Hi a friend of mine made comment that my site may have security holes
and suggested I read up about google XSS hole.

It makes for interesting reading.

I just thought I would ask XOOPS Experts, do you think the XOOPS CMS is at risk.

Or what measures should I take to protect my site and my users?

Your help is much appreciated.

Thank you.

This is a good guide to making your site more secure

Thank you for this link, I have read and I think most of that is already done on my site,

I moved data and lib to home directory as apposed to temp folder, and manfile is 444,

this is what XOOPS system overview says



* XOOPS Version: XOOPS 2.3.3
* PHP Version: 5.2.9
* MySQL Version: 5.0.67-community
* Server API Version: cgi-fcgi
* OS Version: Linux
* safe_mode: Off
* register_globals: Off
* magic_quotes_gpc: On
* allow_url_fopen: Off
* fsockopen: On
* allow_call_time_pass_reference: On
* post_max_size: 130M
* max_input_time: 60
* output_buffering:
* max_execution_time: 60
* memory_limit: 64M
* file_uploads: On
* upload_max_filesize: 130M

Does this mean I am now protected against Cross-site scripting (XSS)?


In Protector it says

'XOOPS_TRUST_PATH' :
Check php files inside TRUST_PATH are private (it must be 404,403 or 500 error
If you can look an image -NG- or the link returns normal page, your XOOPS_TRUST_PATH is not placed properly. The best place for XOOPS_TRUST_PATH is outside of DocumentRoot. If you cannot do that, you have to put .htaccess (DENY FROM ALL) just under XOOPS_TRUST_PATH as the second best way.

'register_globals' : off ok

'allow_url_fopen' : off ok

'session.use_trans_sid' : off ok

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager

'mainfile.php' : missing precheck Not secure
You should edit your mainfile.php like written in README.

---------------------------

Obviously I am a noob with this,

I am afraid to change the XOOPS database prefix as the site is already running.
I can't find XOOPS trust path.

Quote:I think you missed the point for the trust path. It is meant to be outside the web root.

The XOOPS_TRUST_PATH is defined in your mainfile.php (as alias to xoops_lib) and should also result to outside the web root.

Quote:This has to be set for allowing Protector to operate. Last part of mainfile.php should look like this:

Check if Protector runs ok by the 2 links in the Protect center (admin protector). It should make entries in the log of Protector.

Protector offers a function to rename all tables in the database with a prefix. (Always backup before doing such major database operations!)

The risk of XSS is not a question of the XOOPS core alone, also modules may be vulnerable. There is no 100% fail safe. Checking regulary for security alerts or module updates on XOOPS.org, together with Protector and the correct install of your site will prevent a lot of problems.
Also regular analysis of access logs from Apache is a must.

hi, and thank you for taking all this time to support me, it is much appreciated.

I meant to say I have moved lib and data out of public_html and into my home directory below www / public access.

I will follow your other instructions, and report back if I have any issues.

I am still not confident in playing with database prefixes, but the rest should be fine.

Ok patched Manfile, with success,


'XOOPS_TRUST_PATH' :
Check php files inside TRUST_PATH are private (it must be 404,403 or 500 error
If you can look an image -NG- or the link returns normal page, your XOOPS_TRUST_PATH is not placed properly. The best place for XOOPS_TRUST_PATH is outside of DocumentRoot. If you cannot do that, you have to put .htaccess (DENY FROM ALL) just under XOOPS_TRUST_PATH as the second best way.

When using the inbuilt link i get 404 which is good.

'register_globals' : off ok

'allow_url_fopen' : off ok

'session.use_trans_sid' : off ok

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager

'mainfile.php' : patched ok


From by view point that's all but database sorted.
and I don't understand enough about what it is saying to play with the database,

what happens when I change the database prefix, does it change the existing ones for me?

are they updated manually through php admin?

AFAIK (never tried myself), Protector will make a copy of all the tables in your database with a new prefix. Then you can adapt mainfile.php to use this second set of tables. After that and when everything works ok, you can delete the original set of tables (with the XOOPS prefix).

Quote:.
I did it couple of times, and didn't have any problems.