Author Me Date 2008/12/12
The XOOPS Protector Module protects against DoS, SQL injection, and a number of other related attacks. This is a must-install module. As of XOOPS 2.3.x it is included in the installation files, but you will want to get the latest version and keep it updated.
Latest version: 3.22 | Website
Features
This module can help protect against the following attacks:
- DoS
- Bad Crawlers (like bots collecting e-mails...)
- SQL Injection
- XSS (not all though)
- System globals pollution
- Session hi-jacking
- Null-bytes
- Directory Traversal
- Some kind of CSRF (fatal in XOOPS <= 2.0.9.2)
- Brute Force
- Camouflaged Image File Uploading (== IE Content-Type XSS)
- Executable File Uploading Attack
- XMLRPC's eval() and SQL Injection Attacks
- SPAMs for comment, trackback etc.
Installation
Fresh Install
You must edit mainfile.php with the code below if you are installing Protector into an existing XOOPS installation that does not already have it. When you decompress the archive, you will have a standard set of module files and another set that goes in a trusted directory (preferably outside of the root of your web-docs). Copy those trusted path files to a non-web-accessible directory, per the instructions. Edit mainfile.php to include the following lines (they add the precheck and the postcheck):
//XOOPS Protector EDIT START
// precheck must run before the XOOPS core (include/common.php) is loaded;
// XOOPS_TRUST_PATH must already be defined earlier in mainfile.php
include( XOOPS_TRUST_PATH . '/modules/protector/include/precheck.inc.php' );
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {
    include XOOPS_ROOT_PATH . "/include/common.php";
}
// postcheck runs once the core has been loaded
include( XOOPS_TRUST_PATH . '/modules/protector/include/postcheck.inc.php' );
//XOOPS Protector EDIT END
Install the module per standard XOOPS module installation using the administration console.
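The two things that most often go wrong with this install are the trusted directory ending up under the web root and the precheck/postcheck includes landing on the wrong side of include/common.php. The script below is an added example (not part of the Protector package or the XOOPS project) that audits a mainfile.php for both: it parses the XOOPS_ROOT_PATH and XOOPS_TRUST_PATH defines, checks that the trust path is not inside the web root, and checks the include ordering. The sample mainfile contents and the /var/www paths are constructed for illustration.

```python
"""Post-install sanity check for a XOOPS Protector deployment (added example)."""
import posixpath
import re

PRECHECK = "/modules/protector/include/precheck.inc.php"
POSTCHECK = "/modules/protector/include/postcheck.inc.php"
COMMON = "/include/common.php"

# Matches define('XOOPS_ROOT_PATH', '...') / define("XOOPS_TRUST_PATH", "...")
DEFINE_RE = re.compile(
    r"""define\(\s*['"](XOOPS_ROOT_PATH|XOOPS_TRUST_PATH)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_defines(mainfile_text):
    """Return {constant_name: value} for the two path constants found in mainfile.php."""
    return {name: value for name, value in DEFINE_RE.findall(mainfile_text)}


def check_mainfile(mainfile_text):
    """Return a list of problems with the Protector includes; empty means OK."""
    problems = []
    pre = mainfile_text.find(PRECHECK)
    post = mainfile_text.find(POSTCHECK)
    common = mainfile_text.find(COMMON)
    if pre < 0:
        problems.append("precheck.inc.php is not included")
    if post < 0:
        problems.append("postcheck.inc.php is not included")
    if common < 0:
        problems.append("include/common.php is not included")
    # precheck must run before the core is loaded, postcheck after it
    if pre >= 0 and common >= 0 and pre > common:
        problems.append("precheck must be included before include/common.php")
    if post >= 0 and common >= 0 and post < common:
        problems.append("postcheck must be included after include/common.php")
    return problems


def check_trust_path(trust_path, document_root):
    """Return problems with the trusted directory location; empty means OK.

    The trust path must not be the web root or anything beneath it, otherwise
    the filter configs and banned-IP files become web-accessible.
    """
    trust = posixpath.normpath(trust_path)
    root = posixpath.normpath(document_root)
    if trust == root or trust.startswith(root + "/"):
        return ["trust path %s is inside the web root %s" % (trust, root)]
    return []


def audit(mainfile_text):
    """Combine both checks using the paths defined in mainfile.php itself."""
    problems = check_mainfile(mainfile_text)
    paths = parse_defines(mainfile_text)
    if "XOOPS_TRUST_PATH" not in paths:
        problems.append("XOOPS_TRUST_PATH is not defined in mainfile.php")
    elif "XOOPS_ROOT_PATH" in paths:
        problems += check_trust_path(paths["XOOPS_TRUST_PATH"], paths["XOOPS_ROOT_PATH"])
    return problems


# Constructed sample: a correct mainfile.php fragment.
GOOD_MAINFILE = """<?php
define('XOOPS_ROOT_PATH', '/var/www/html');
define('XOOPS_TRUST_PATH', '/var/www/xoops_trust');
//XOOPS Protector EDIT START
include( XOOPS_TRUST_PATH . '/modules/protector/include/precheck.inc.php' );
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {
    include XOOPS_ROOT_PATH . "/include/common.php";
}
include( XOOPS_TRUST_PATH . '/modules/protector/include/postcheck.inc.php' );
//XOOPS Protector EDIT END
"""

# Constructed sample: precheck added after the core include and the trust
# directory placed under the web root.
BAD_MAINFILE = """<?php
define('XOOPS_ROOT_PATH', '/var/www/html');
define('XOOPS_TRUST_PATH', '/var/www/html/xoops_trust');
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {
    include XOOPS_ROOT_PATH . "/include/common.php";
}
include( XOOPS_TRUST_PATH . '/modules/protector/include/precheck.inc.php' );
include( XOOPS_TRUST_PATH . '/modules/protector/include/postcheck.inc.php' );
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_MAINFILE), ("bad", BAD_MAINFILE)):
        print(label, audit(text) or "OK")
```

To use it against a real site, read your mainfile.php into a string and pass it to audit(); an empty list means both the include order and the trust-path location look right.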
Upgrade
There may be some files in the TRUST_PATH directory that you will want to keep. Do a diff before you upgrade so that you do not lose defined filters and the like, and/or back up a copy of the files as usual. Otherwise, copy the files to the modules and trusted path directories and then update the module in the administrator. This applies to any upgrade from version 3.0 to the current version. Upgrades from version 2.0 to the current version require some changes to the mainfile inserts, as the file organization changed.
Configuration
Set the preferences as desired. Check out the Security Advisory in the administration section of the module. Make changes as appropriate (this may have undesired effects on modules). If you use phpsuexec or suphp, you won't be able to implement the .htaccess solution suggested by this module. Most well-performing sites now use one or the other of these.
Recovery
Banned IPs are kept in TRUST_PATH/modules/protector/configs/badipsXXXX. If you get locked out, edit or delete that file as appropriate.