PEAK XOOPS - Structural defect of XOOPS-2.3.2 from xoops.org in englishin japanese

Archive | RSS |
XOOPS
XOOPS : Structural defect of XOOPS-2.3.2 from xoops.org
Poster : GIJOE on 2009-01-09 13:09:35 (13266 reads)

in englishin japanese
I've shocked just by looking inside of the archive of xoops-2.3.2b.

They put XOOPS_TRUST_PATH folder inside htdocs/ !
(They renamed xoops_trust_path into xoops_lib. this fact also shows us they didnot understand the meaning of XOOPS_TRUST_PATH)
Moreover, there are no .htaccess under the folder xoops_lib/

I suspect my eyes.

mamba had reported LFI in the file under XOOPS_TRUST_PATH.
This is another evidence they cannot understand the meaning of inside/outside DocumentRoot.

When mamba said "I fixes Protector", I replied "Such a patch is non-sense".

This report proves mamba's patch was just non-sense.
http://www.milw0rm.com/exploits/7705

You should interpret the report is not an exploit of Protector itself but just XOOPS-2.3.2.

Anyway, phppp and developpers of xoops.org should do right now:

Put xoops_lib(XOOPS_TRUST_PATH) ouside of htdocs.
Learn the meanining of inside/outside DocumentRoot.
Read how to install Protector V3 again and again!

If you cannot do that or cannot understand what I mean, remove Protector from your archive.

Your wrong structure of the archive gave me pain.

My module -Protector- is useful for protecting all XOOPS forks/folks from maricious attacks as long as the module is installed rightly.


Related articles
Printer friendly page Send this story to a friend

Comments list

leco1  Posted on 2009/1/13 21:21
GIJOE

Thank you for your insightful arguments.

I user XOOPS for a long time and think he has improved a lot in version 2.3.x.

Obviously, if their arguments were posted in xoops.org, this would contribute immensely to the correct use of this program by users beginners.

Thanks
GIJOE  Posted on 2009/1/13 13:39 | Last modified
Quote:

leco1 wrotes:
See this article:

A Guide to Make your XOOPS Installation even more secure

http://www.xoops.org/modules/news/article.php?storyid=4601
My answer is the same as [1.2]


NG
structural insecure archive working monor and bad environments also
with instructions how to use the application securely

OK
structural secure archive working major and good environments only
with instructions how to use the application with monor and bad environments
GIJOE  Posted on 2009/1/13 13:32
hi leco.

Quote:

Please, read this inside release_notes in pack xoops 232b:
I've just found it.
But this is not the point of the structural defect.
Just check the archive itself.
htdocs/
       mainfile.php
       (etc)
       xoops_lib/
                 modules/
                         protector
should be
htdocs/
       mainfile.php
       (etc)
xoops_lib/
          modules/
                  protector

Of course, "xoops_lib" sounds bad.
Perhaps, they cannot imagine how long I pondered the folder's name should be placed outside of DocumentRoot.

I've considered XOOPS_HIDDEN_PATH, XOOPS_OUTSIDE_PATH, DONT_PLACE_IT_IN_DOCROOT, and so on...

I finally determined the name as XOOPS_TRUST_PATH sice minahito suggested a good word "TRUST".


Quote:
Furthermore, they published a tutorial that explains how to remove the folders on htdocs.
All they have to do is just moving xoops_lib outside of htdocs.
(I also recommend they rename it into "xoops_trust_path")

After this, they can write a tutorial how to place xoops_lib inside htdocs for some hosting services don't allow to put files outside of htdocs.

Quote:
Obviously there are good modules as news, smartsections, article and xgal.
I cannot understand what you mean by this sentence.
leco1  Posted on 2009/1/12 20:10
See this article:

A Guide to Make your XOOPS Installation even more secure

http://www.xoops.org/modules/news/article.php?storyid=4601
leco1  Posted on 2009/1/9 21:10
GIJOE

Please, read this inside release_notes in pack xoops 232b:


Installing XOOPS 2.3.2
-----------------------------------

1. Copy the content of the htdocs/ folder where it can be accessed by your server
2. Ensure mainfile.php and uploads/ are writable by the web server
3. For security considerations, you are encouraged to move directories "/xoops_lib" (for XOOPS libraries) and "/xoops_data" (for XOOPS data) out of document root, or even change the folder names.
4. Make the directory of xoops_data/ writable; Create and make the directories of xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ writable.
5. Access the folder where you installed the htdocs/ files using your web browser to launch the installation wizard

Installing Protector in XOOPS 2.3.2
-----------------------------------
We also highly recommend the installation of the PROTECTOR module which will bring additional security protection and logging capabilities to your site:

To install Protector module for the first time with a new installation of XOOPS 2.3.2, copy /extras/mainfile.dist.php.protector to /htdocs/mainfile.dist.php BEFORE installing XOOPS.

If you are upgrading an existing XOOPS Website (see below how to do it), and Protector is already installed there, copy /extras/mainfile.dist.php.protector to /upgrade/upd-2.0.18-to-2.3.0/mainfile.dist.php BEFORE upgrading XOOPS.

Furthermore, they published a tutorial that explains how to remove the folders on htdocs.

Although the modules made by xoopers are very weak, the latest 2.3.x series evolved significantly and facilitated use of its modules.

Obviously there are good modules as news, smartsections, article and xgal.

Login
Username or e-mail:

Password:

Remember Me

Lost Password?

Register now!