From: R. M. v. D. <mv...@ca...> - 2003-07-09 17:36:48
On Wed, 9 Jul 2003, K. Ono wrote:
> Hi Chapi,
>
> Sure, but unfortunately I do not have the time to look into them all.
> If possible, I would like somebody very familiar with XSS and related
> security vulnerabilities to take a look at the codes.
>
> There are really many hacks/modules that look very interesting and should be
> integrated to the core, but that's not very easy since some of them lack
> making the codes secure enough. It is very easy to secure them once they are
> found, but it is really easily forgotten as well. One little cross site
> scripting hole requires another 2.0.x. ;-)
I think all 'xss' vulnerabilities can be addressed simply by placing
the construct:
    if (!defined('XOOPS_ROOT_PATH')) {
        exit();
    }
at the top of any file which is not meant to be called directly. (As is
done in xoops core now.) Or is this too simplistic a view of the issue?
Other vulnerabilities need to be checked as well... e.g. all the
queries must be checked that any strings coming from GET/POST/etc args are
properly 'escaped/quoted' to prevent 'sql injection' attacks. Also the
codes must be checked that there are no 'register_globals' vulnerabilities,
and also that it works with 'register_globals' set to 'off'.
If I have some time I can start to look at some of these. Are there any
hacks which should receive priority... i.e. most useful/desired in the
community?
Best regards,
Mike
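As an added example that is not part of this thread or of the XOOPS code base, the checks listed in the reply applied in one small PHP module file: the direct-access guard, reading input from a superglobal so the file works with register_globals off, a bound query parameter instead of a spliced string, plus htmlspecialchars() on output, the encoding that keeps stored text from being rendered as markup. It assumes the pdo_sqlite extension is available; the table, rows and hostile input are constructed for the demo.

```php
<?php
// Added example, not code from the XOOPS project: the checks the reply
// lists, applied in one small module file.

// Stand-in for the framework entry script, which defines XOOPS_ROOT_PATH
// before including module files; drop this line in a real module.
define('XOOPS_ROOT_PATH', __DIR__);

// 1. Refuse direct invocation: only run when included by the framework.
if (!defined('XOOPS_ROOT_PATH')) {
    exit();
}

// 2. Take request data from the superglobal only, so the file works with
//    register_globals off. The default is a constructed hostile value for CLI runs.
$username = isset($_GET['username']) ? (string) $_GET['username'] : "' OR '1'='1";

// 3. Never splice request strings into SQL: bind them as parameters.
function findUsers(PDO $db, string $uname): array
{
    $stmt = $db->prepare('SELECT uid, uname FROM users WHERE uname = :u');
    $stmt->execute([':u' => $uname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Encode anything echoed into HTML so stored data cannot become markup.
function renderRow(array $row): string
{
    return '<li>' . htmlspecialchars($row['uname'], ENT_QUOTES, 'UTF-8') . '</li>';
}

// In-memory SQLite stands in for the site's MySQL server (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT)');
$db->exec("INSERT INTO users (uname) VALUES ('chapi'), ('<b>mike</b>')");

// With a bound parameter the hostile default matches no row at all,
// instead of every row as it would in a string-built WHERE clause.
printf("rows for request input: %d\n", count(findUsers($db, $username)));

// Normal lookup; the stored markup is rendered as text, not as a tag.
foreach (findUsers($db, '<b>mike</b>') as $row) {
    echo renderRow($row), "\n";   // <li>&lt;b&gt;mike&lt;/b&gt;</li>
}
```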