita (Show more)
Quite a regular
Posts: 204
Since: 2004/10/25
#2

Re: Protector installation

Has anyone installed protector?

What do you think of it? Is it worth it?

m0nty

XOOPS is my life!
Posted on: 2004/12/16 16:51
m0nty
m0nty (Show more)
XOOPS is my life!
Posts: 3337
Since: 2003/10/24
#3

Re: Protector installation

u probably have not entered the modification in mainfile.php properly..

find in mainfile.php around line 94:

if (!isset($xoopsOption['nocommon'])) {
        include 
XOOPS_ROOT_PATH."/include/common.php";
    }
}


add this just above:

include( XOOPS_ROOT_PATH '/modules/protector/include/precheck.inc.php');


so it should now look like this:

define('XOOPS_GROUP_ANONYMOUS''3');
    
    include( 
XOOPS_ROOT_PATH '/modules/protector/include/precheck.inc.php');

    if (!isset(
$xoopsOption['nocommon'])) {
        include 
XOOPS_ROOT_PATH."/include/common.php";
    }
}
?>


it's a nice module in my opinion, and if you're concerned about security then this module should put your mind at rest regarding some sense of security, it won't protect you completely from all attacks but it certainly helps prevent the wannabes & script kiddies from messin.. remember nothing is 100% secure, but you can at least make it harder for them to get in..

coopersita

Quite a regular
Posted on: 2004/12/16 19:21
coopersita
coopersita (Show more)
Quite a regular
Posts: 204
Since: 2004/10/25
#4

Re: Protector installation

Thanks that was my problem.

The only thing I don't get now, though, is how to fix the rest of the security advisory warnings:

'register_globals' on   Not secure
    This setting invites a variety of injection attacks
.

'allow_url_fopen' on   Not secure
    This setting allows attackers to execute arbitrary scripts on remote servers
.

'XOOPS_DB_PREFIX' XOOPS   Not secure
    This setting invites 
'SQL Injections'.
    
Don't forget turning 'Force sanitizing *' on in this module's preferences.



Where do you change register_globals and allow_url_fopen? I know there's not much I can do about the XOOPS prefix. Too late now to fix that... (I did turn on force sanitizing).

Just to make sure I'm using it right. Do I have to enable XOOPS Protector Module Access rights and Protector for all groups (webmaster, registered and anonymous)? That's what I understood from the documentation, but I'm not sure...

GIJOE

Quite a regular
Posted on: 2004/12/29 5:34
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#5

Re: Protector installation

It's easy to turn register_globals off if you use a good server.

.htaccess
php_flag  register_globals off


But many severs can't turn allow_url_fopen off via .htaccess.

If you use your own server, edit php.ini and restart httpd.

Changing XOOPS_PREFIX is possble but not so easy after installed.

Next protector might have the feature.

And I say,

"Protector is the MUST module for all XOOPS even the recent 2.0.9"

Herko

XOOPS is my life!
Posted on: 2004/12/29 8:13
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#6

Re: Protector installation

Why is using the prefix 'xoops' a vulnerability??

Herko

GIJOE

Quite a regular
Posted on: 2004/12/29 9:46
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#7

Re: Protector installation

Quote:

Herko Coomans wrote:
Why is using the prefix 'xoops' a vulnerability??

A curious question.

Do you know the pattern of "SQL Injection" ?

Since there are too many modules which has vulnerability of SQL Injection, attacker can easily get hashed password via some weak modules like this:
http://[XOOPS-SITE]/modules/(weak_module)/?op=view&id=1%20UNION%20SELECT...FROM%20xoops_users%20...

If XOOPS_PREFIX is not 'xoops', such attacks are hard to success.

In fact, Protector have caught SQL injection patterns.
eg)
-1 UNION SELECT user_id, username, user_password FROM nuke_users/*

This is a common sense in http://www.xoopscube.jp/
ORETEKI XOOPS -the most secure fork- generates XOOPS_PREFIX at random in installing.

GIJOE

Quite a regular
Posted on: 2004/12/31 10:11
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#8

Re: Protector installation

Herko.

I've answered to your strange question.
Why do you say nothing?

Herko

XOOPS is my life!
Posted on: 2004/12/31 11:09
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#9

Re: Protector installation

Sheesh... calm down man. I missed the post (yes, I admit, I am human too!). While on that subject, being human, I don't knnow everything about everything (yet?). Thus, I tend to ask questions (gasp!). And learn. That's what I did. I am not a programmer, nor am I a PHP expert, nor a security expert. And rest assured, I do not code for XOOPS. So I don't put insecure code in XOOPS.

But did I get it right in understanding that there is a XOOPS fork with security fixes??????????? Why on earth would you NOT send those to the xoops.org project and keep them to yourselves????? I do not understand. I work hard to make XOOPS better (and that includes safer), yet you have a fork with security fixes? Why would you not want to share that with the XOOPS community, and only tell me of this like you are doing now, offhand?

A confuzzled Herko

GIJOE

Quite a regular
Posted on: 2004/12/31 19:51
GIJOE
GIJOE (Show more)
Quite a regular
Posts: 265
Since: 2003/8/13
#10

Re: Protector installation

Herko.

I shall say "calm down" especially to you.
Why is there too many '?'

ORETEKI XOOPS is not by me.
It's Marijuana's work.

And I do nothing with the work.
That's because it's just a Japanese version.
I'm not interested with non-international projects.

But the codes are very good and secure.
It's a fact.

And JM2 have told you with the vulnerablity in 2004's summer.
If the information is not shared, the reason is your disregarding.

We've alerted to you that it's too danger codes like:
foreach( $_POST as $k => $v ) {
    ${
$k} = $v ;
}

or
extract$_POST ) ;