PEAK XOOPS - Re: my session hijacked?

GIJOE (Posts: 4110) | Posted on 2006/5/10 16:30
Quote:
irmtfan wrote:
I don't know how... even I really don't believe it's a session hijacking... but someone posted with my username (webmaster) in my site forum:
www.jadoogaran.org

My uid=1.
I deleted the post and banned the poster's IP too.
hmmm...
You should clear the true reason up.
Is it really "session hijacking"?

Of course, there are too many XSS or Script Insertion vulnerable modules in XOOPS.

Almost all "HTML allowed" modules (== ready-to-use WYSIWYG editor modules) are vulnerable to Script Insertion.

Have you turned "Groups disallowed IP moving in a session" on for Administrators?
(in Protector's preferences)

If this is turned on, it is not so easy to hijack your session.


Quote:
GIJOE, I remember your post with Herko's username a long time ago to show the insecurity of XOOPS at that time.
Now the same problem is here.
That was the fatal vulnerability in the XOOPS core.
It was fixed in version 2.0.9.2.

Quote:
Using CBB 2.3 (do you think it is not secure?)
XOOPS 2.2.4
and Protector 2.56 (I've been using Protector since its birth)
autologin for 2.2.4 as well.
I don't know CBB well, sorry.
I know the 2.2.3 core has an XSS vulnerability in its WYSIWYG editor.
(I don't know whether it is fixed in 2.2.4 or not)

If you use modules vulnerable to XSS or Script Insertion, using autologin puts your site in much more danger.

First, turn autologin off.
And change the password of your account.

Votes:5 Average:10.00
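
An added example, not part of the original post and not Protector's own code: a PHP illustration of the kind of check a setting like "Groups disallowed IP moving in a session" implies, where a session belonging to a listed group is refused once it arrives from a different address than the one it logged in from. The function names, the session key, the group ID, the prefix-length parameter and the addresses are assumptions made for the illustration.

```php
<?php
// Added illustration, not Protector's code. Group ID, session key and
// addresses are constructed sample values.
const ADMIN_GROUP = 1; // assumed ID of the Administrators group

/** True when both addresses share the same leading $bits bits. */
function same_network(string $a, string $b, int $bits): bool
{
    $pa = @inet_pton($a);
    $pb = @inet_pton($b);
    if ($pa === false || $pb === false || strlen($pa) !== strlen($pb)) {
        return false; // unparsable or mixed IPv4/IPv6: treat as moved
    }
    $bits = max(0, min($bits, strlen($pa) * 8));
    $full = intdiv($bits, 8);
    if (substr($pa, 0, $full) !== substr($pb, 0, $full)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // compare the partial last byte
    return (ord($pa[$full]) & $mask) === (ord($pb[$full]) & $mask);
}

/** Record the address at login; locked groups must not move afterwards. */
function session_request_allowed(array &$session, string $remoteAddr,
    array $userGroups, array $lockedGroups, int $bits = 32): bool
{
    if (!isset($session['login_ip'])) {
        $session['login_ip'] = $remoteAddr; // bind the session at login
        return true;
    }
    if (!array_intersect($userGroups, $lockedGroups)) {
        return true; // this user's groups are not subject to the check
    }
    return same_network($session['login_ip'], $remoteAddr, $bits);
}

// Constructed scenario: an administrator logs in, keeps browsing, then the
// same session ID is presented from another network.
$session = [];
foreach (['192.0.2.10', '192.0.2.10', '203.0.113.77'] as $addr) {
    $ok = session_request_allowed($session, $addr, [ADMIN_GROUP], [ADMIN_GROUP]);
    echo $addr, ' => ', $ok ? 'continue' : 'destroy session, force re-login', "\n";
}
```

A check like this only refuses a session ID replayed from another network. Script inserted through a vulnerable module runs in the administrator's own browser, from the administrator's own address, and passes it.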
