131
JasonMR
Re: XOOPS 2.0.10
  • 2005/2/9 22:25
  • JasonMR
  • Just can't stay away
  • Posts: 655
  • Since: 2004/6/21


MarcoFR/Ackbar:

I've noticed this group, and think it's a great project. Unfortunately they are so fresh that their site doesn't contain much info.

In some ways interesting, I found this link they provided to the PHP Manual Security pages, which displays the main problem with security and app development: the developer! Meaning, one can provide the best information, and still people won't implement what has been pointed out.

DonXoops:

And yes, no matter what we will be doing to the core, the vulnerability is with 3rd party modules. Especially as people like myself use XOOPS as a means to teach themselves web application development skills.


Thankfully, two new XOOPS projects (at least this is the impression I have) will most likely assist us with this problem (alleviating most of the need for luck; we still need it though, to get the people together to take care of the accompanying workload):
- Security Group
- Quality Control

To keep up a positivist attitude, I believe there are a couple of other things we could do.

1) on dev.xoops.org wiki, have a page dedicated to "basic security measures" when developing, such as checking all input, never using "Globals On", etc., with a link placed amongst all those other "Manuals"

2) have a special forum on dev.xoops.org dedicated to security questions ("hey guys, could you look at this code, and point out any possible security risks?" "Ahh, this might be an offender" "Why" "well....." -> discussion)


Too often do devs believe: thought once about security, job done. Reality suggests that checking security is an ongoing issue, which is difficult to implement as a dev, as our interest lies first with getting a certain task done, then we worry about how it looks and works, the period at which thoughts regarding security usually/might kick in.

There is no 100% security, but there is 100% security awareness, which we should strive for. And judging by this thread, we are on the right path.

130
DonXoop
Re: XOOPS 2.0.10

Don't forget to push module developers to think secure too. 3rd party mods are the weakest links.

So Protector is making it into the core. Hopefully with more docs and much easier maintenance. For example, if you enable it without thinking you just might end up with hundreds of pages of "violations" that might actually be your own users doing normal things. Tedious trying to filter the real violations from normal ones and then trying to delete the logs. Enable a mod like chat and you'll instantly get violations. And those violations all appear as anonymous even with the users logged in. Disabling the Protector block for registered users doesn't help; I guess it is the mainfile.php pre/postcheck lines.

Good luck, folks.

129
ackbarr
Re: XOOPS 2.0.10

I read this last week, and found it to be a very good primer on 'thinking secure' in development.

128
Marco
Re: XOOPS 2.0.10
  • 2005/2/9 19:58
  • Marco
  • Home away from home
  • Posts: 1256
  • Since: 2004/3/15


PHP Security Consortium is born
----> you will find their first publication, The PHP Security Guide (free download)
perhaps a way to increase our security knowledge?
http://phpsec.org/
just my 2 cents...
bye
marco

127
JasonMR
XOOPS 2.0.10
  • 2005/2/9 0:26
  • JasonMR
  • Just can't stay away
  • Posts: 655
  • Since: 2004/6/21


Yep, progress is being made on 2.0.10, as Onokazu announced yesterday on the SourceForge developers forum.

From his posting:
Quote:

I would also like to let you know that 2.0.10 is ready for beta testing, which should be released officially as final in a day or two. A new feature has been added to this release to enhance security. The feature is commonly known as one-time ticket/token system, main purpose of which is to prevent CSRF attacks but can also be used to prevent multiple form submissions.


So yes, members who received "little thank yous" from the community are trying to pay us back (not that they needed to, but that's just the type of guys they are).

Hope people find this informative.....
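To show how the one-time ticket/token scheme quoted above works in practice, here is an added example (my own illustration, not XOOPS core code): a token is minted per form, stored in the session, and consumed on first use, so a forged cross-site POST (which cannot know the token) and a double submission (which reuses it) are both rejected. The field name `form_token`, the 30-minute lifetime and the `post_comment` form name are assumptions for the example.

```php
<?php
// Added example, not XOOPS code: minimal one-time form token that blocks
// CSRF and repeated submissions. Field name, lifetime and form name are
// assumed values chosen for the illustration.
session_start();

const TOKEN_TTL = 1800; // seconds a token stays valid (assumed)

// Mint a fresh random token bound to this session and to one named form.
function createToken(string $formName): string
{
    $token = bin2hex(random_bytes(16));           // 128 bits of CSPRNG entropy
    $_SESSION['tokens'][$token] = [
        'form'    => $formName,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

// Validate a submitted token exactly once. It is deleted whether or not it
// checks out, so a replayed or double-submitted form fails the second time.
function consumeToken(?string $token, string $formName): bool
{
    if ($token === null || empty($_SESSION['tokens'][$token])) {
        return false;                             // unknown: forged or already used
    }
    $entry = $_SESSION['tokens'][$token];
    unset($_SESSION['tokens'][$token]);           // one-time use
    return $entry['form'] === $formName && $entry['expires'] > time();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeToken($_POST['form_token'] ?? null, 'post_comment')) {
        http_response_code(403);
        exit('Invalid, expired or reused form token');
    }
    // Token accepted: safe to process the comment here (input still needs
    // its own validation; the token only proves the request is ours).
    exit('Comment accepted');
}

$token = createToken('post_comment');
?>
<form method="post" action="">
  <textarea name="comment"></textarea>
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token) ?>">
  <button type="submit">Post</button>
</form>
```

Reloading the form after a successful POST mints a new token, so a browser "resubmit" of the old request is refused rather than creating a duplicate post.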

126
m0nty
Re: Xoops On Crack?
  • 2005/2/8 21:37
  • m0nty
  • XOOPS is my life!
  • Posts: 3337
  • Since: 2003/10/24


of course they have bothered!! why wouldn't they have?

what has been done? well the protector module helps, and if you read the rest of the pages you'd know that protector will be integrated into the core. other things have been done, 2.0.7.3 included lots of security related fixes, XOOPS 2.0.9.2 also improved more on security..

underlying problem? well nothing is 100% secure, you fix 1 security issue and someone always finds another way to circumvent it.. try downloading the source yourself, look at it, and if you spot any issues then report them in the proper manner (that's if you're capable and knowledgeable enough to do so). it's not an easy task to spot flaws.. and well, these last 2 weeks alone have seen more security issues related to apache and other server software etc.. so nobody is perfect in their programming..

it's alright for you to ask what is being done about it, and to be honest i don't know how you can actually say that nothing is being done about it or make a remark about whether the core team have bothered to do anything about it.. and btw nobody here calls themselves a 733t coder

if you have some suggestions then suggest them. i'm sure the dev site and the sourceforge will give you more info if you bother to read them before making your presumptions.

if a security issue wasn't known to the team then how the hell can they fix it? security is high on the priority list and always has been.

125
MorelyDotes
Re: XOOPS insecure? I think not!

Quote:

If XOOPS was a single, compiled, closed source, fully developed application, the vulnerability of the system could be completely controlled (but still not guaranteed!).


Sure, just like MS Windows, eh?

The huge advantage of open source is that *anyone* can look at it, and if they find a security problem, not only can they tell everyone else, the discoverer can *fix* it (or at least tell someone else who can fix it). And then the fix will be distributed to the rest of the community quickly.

No lobbying to get laws passed to prevent publication of security issues; no delaying patch distribution because admitting there's a problem might interfere with a Marketing campaign - just find it, fix it, and fling it out there.

So, all you 733t coders, if you know there's a problem, what have you done about fixing it? Producing Protector is great, but it is not the same as fixing the underlying problem. Herko isn't the only Core Team member; how have you contacted the rest of them? Or have you bothered?

124
m0nty
Re: Xoops On Crack?
  • 2005/2/4 19:01
  • m0nty
  • XOOPS is my life!
  • Posts: 3337
  • Since: 2003/10/24


lmao.. i guess you're having a day full of sarcasm then today Don?

123
DonXoop
Re: Xoops On Crack?

can't tell from here.

Yogi Berra: "It ain't over till it's over"
Yogi Bear: "Let's go look for some pic-ci-nic baskets"

122
danielh2o
Re: Xoops On Crack?
  • 2005/2/4 16:46
  • danielh2o
  • Just popping in
  • Posts: 47
  • Since: 2004/10/19


any progress for XOOPS core v2.0.10, anyone can tell...?
