| World of Longplays 
    from XOOPS Project 
          (2009/1/17 5:00) | 
  | World of Longplays is a new gaming site using Xoops. The site is hosting full video walkthroughs of computer and video games.  Xoops version: 2.0.18.2 Theme: Modified version of APH001 by Ap3ex Design  Modules: News, Forum, XoopsPoll, Mylinks, Donations, Shoutbox, CBB, TinyD. Avaman, Protector    www.longplays.net 
 | 
  | Free Xoops Theme Sinnedesign-008-blue 
    from XOOPS Project 
          (2009/1/16 23:00) | 
  | Dear Xoopser,  I am happy to present to you my new Xoops theme, Sinnedesign-008-blue.  The new free Xoops theme is sinnedesign-008-blue.  Here is the free download link: Download Xoops Theme Sinnedesign-008-Blue.  If you have questions, feel free to write to me in the sinnedesign theme forum.  I hope you like my theme; have fun and a nice weekend.   Your Sinnedesign 
 | 
  | Big Umbrella Anti-SQL-Injection (3) 
    from PEAK XOOPS 
          (2009/1/16 5:07) | 
  | We have to know that comparing doubtful requests with all SQLs in the DB Layer costs not a little CPU.
So we override the DB Layer only when "attackable requests" have come. Almost all HTTP requests never carry such "attackable requests". This logic makes the speed and the security compatible.
My Protector finds "attackable requests" by this pattern (Perl regex format):
[code]/(information_schema|select|'|")/i[/code]
' and " can break the pair of quotations. select allows attackers to access the other tables. On the other hand, it ignores union because union is nonsense without select.
Marks starting a comment like (/* , -- or #) are ignored too.
Such marks can get their meaning only when the pair of quotations is broken.
And $_SERVER['HTTP_ACCEPT'] often includes a string like '*/*'.
Let's go to the logic of the method query() of the Protector's DB Layer. query() compares "attackable requests" and all SQLs. There are two patterns of vulnerabilities against SQL Injection.
(1) a string missing to escape (the string originates from a request)
e.g.
[code]SELECT ... FROM `table` WHERE `varchar_column`='(string_missing_to_escape)'[/code]
(2) a request placed into SQL as is
e.g.
[code]SELECT ... FROM `table` WHERE `integer_column`=(request)
SELECT ... FROM `table` WHERE ... ORDER BY (request)[/code]
This logic can protect almost all vulnerabilities like (1).
- list requests having ' or "
- compare all SQLs and the listed requests
- if a SQL includes one of the listed requests, stop it.
Because ' or " should be esca ... 
 | 
  | Kimokea Krav Maga, Belgium on Xoops 
    from XOOPS Project 
          (2009/1/15 19:10) | 
  | I made a small site based on a Xoopsdesign.com theme (makes life easier) for Kimokea, a Krav Maga school in Antwerp, Belgium.   Kimokea Krav Maga School   Just a few modules: news, contact and AMS. 
 | 
  | Big Umbrella Anti-SQL-Injection (2) 
    from PEAK XOOPS 
          (2009/1/15 16:12) | 
  | To compare request and SQL, we have to override the DB layer.
With XOOPS, this will be implemented as a modification of databasefactory.php because the database factory class looks too rigid.
This is my modification.
It might not be the best way, but a better way to be adopted by each core team of the XOOPS forks/folks.
class/database/databasefactory.php
[code]
   require_once $file;
   /* patch from */
   if ( defined('XOOPS_DB_ALTERNATIVE') && class_exists( XOOPS_DB_ALTERNATIVE ) ) {
       $class = XOOPS_DB_ALTERNATIVE ;
   } else
   /* patch to */
   if (!defined('XOOPS_DB_PROXY')) {
       $class = 'Xoops'.ucfirst(XOOPS_DB_TYPE).'DatabaseSafe';
   } else {
       $class = 'Xoops'.ucfirst(XOOPS_DB_TYPE).'DatabaseProxy';
   }
   $instance =& new $class();
[/code]
hi minahito, marcan, and phppp.
I've made the patch so it can be accepted by you. Please consider it. :-)
In the next article, I will discuss the condition under which the db layer must be overridden, and the logic comparing requests and SQL. 
 | 
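The two Big Umbrella articles above put together as one runnable sketch: the pre-check pattern and the query() comparison from part 3, and the factory decision that the databasefactory.php patch in part 2 makes possible. This is added code, not Protector's or the XOOPS core's; DemoDatabase (standing in for XoopsMysqlDatabaseSafe), DemoDatabaseProxy and collectAttackableRequests() are assumed names, and XOOPS_DB_ALTERNATIVE is defined here by the pre-check itself so the file runs on its own.

```php
<?php
// Added example, not Protector's or the XOOPS core's code; PHP 8. Stand-in names:
// DemoDatabase (for XoopsMysqlDatabaseSafe), DemoDatabaseProxy, collectAttackableRequests().
// The pattern is the one quoted in part 3. union and comment markers (/*, --, #)
// are left out on purpose: they only bite once a quote pair is broken, and
// HTTP_ACCEPT routinely carries "*/*".
const ATTACKABLE_PATTERN = '/(information_schema|select|\'|")/i';
// Step 1, the cheap pre-check: list every request string matching the pattern.
function collectAttackableRequests(array $request): array
{
    $found = [];
    foreach ($request as $value) {
        if (is_array($value)) {
            $found = array_merge($found, collectAttackableRequests($value));
        } elseif (is_string($value) && preg_match(ATTACKABLE_PATTERN, $value)) {
            $found[] = $value;
        }
    }
    return $found;
}
// Stand-in for the normal database class: it just records the SQL it ran.
class DemoDatabase
{
    public array $executed = [];
    public function query(string $sql): bool { $this->executed[] = $sql; return true; }
}
// Step 3, the overriding layer: stop any SQL that contains a listed value as-is.
// A value the module escaped no longer appears verbatim (' became \'), so it passes.
class DemoDatabaseProxy extends DemoDatabase
{
    public function __construct(private array $attackable) {}
    public function query(string $sql): bool
    {
        foreach ($this->attackable as $value) {
            if (strpos($sql, $value) !== false) {
                error_log('Big Umbrella: stopped SQL containing a request value as-is');
                return false;
            }
        }
        return parent::query($sql);
    }
}
// Constructed input: one quote-breaking value, plus an Accept header holding "*/*".
$request = ['id' => '42', 'name' => "o'neil' OR 'a'='a"];
$attackable = collectAttackableRequests([$request, ['HTTP_ACCEPT' => 'text/html,*/*']]);
// Step 2, the factory choice the databasefactory.php patch enables: the alternative
// class is defined only when the pre-check found something, otherwise the normal one runs.
if ($attackable) { define('XOOPS_DB_ALTERNATIVE', 'DemoDatabaseProxy'); }
$db = defined('XOOPS_DB_ALTERNATIVE') ? new DemoDatabaseProxy($attackable) : new DemoDatabase();
$db->query("SELECT * FROM `users` WHERE `name`='" . addslashes($request['name']) . "'");  // escaped by the module
$db->query("SELECT * FROM `users` WHERE `name`='{$request['name']}'");  // escaping forgotten
var_dump($db->executed);
```

The Accept header is collected alongside the request on purpose: it shows why `*/*` must not count as attackable, otherwise nearly every browser request would trigger the expensive layer.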
  | Free Theme for Xoops 
    from XOOPS Project 
          (2009/1/13 20:30) | 
  | Dear Xoops Community,  today I want to introduce to you my new Xoops theme, sinnedesign-004-green imagine.  This design is a green-colored version of the theme sinnedesign-004-red.     You can get the free download of the theme under Download Xoops Theme Sinnedesign-004-Green.   I wish you much fun with the theme.  Your Sinnedesign 
 | 
  | VideoTube 1.83 Update 
    from XOOPS Project 
          (2009/1/13 15:00) | 
  | This beta release contains two bug fixes and one additional feature.  The first bug was introduced in version 1.82 where we missed adding x offset and y offset parameters when selecting NEXT or BACK buttons on the YouTube search results page.  The other bug fix has been a long-standing issue in which special characters in other languages such as Hebrew, Chinese, etc. appear as UTF codes (%uXXXX%) instead of actual characters on YouTube search. The problem turned out to be an extra escape command line in the JavaScript that was created for troubleshooting. We just forgot to remove it when troubleshooting was completed.  The new feature is the addition of a preference parameter so you can define the number of inferred subcategories to be displayed under current categories when category display type is set to Advanced.  Since these are beta releases and we are putting out updates as soon as bug fixes are completed, I have decided to simply post them on the Custom Virtual Designs site. We will only ... 
 | 
  | VideoTube v1.82 Update 
    from XOOPS Project 
          (2009/1/12 0:10) | 
  | For those who attempted to use the Video Tube v1.81 release and experienced problems, we have now corrected the bugs that were introduced in this release. Many of you experienced blank page displays. This was due to the use of the XoopsTree class within the module, which caused conflicts. This issue has now been resolved. There were also some category bugs that prevented edits to videos from working properly. These issues have been resolved as well.  This update does introduce one more new feature. Positioning of the Video Preview on search result screens now appears near the video thumbnail whenever a thumbnail is selected. This was accomplished by capturing the mouse pointer coordinates when a thumbnail is clicked, then using these coordinates for positioning of the Video Preview. This new feature has been verified in both MSIE and Firefox, as Firefox handles events differently than IE. 
 |