I've been investigating XOOPS within my Bachelor's thesis of security test tools in open source" at the Free University of Berlin (FU Berlin).
Basically, I am looking for security measures which have been taken to prevent security leaks/vulnerabilities, especially with security test
So far, I have searched the repository, the homepage and the mailing list. The homepage and mailing list revealed no information at all.
How do you prevent the vulnerabilities most PHP projects suffer from (apart from turning off "register_globals"), such as SQL injection, XSS and so forth?
How does your framework guarantee the protection stated in point 3?
Does your security team or any other group/person take any measures to assure security with testing tools, with a special test plan or functional requirements?
Additionally, there seem to be some great fuzzers out there for website testing and SQL injection, like Wfuzz or Absinthe.
Thanks in advance,
Although Xoops is reasonably secure in and of itself, most of the work in this area has been done by a developer called GIJOE with an addon module for Xoops called Protector, which these days is sort of a de rigueur install for any Xoops site. You can find Protector at http://xoops.peak.ne.jp/
Another module, NetQuery by Richard Virtue at http://virtech.org/ provides primarily network tools but importantly also a spambot guardian.
As to what the core dev team do for process and procedure, that's a mystery to me :-)
Thanks for your input. Do you mean that Xoops is reasonably safe due to the deployment of Protector? I've found some references on it and it seems to be some silver bullet.
You can never be 100% secure. Is there any test method to check what Protector is securing? Any tools used for that?
NetQuery does not seem to provide the same security goals Protector does.
In XOOPS core, there are some mechanisms dealing with SQL injection and XSS.
There are some guides for third-party module developers to ensure security for their modules. Most of them are posted randomly on xoops.org forums and wiki pages and are not well organized. I am planning an article on XOOPS security considerations for developers.
Protector by GIJOE has been a very useful module to provide protections against a variety of attacks, and it has been recommended by XOOPS dev team to webmasters. Meanwhile, most of the features in Protector will be adopted into XOOPS 3.0 core.
If you need any more specific information, please let us know.
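The two vulnerability classes named in this thread, SQL injection and XSS, are easiest to understand side by side with their fixes. The following is an added example written for this page; it is not XOOPS core or Protector code and does not claim to show how XOOPS implements its mechanisms. It assumes PHP with the pdo_sqlite extension and uses a constructed in-memory users table and constructed attack payloads, so it runs offline with no web server.

```php
<?php
// Added example (not XOOPS or Protector code): string-built SQL and unescaped
// output next to their hardened forms. Assumes PHP with pdo_sqlite; the table,
// rows and payloads below are constructed for the demonstration.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, email TEXT)');
    $db->exec("INSERT INTO users (uname, email) VALUES"
        . " ('alice', 'alice@example.org'), ('bob', 'bob@example.org')");
    return $db;
}

// Vulnerable: user input is concatenated into the SQL text, so a quote in the
// input ends the literal and the rest of the input becomes SQL.
function findUserVulnerable(PDO $db, string $uname): array
{
    $sql = "SELECT uname, email FROM users WHERE uname = '" . $uname . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the query and the value separately, so
// the input is only ever compared as data and can never change the query shape.
function findUserSafe(PDO $db, string $uname): array
{
    $stmt = $db->prepare('SELECT uname, email FROM users WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable: input reflected into HTML as-is; markup in the input is rendered.
function renderVulnerable(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: escape for the HTML context. ENT_QUOTES also covers attribute
// values; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function renderSafe(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$db = makeDb();

// Constructed tautology payload: turns the WHERE clause into "uname = '' OR '1'='1'".
$payload = "' OR '1'='1";
printf("vulnerable query returned %d row(s)\n", count(findUserVulnerable($db, $payload)));
printf("prepared statement returned %d row(s)\n", count(findUserSafe($db, $payload)));

// Constructed XSS payload: a script tag supplied where a display name is expected.
$xss = '<script>alert(1)</script>';
echo renderVulnerable($xss), "\n";
echo renderSafe($xss), "\n";
```

Run it with `php example.php`: the string-built query matches every user because the injected tautology is always true, while the prepared statement matches none because no user is literally named `' OR '1'='1`. For the output side, the vulnerable render emits the script tag intact and the escaped render turns `<` and `>` into entities the browser will display rather than execute. The same two habits, parameterized queries and context-appropriate output escaping, are what any module author should follow regardless of whether a filtering layer such as Protector sits in front of the application.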