Assuring Security by testing

  • Michael Osipov

    Michael Osipov - 2008-05-01

    Hi devs,

    I've been investigating XOOPS within my Bachelor's thesis
    of security test tools in open source" at the Free University of Berlin
    (FU Berlin) [1].
    Basically, I am looking for security measures which have been taken to
    prevent security leaks/vulnerabilities especially with security test

    So far, I have searched the repository, the homepage
    and the mailing list. The homepage and mailing list revealed no information at all.

    How do you prevent the vulnerabilities most PHP projects suffer from, like
    SQL injection, XSS and so forth (apart from turning off "register_globals")?
    How does your framework guarantee the protection stated in point 3?
    Does your security team or any other group/person take any measures to
    assure security with testing tools, with a special test plan or functional requirements?

    Additionally, there seems to be some great fuzzers out there for website
    testing and SQL injection like Wfuzz or Absinthe.

    Thanks in advance,



    • Ashley

      Ashley - 2008-05-02


      Although Xoops is reasonably secure in and of itself, most of the work in this area has been done by a developer called GIJOE with an addon module for Xoops called Protector, which these days is sort of a de rigueur install for any Xoops site. You can find Protector at

      Another module, NetQuery by Richard Virtue at provides primarily network tools but importantly also a spambot guardian.

      As to what the core dev team do for process and procedure, that's a mystery to me :-)


      • Michael Osipov

        Michael Osipov - 2008-05-03


        Thanks for your input. Do you mean that Xoops is reasonably safe due to the deployment of Protector? I've found some references on it and it seems to be some kind of silver bullet.
        You can never be 100% secure. Is there any test method to check what Protector is securing? Any tools used for that?

        NetQuery does not seem to provide the same security goals Protector does.


    • D.J.

      D.J. - 2008-05-03

      Dear Michael,

      In XOOPS core, there are some mechanisms dealing with SQL injection and XSS.
      There are some guides for third-party module developers to ensure security for their modules. Most of them are posted on forums and wiki pages randomly, not well organized. I am planning an article on XOOPS security considerations for developers.

      Protector by GIJOE has been a very useful module to provide protections against a variety of attacks, and it has been recommended by XOOPS dev team to webmasters. Meanwhile, most of the features in Protector will be adopted into XOOPS 3.0 core.

      If you need any more specific information, please let us know.
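
The two vulnerability classes named in this thread, SQL injection and XSS, as an added PHP example that is not code from XOOPS, Protector or any poster. Each is shown in its vulnerable form beside a hardened form, with constructed attacker input, so a reader can see what a core "mechanism" against them has to do. It uses PDO with an in-memory SQLite database purely so it runs stand-alone; XOOPS has its own database layer, which this does not reproduce, and the function names are invented for illustration.

```php
<?php
// Added example, not XOOPS/Protector code. PDO + SQLite in-memory is an
// assumption made so the script runs offline with no server or config.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT)");
$pdo->exec("INSERT INTO users (uname, pass) VALUES ('admin', 'secret'), ('bob', 'hunter2')");

// --- SQL injection ---------------------------------------------------------

// Vulnerable: user input is interpolated straight into the query string.
function login_vulnerable(PDO $pdo, string $uname, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE uname = '$uname' AND pass = '$pass'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened: bound parameters; the input is compared as a literal string and
// can never change the shape of the statement.
function login_hardened(PDO $pdo, string $uname, string $pass): int {
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE uname = ? AND pass = ?");
    $stmt->execute([$uname, $pass]);
    return (int) $stmt->fetchColumn();
}

// Constructed attacker input: the classic "' OR '1'='1" tautology in the
// password field. In the vulnerable query it becomes
//   ... AND pass = '' OR '1'='1'
// which matches every row; the hardened query matches none.
$uname = 'admin';
$pass  = "' OR '1'='1";
printf("vulnerable login matched %d row(s)\n", login_vulnerable($pdo, $uname, $pass)); // 2
printf("hardened  login matched %d row(s)\n", login_hardened($pdo, $uname, $pass));   // 0

// --- XSS -------------------------------------------------------------------

// Vulnerable: untrusted text is emitted as markup.
function render_vulnerable(string $comment): string {
    return "<p>$comment</p>";
}

// Hardened: encode for the HTML body context before output. ENT_QUOTES also
// covers single quotes, which matters if the value is ever placed in an
// attribute; the charset is given explicitly so malformed bytes are not
// passed through unencoded.
function render_hardened(string $comment): string {
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed attacker input: a script tag in a comment body.
$comment = '<script>alert(document.cookie)</script>';
echo render_vulnerable($comment), "\n"; // <p><script>alert(document.cookie)</script></p>
echo render_hardened($comment), "\n";   // <p>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>
```

The "register_globals" point from the first post is not shown because it is a php.ini setting rather than code: with it enabled, every request parameter is created as a global variable, so any script that reads a variable before assigning it can have that variable supplied by the attacker. The fix is configuration (register_globals = Off) plus code that only reads request data from $_GET, $_POST and friends.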


