Quote:
irmtfan wrote:
I don't know how... even I really don't believe it's a session hijacking... but someone posted with my username (webmaster) in my site's forum:
www.jadoogaran.org
my uid=1
I deleted the post and banned the poster's IP too.
hmmm...
You should clear up the true reason.
Is it really "session hijacking"?
Of course, there are too many XSS- or Script-Insertion-vulnerable modules in XOOPS.
Almost all "HTML allowed" modules (== ready-to-use WYSIWYG editor modules) are vulnerable to Script Insertion.
Have you turned "Groups disallowed IP moving in a session" on for Administrators?
(in Protector's preferences)
If this is turned on, it is not so easy to hijack your session.
Quote:
GIjoe, I remember your post with Herko's username a long time ago to show the insecurity of XOOPS at that time.
Now the same problem is here.
That was the fatal vulnerability in the XOOPS core.
In version 2.0.9.2, they were fixed.
Quote:
using CBB 2.3 (do you think it is not secure?)
XOOPS 2.2.4
and Protector 2.56 (I'm using Protector from the time it was born)
autologin for 2.2.4 as well.
I don't know CBB well, sorry.
I know the 2.2.3 core has an XSS vulnerability in its WYSIWYG Editor.
(I don't know whether it is fixed in 2.2.4 or not.)
If you use XSS- or Script-Insertion-vulnerable modules, using autologin makes your site much more dangerous.
At first, turn autologin off.
And change the password of your account.
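The "disallow IP moving in a session" idea discussed above, as an added example that is not Protector's or XOOPS' own code: a PHP guard that pins an administrator's session to the IP seen on its first privileged request and tears the session down if the IP changes. The group id, the `$userGroups` source and the redirect target are assumptions.

```php
<?php
// Added example, not Protector's code: bind privileged sessions to the
// client IP, in the spirit of "Groups disallowed IP moving in a session".
declare(strict_types=1);

const IP_LOCKED_GROUPS = [1]; // assumption: group id 1 = Administrators

/**
 * Returns true if the request may proceed, false if the session was destroyed
 * because the client IP moved mid-session (possible stolen session cookie).
 * $userGroups: group ids of the logged-in user (e.g. from the user object).
 */
function enforce_session_ip(array $userGroups, string $remoteAddr): bool
{
    if (!array_intersect($userGroups, IP_LOCKED_GROUPS)) {
        return true; // ordinary members may roam (mobile networks, proxies)
    }
    if (!isset($_SESSION['bound_ip'])) {
        // First privileged request: rotate the id so a pre-login session id
        // cannot be reused (fixation), then record the IP we will insist on.
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $remoteAddr;
        return true;
    }
    if (hash_equals($_SESSION['bound_ip'], $remoteAddr)) {
        return true;
    }
    // IP changed inside one session: log it and invalidate everything,
    // including the session cookie, so the stolen id is worthless.
    error_log(sprintf('admin session ip moved %s -> %s; session destroyed',
        $_SESSION['bound_ip'], $remoteAddr));
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

// Usage in a page bootstrap (assumed variables and redirect target):
// session_start();
// if (!enforce_session_ip($userGroups, $_SERVER['REMOTE_ADDR'])) {
//     header('Location: /user.php'); // back to the login form
//     exit;
// }
```

Any persistent "autologin" cookie the site issues should be cleared in the same branch, since a session bound to an IP gains nothing if a stolen long-lived cookie can simply open a fresh one.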