Assuring Security by testing

2008-05-01
2012-09-25
  • Michael Osipov
    2008-05-01

    Hi devs,

    I've been investigating XOOPS within my Bachelor's thesis "Application
    of security test tools in open source" at the Free University of Berlin
    (FU Berlin) [1].
    Basically, I am looking for security measures which have been taken to
    prevent security leaks/vulnerabilities, especially with security test
    tools.

    So far, I have searched the repository, the homepage and the mailing
    list. The homepage and mailing list revealed no information at all.

    How do you prevent the vulnerabilities most PHP projects suffer from
    (apart from turning off "register_globals"), like SQL injection, XSS
    and so forth?
    How does your framework guarantee the protection stated in point 3?
    Does your security team or any other group/person take any measures to
    assure security with testing tools, with a special test plan or
    functional requirements?

    Additionally, there seem to be some great fuzzers out there for website
    testing and SQL injection, like Wfuzz or Absinthe.

    Thanks in advance,

    Michael

    [1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools

    • Ashley
      2008-05-02

      Michael

      Although Xoops is reasonably secure in and of itself, most of the work in this area has been done by a developer called GIJOE with an addon module for Xoops called Protector, which these days is sort of a de rigueur install for any Xoops site. You can find Protector at http://xoops.peak.ne.jp/

      Another module, NetQuery by Richard Virtue at http://virtech.org/, provides primarily network tools but, importantly, also a spambot guardian.

      As to what the core dev team do for process and procedure, that's a mystery to me :-)

      Regards
      A

      • Michael Osipov
        2008-05-03

        Ashley,

        thanks for your input. Do you mean that Xoops is reasonably safe due to the deployment of Protector? I've found some references on it and it seems to be some silver bullet.
        You can never be 100 % secure. Is there any test method to check what Protector is securing? Any tools used for that?

        NetQuery does not seem to provide the same security goals Protector does.

        Mike

    • D.J.
      2008-05-03

      Dear Michael,

      In XOOPS core, there are some mechanisms dealing with SQL injection and XSS.
      There are some guides for third-party module developers to ensure security for their modules. Most of them are posted randomly on xoops.org forums and wiki pages and are not well organized. I am planning an article on XOOPS security considerations for developers.

      Protector by GIJOE has been a very useful module providing protection against a variety of attacks, and it has been recommended by the XOOPS dev team to webmasters. Meanwhile, most of the features in Protector will be adopted into the XOOPS 3.0 core.

      If you need any more specific information, please let us know.

      D.J.
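The "mechanisms dealing with SQL injection and XSS" D.J. mentions, and the SQL injection / XSS question in the opening post, come down to two generic PHP techniques: parameterised queries and context-aware output encoding. The block below is an added example written for this page; it is not XOOPS, Protector or any poster's code. It assumes PHP 7.4 or later with the pdo_sqlite extension, builds a constructed two-row users table in an in-memory SQLite database, and shows the vulnerable string-built query next to the prepared-statement version so the difference can be checked by running it.

```php
<?php
// Added example, not XOOPS code: parameterised queries and output encoding,
// the generic PHP defences against SQL injection and XSS, shown against a
// deliberately vulnerable version. Runs stand-alone with pdo_sqlite.
declare(strict_types=1);

// Constructed sample data: a small users table with two accounts.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT)');
$pdo->exec("INSERT INTO users (uname, pass) VALUES ('admin', 'secret'), ('bob', 'hunter2')");

// The classic tautology payload: it turns the WHERE clause into "always true".
$maliciousUser = "' OR '1'='1";
$maliciousPass = "' OR '1'='1";

// VULNERABLE: interpolating input into the SQL text lets the input change
// the structure of the query, not just the values it compares against.
function loginVulnerable(PDO $pdo, string $uname, string $pass): array
{
    $sql = "SELECT uid, uname FROM users WHERE uname = '$uname' AND pass = '$pass'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement ships the values separately from the query
// text, so the driver never parses them as SQL, whatever quotes they contain.
function loginHardened(PDO $pdo, string $uname, string $pass): array
{
    $stmt = $pdo->prepare('SELECT uid, uname FROM users WHERE uname = :u AND pass = :p');
    $stmt->execute([':u' => $uname, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS: a stored or submitted value is data and must be encoded for the
// context it is written into. ENT_QUOTES covers HTML text and both quoting
// styles of attribute values; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function renderGreeting(string $uname): string
{
    return '<p>Hello, ' . htmlspecialchars($uname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$injected = loginVulnerable($pdo, $maliciousUser, $maliciousPass);
$safe     = loginHardened($pdo, $maliciousUser, $maliciousPass);

// The vulnerable query matches every row (the attacker is "logged in" as
// everyone); the prepared statement finds no user with that literal name.
assert(count($injected) === 2);
assert(count($safe) === 0);

// The script payload comes back as inert text, not as markup.
$xssPayload = '<script>alert(1)</script>';
assert(renderGreeting($xssPayload) === '<p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>');

printf("vulnerable query returned %d rows, prepared statement returned %d rows\n",
       count($injected), count($safe));
echo renderGreeting($xssPayload), "\n";
```

Run it with `php example.php`; the three `assert` calls are the check a tester would script against a module, and they only fire when `zend.assertions` is enabled (the default outside a production php.ini). Note that `htmlspecialchars` is correct for HTML text and attribute context only; a value placed into a JavaScript string, a URL or a CSS property needs the encoder for that context instead.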