PEAK XOOPS - Security scanner for modules?

Security scanner for modules?

Posted on 2004/9/23 8:01
frankblack   Posts: 8
Do you think that it is possible to write a module for scanning Xoops modules in order to detect security leaks?

I am not very skilled in writing Xoops modules, so I am not aware of all the possible traps.

Perhaps this idea is interesting for those responsible for Xoops's security?
Votes:3 Average:6.67
Posted on 2004/9/23 18:26
GIJOE   Posts: 4110
Hi frankblack.

It is not easy to find security holes in some modules automatically, I think.

For example, although we know that the vulnerability of SQL Injection is caused by forgetting to sanitize requests, we can't easily make a pattern for the forgotten sanitizing in the PHP code.

On the other hand, protecting against SQL Injection is not so difficult, because it is enough to check all requests before parsing common.php.

Thus, I recommend "Xoops Protector" to all XOOPSers with confidence.
Votes:0 Average:0.00
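
The kind of entry-point check described in the post above ("check all requests before parsing common.php"), as an added example: this is not code from the thread and not Xoops Protector's own code. The key names, patterns and function name are assumptions chosen for illustration.

```php
<?php
// Added example: a coarse request pre-check meant to run before the CMS
// bootstrap (before common.php is parsed). All names here are hypothetical.

// Request keys this hypothetical site always treats as integers (assumption).
const INT_KEYS = ['id', 'uid', 'cid', 'storyid', 'topic_id'];

// Constructed patterns for input that rarely belongs in ordinary form data.
const SUSPECT = [
    'sql_comment'  => '~/\*|--\s~',
    'union_select' => '~\bunion\b.{0,40}\bselect\b~is',
    'null_byte'    => '~\x00~',
];

/** Walk one request array: force integer keys to integers, collect findings. */
function precheck(array &$input, string $source, array &$findings, string $path = ''): void
{
    foreach ($input as $key => &$value) {
        $name = $path === '' ? (string)$key : $path . '[' . $key . ']';
        if (is_array($value)) {                 // nested input such as f[x]=...
            precheck($value, $source, $findings, $name);
            continue;
        }
        $value = (string)$value;
        if (in_array((string)$key, INT_KEYS, true) && !ctype_digit($value)) {
            $findings[] = "$source:$name is not an integer, forced to " . (int)$value;
            $value = (string)(int)$value;       // modules now only ever see digits
            continue;
        }
        foreach (SUSPECT as $label => $regex) {
            if (preg_match($regex, $value)) {
                $findings[] = "$source:$name matched $label";
            }
        }
    }
    unset($value);                              // drop the foreach reference
}

// Constructed sample request; a deployment would pass $_GET, $_POST and $_COOKIE.
$get = ['id' => '5 UNION SELECT 1', 'q' => 'hello', 'f' => ['x' => 'a/*b']];
$findings = [];
precheck($get, 'GET', $findings);

if ($findings) {
    error_log('request pre-check: ' . implode('; ', $findings));
    // A stricter policy would answer with HTTP 400 here instead of continuing.
}
```

Because the check runs once at the entry point, it covers every module without knowing which of them forgot to sanitize; queries inside modules should still cast or escape their own parameters.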
Posted on 2004/9/23 20:40
frankblack   Posts: 8
Perhaps you will find this script interesting.

It is only for phpNuke, but it seems to analyze various things. But on the other hand it is not very clever to publish a publicly available script which shows security leaks in a CMS.

I know that you are aware of security things regarding Xoops. Maybe you want to make a list of things to obey while developing modules and share this with the community?
Votes:1 Average:0.00
Posted on 2004/10/28 19:07
GIJOE   Posts: 4110
Hi frankblack.

I'm sorry that my answer is too late.
Quote:
Perhaps you will find this script interesting.
I've checked the Nuke module(?) now.
But I can't find any valuable code in the script.

It can't find security holes at all.
It only checks the version numbers of PHP, MySQL, NukeCore.

Quote:
I know that you are aware of security things regarding Xoops. Maybe you want to make a list of things to obey while developing modules and share this with the community?
I learnt security things from Jun Moriya (JM2) as a core member of XOOPS1.
I can share my knowledge if I'm skilled not only in PHP code but also in English.
Votes:0 Average:0.00
