Oxwall security issues, management issues etc | Forum

DudeHeyDude May 5 '12
Hello. First of all, I'm sorry for my English, but it is not my native language. Second, this post is not meant to troll or criticize the software and its creators in a bad manner. Oxwall is a free CMS, I respect the work of the coders, and I'm not here to criticize them like a smart ass. But I have some things to say about some bad issues, and this is the perfect place.


1. In about 2 minutes of manual searching I found a persistent XSS in the latest (updated) version of Oxwall, and probably there are more out there. Please just use an updated XSS evasion cheat sheet (html5sec.org), or at least RSnake's XSS Cheat Sheet from ha.ckers.org, and sanitize the active content. I bet many of the webmasters that use the Oxwall platform allow members to modify their own profile. Right now anyone can inject JavaScript into their profile without any problems. So guys, if you are using Oxwall, uncheck the box "Allow users to customize this page" (yoursite.com/admin/user-profile), or you can become the victim of an XSS attack. You can say that I'm a douche, but I am not telling you exactly where the XSS is located, because this coding mistake is unpardonable when it's about the security of the users. You can find it by yourself in a few minutes using the hints I gave you. It is basic HTML with basic JavaScript.


2. The SEO part sucks big time. You can make thousands of plugins for SEO, but the code itself is not SEO friendly. 40% of the page is not the generated content itself. When search engine bots crawl the site, the first things found are the CSS and the full JavaScript code. That content is actually considered junk by search engine spiders, and the bots start to ignore the rest of the page, because they are programmed to read from the top first, and most of the time spiders ignore the rest of the page if they detect junk code. Everyone knows that. It's almost impossible to target the first page in Google, Yahoo or Bing in this way. And the biggest problem is that the 40% of junk code is located in the upper part of the page, starting from the end of the header. Please consider that I'm using the term "junk code" only from an SEO point of view, and I'm aware this code is actually running the functions of the website itself.


3. As an admin I can't make changes to user accounts. I can't edit profiles, I can't see the IP address, I can't change the passwords, I can't change their e-mail address, I can't change their pics. So what is the role of the admin if I don't have those basic features on my own website? I mean, those features have existed in any CMS for at least 10 years, and they are "a must" in any social platform. Those features should be created from the beginning of a CMS platform. I don't understand the logic of those missing features, but please at least take a look at phpBB or vBulletin to see what basic management features you need to add to Oxwall.


4. Moderator features are a joke, same as the admin features.


5. Too many locations for theme files. If I want to change something I need to browse all the folders and delete the files in three or four places. Caching is a nightmare too. Dev mode/debug mode is visible to all online users at the same time as the admin. WTF?


That is what I have to say about my 2 days' experience with Oxwall. Am I satisfied with this free product? No, I'm not, but I consider that it can be better, and I will give this platform a shot. Solve the chaos in the code and implement real user management, and I will pay for it if the freeware version becomes obsolete. Until then I wish to thank you guys for making a free social networking platform, and I apologize if I offended you in any way. I know how hard it is to develop something from scratch, and sometimes when security issues are present I forget to talk nicely with people.


Greetz from Romania

Purusothaman Ramanujam
A good analysis from the SEO point of view. I am sure the Oxwall Team is working hard to make it better, and they will.

The major problem is that people won't get any support or help with Oxwall in this forum. I have never got a reply from an Oxwall expert in this forum. The only exception is that I got a reply from Sardar after 2 weeks.

This is the important thing to be sorted out to make Oxwall better.
Den (Team) May 17 '12

First of all, I would like to thank DudeHeyDude for an objective and reasonable Oxwall review. It's a good way to indicate issues, and a rare chance for our team to see the product from outside the camp.


1. Yes, if the admin allows users to customize their profile, then a potential XSS attack can be performed. The main reason for allowing JS code is the big demand for the ability to use third-party widgets provided by popular web services (gadgets, music players, etc.). But we are investigating a third solution which could satisfy both sides.


2. I believe search engines have become smarter than they were a few years ago. Nowadays such things as a good keyword policy, site content management and faster page loading give a lot more real results in an SEO strategy than downsizing the JS code on a page. But this is disputable for sure.


3. This is a useful and customary ability in a modern CMS. But it isn't as critical as it may seem. The more important thing at first is to allow suspending/deleting illegal user content and notifying the user about it. But the admin/moderator still should have the ability to change user data directly. That's why we decided to implement it later, but in a more useful way. We are in the process of doing that :)


4. The same


5. I would be really grateful if you could describe your point in detail. What changes did you try to perform, and what files did you have to change?


Thanks everybody for participation.

The Forum post is edited by Den May 17 '12
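DudeHeyDude's first point (sanitize the active content in user-customized profiles) and Den's reply (JS is allowed so that users can paste third-party widgets) describe the same trade-off. As an added illustration, not Oxwall's own code (Oxwall is PHP; this is standard-library Python so it runs anywhere), here is what "sanitize" means in practice: rebuild the user's markup against an allowlist instead of trying to blacklist the payloads on the cheat sheets. The allowlist, the attribute policy and the sample payloads are constructed for this example.

```python
# Allowlist HTML sanitizer for user-supplied profile markup (added example).
# Not Oxwall code; the policy below is constructed for illustration. A real
# deployment should feed the same policy to a maintained sanitizer such as
# HTML Purifier (PHP) or DOMPurify (browser) rather than hand-roll one.
from html import escape
from html.parser import HTMLParser

# tag -> attributes that may survive. Anything not listed (script, style,
# iframe, object, on* handlers, style="", srcdoc, ...) is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}   # element bodies that must never reach output


def safe_url(value):
    """True for http(s)/mailto or plain relative URLs; every other scheme is rejected.

    Browsers ignore tabs/newlines/control chars inside a scheme ("java\tscript:"),
    so strip them before deciding. Entity-encoded tricks (&#106;avascript:) are
    already decoded by HTMLParser before the value reaches us, so they fail too.
    """
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    if cleaned.startswith(SAFE_SCHEMES):
        return True
    # Relative path only: no scheme at all and not protocol-relative (//host/...).
    return ":" not in cleaned and not cleaned.startswith("//")


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from scratch, emitting only allowlisted markup.

    Unknown tags are dropped but their text is kept (re-escaped); <script> and
    <style> bodies are discarded entirely. Output is re-balanced so an unclosed
    <b> from one profile cannot leak into the rest of the page.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:            # HTMLParser lowercases names for us
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                     # drops onerror=, style=, unknown attrs
            if name in URL_ATTRS and not safe_url(value):
                continue                     # drops javascript:, data:, vbscript:
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_stack:
            return
        while self.open_stack:               # close anything left open inside it
            top = self.open_stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped, always

    def result(self):
        self.close()                         # flush any buffered trailing text
        while self.open_stack:               # balance whatever the user left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed payloads of the kind the cheat sheets cited in the thread list.
    for payload in ('<img src=x onerror=alert(1)>',
                    '<a href="&#106;avascript:alert(1)">profile</a>',
                    '<p>hi<script>document.cookie</script>there</p>'):
        print(repr(payload), "->", repr(sanitize(payload)))
```

The check a practitioner should take away is the direction of the policy: the sanitizer never asks "is this dangerous?", it asks "is this on the list?", so a new bypass from the cheat sheets only matters if it slips through an allowed tag and attribute. The caveat is the one Den raises: if the feature exists precisely so users can paste third-party widgets, no sanitizer can let arbitrary script through safely; the usual way to keep both sides happy is to render such widgets in a sandboxed iframe served from a separate origin, outside the profile page's document.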
Purusothaman Ramanujam
Google has been smarter than other search engines in terms of ranking search results based on load time, number of pingbacks, top-quality links and more.

But it still considers friendly URLs a major point for good site ranking, which is not the case with Oxwall (inbuilt feature not available).

If not with google, at least it should be friendly for humans.
Masgan Feb 19 '15
How do I change the admin URL of Oxwall? For security: not www.mysite.com/admin, but www.mysite.com/custom_url.
ross (Team) Feb 19 '15
Masgan, you need to create a separate post with your request, as your request has nothing to do with the topic. This is a custom code modification. You need to create a post here: http://www.oxwall.org/forum/117