Ravens PHP Scripts: Forums
 

 

utssace
Worker


Joined: Feb 18, 2006
Posts: 155
Location: Virginia

Posted: Tue Aug 22, 2006 6:25 pm

My site is a RN site. I am RN all the way (Gaming Clan Site).

A family member is wanting a site for their small business. Sounds like the content will most likely be simple and static. No need for memberships, and registered users. They like the Joomla look. My concern is security. Nuke is more feature rich but may be overkill for what they want. Of course, I am open to exploring nuke options with them.

My aim is to get Nuker opinions (nukers rock) on the Joomla CMS, especially relating to security. If this discussion is not welcome here, I understand and apologize.

Thanks for any input Very Happy
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Tue Aug 22, 2006 7:09 pm

well no problem...
but for every need there's a cms... Laughing

because of content and more things that i wanna do my phpnuke database runs now on joomla.
But im still all nuke...

A whole new world opens when you use it...and there aren't any security issues..as long as you don't use vulnerable components or modules....
but that's the same as with nuke isn't it.. ?

With all i wanted to do the security backfired and i had to make choices...
so thats why i converted the whole stuff..
as far as i know of the whole joomla core is safe...
bad thing is the support,cause that is completely terrible...
they have the highest rate of topics with 0 replies..
so...as long as you dont have questions or whatever .....
Wink
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Wed Aug 23, 2006 6:03 am

Although I agree that Joomla is a fine CMS, it does have security issues like any other CMS. For example, the latest release is a security release.

Re: Joomla! 1.0.10 (from Joomla.org)
"All existing Joomla! users MUST UPGRADE to this version, due to several High Level vulnerabilities that affect ALL Previous versions of Joomla! "

Interesting point on support - I did not know it was that bad. I suspect it might be related to a huge influx of newbie users. Hopefully over time it will get better.

_________________
I google, therefore I exist...
 
hitwalker
Posted: Wed Aug 23, 2006 6:14 am

you're right kguske,

but even with the security warnings it's almost impossible to hack a joomla site, unless you ask for it..(vulnerable mods, components)
as for security, sentinel should be in nuke core and not built in as addon...
thats what i think anyway...
and because of the security your hands are tight more and more in doing great stuff with your site and any content you wanna offer/or write..

i have 5 joomla sites running(was mambo first) and thats for about 3 years now...
i never had any problems...

a plus is that you never have to edit files if you wanna install something...(well maybe once...)
Even FB once said that if he had to choose a cms it would be mambo..,but i guess he would choose joomla now..

as for support on the joomla, well all i see is a lot of 0 replies and moderators/core people that promote their commercial activities in the signature and don't do that much...
 
kguske
Posted: Wed Aug 23, 2006 8:47 am

Lots of things *should* be in the Nuke core...lol. But if you couldn't hack a Joomla site, why did they have a critical security release?

Not sure what you meant by having your hands tied or not being able to offer any content you want. Can you be more specific?

I definitely agree about not having to modify things to install. Makes it easier for everyone...as long as it's supported. I also agree that there are too many commercial addons and not enough open source addons, because, as you know, "open source matters."
Smile
 
hitwalker
Posted: Wed Aug 23, 2006 9:17 am

well im no diary person so i cant keep up with things that happen..
sentinel should be in the nuke structure, but now it has to be built in...
difference is,why doesnt joomla require such a huge protection like we need for nuke ?
as i understand its because joomla is written differently..
As with hands tied..
Because of security i cannot publish what i want that easily...
You have to use /install joomla to see the difference..
 
kguske
Posted: Wed Aug 23, 2006 10:27 am

I looked at Mambo a while ago. I've seen some of the changes that have been made to Joomla, but you're right - I should take a closer look. As for why it doesn't need the protection, I hope you don't find out the hard way...
 
hitwalker
Posted: Wed Aug 23, 2006 10:33 am

i hope so too...
but i keep an eye on everything....
and still have most spam/hack known countries banned...
but enjoy your tryout..
 
kguske
Posted: Wed Aug 23, 2006 10:39 am

The question is - when do you sleep? Sorry to get off topic, but man, you are all over the place! Keep up the good work...
 
utssace
Posted: Wed Aug 23, 2006 6:06 pm

Thanks guys. It will just be a learning curve for me to make.

I do agree that the support forums show a lot of unanswered questions.

2 things I've learned that make Joomla cumbersome...at least for me:

1) The craziest thing I've noticed is regarding permissions. In order to install templates/modules/extensions/whatever, you have to keep CHMOD'ing directories and files to make them writable @ 777, then CHMOD them back for security. I guess if you forget to tighten down a critical file/directory after an addon, you could easily get hacked.

2) Layouts are not as customizable as in Nuke. If my understanding is right, you have to find a template that already suits your layout (ie. left/right columns & main area)......unless you know how to recode the index & css files. Whereas, Nuke lets you add blocks wherever you want.

I tend to agree about making sentinel part of the core setup for nuke. That's one reason I switched from Nuke to RN because of the integration of the two. Plus, I trust the pros here to patch and make it right. A dream install and set up.
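
The permission drift described in point 1 of the post above can be checked mechanically. The following is an added example, not part of the original post and not Joomla or Nuke code: a shell audit that lists paths left world-writable under a web root and tightens them again. The function names and the sample directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find paths left world-writable after an add-on install.
# Function names and the sample tree are assumptions, not Joomla or Nuke code.

# Print every regular file or directory under $1 with the world-write bit set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable paths under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Exit status 0 if the tree is clean, 1 if anything is world-writable
# (suitable for a cron job or a post-install check).
audit_webroot() {
    [ "$(count_world_writable "$1")" -eq 0 ]
}

# Restore conventional modes, touching only the paths that were loosened:
# directories to 755, files to 644.
tighten_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Constructed sample: a tiny web root where an install left three paths open.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/components/com_example" "$root/templates/sample"
    touch "$root/index.php" "$root/components/com_example/install.php"
    chmod 755 "$root" "$root/templates" "$root/templates/sample"
    chmod 644 "$root/index.php"
    chmod 777 "$root/components" "$root/components/com_example"
    chmod 666 "$root/components/com_example/install.php"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
demo_root=$(make_sample_tree)
echo "before: $(count_world_writable "$demo_root") world-writable path(s)"
list_world_writable "$demo_root"
tighten_world_writable "$demo_root"
audit_webroot "$demo_root" && echo "after: clean"
rm -rf "$demo_root"
```

Running `audit_webroot` against the real web root after each install gives a non-zero exit status whenever a directory or file was left at 777 or 666.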
 
hitwalker
Posted: Wed Aug 23, 2006 6:11 pm

well you don't have to chmod it back, you cannot address the files itself (like index.php with nuke modules..)
and templates are easy....
just upload the folder into the templates folder and you're done..
that's the only one that allows the just upload...
all other things need to be installed...
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Wed Aug 23, 2006 7:17 pm

I have not tried Joomla..but I will soon in an XAMPP environment. I have to say, from looking over their site, and e107's...I like what I see. I'm not trying to start a flame war here, but here is what I have noticed after using PHP-Nuke for 6 months now on a live site.

One man seems to control PHP-Nuke's fate. And he is sloppy as h*ll. The code is awful. The code is buggy. It is up to a completely separate group of volunteers to pick up the pieces. These volunteers (Chatserv, Raven, Bob Marion, Evaders, the regulars here, etc, etc) are great, no scratch that, AWESOME, but correct me if I am wrong, they do not communicate with FB. Joomla and e107 have organized core teams to implement features and to design new features.

FB does not even have his own forum to get feedback and gather bug reports. Joomla and e107 have dedicated forums for support and feedback. Is he designing PHP-Nuke 8 in a vacuum? Will it be a big disaster like 7.9?

I haven't looked at Joomla or e107's code base yet....I'm curious to see if they have a better or cleaner architecture or coding style.

Don't get me wrong, I think PHP-Nuke is ground breaking and I sure have enjoyed myself hacking it and learning all about PHP and MySQL. Since becoming an admin 6 months ago, I have written 2 modules for my own site, several blocks, installed and maintained Sentinel, created my own theme, and upgraded my forums. It's not too bad after I have fixed several problems with the code. However I can't help but take a look at what others are doing...and it appears on the surface they are much more organized and have more of a plan for going forward. Who the heck knows what FB is going to unleash on us next?

I am very curious to see how Joomla, e107, and others compare to Nuke when it comes to:

Security
Creating custom themes
Creating Add-Ons (Modules, Blocks)
Managing Content and what they have out of the box for CM
Ease of installation
Ease of administration
How the forums compare to phpBB
Code architecture and coding style
 
kguske
Posted: Wed Aug 23, 2006 7:29 pm

I hear you, but would just point out that there isn't much use in having a team or support forums if there is no support.

One of the reasons why so much flexibility exists with Nuke is that it doesn't force extensive modifications for stuff to work with it. One of the benefits of Mambo / Joomla is also somewhat of a limiting factor: in order to develop a component, you have to make it compatible with the component model. That should improve consistently and definitely simplifies installation, but it's much more involved than developing a Nuke module. Frankly, that's why most of the addons are commercial - people want to get paid to do that much work!
 
Gremmie
Posted: Wed Aug 23, 2006 9:28 pm

kguske wrote:
I hear you, but would just point out that there isn't much use in having a team or support forums if there is no support.


True, but doesn't that send up warning flags? These other guys seem to have their act together. They have bug tracking systems in place! In public! For everyone to see! LOL. When I find a bug, I "report" it on some forum I am sure FB never looks at or even cares about. Open source works best when there is community input. I am surprised PHP-Nuke has prospered this long despite the seeming lack of interest from its main developer. That says a lot about you guys like Raven, Chatserv, Evaders, etc.

kguske wrote:

One of the reasons why so much flexibility exists with Nuke is that it doesn't force extensive modifications for stuff to work with it. One of the benefits of Mambo / Joomla is also somewhat of a limiting factor: in order to develop a component, you have to make it compatible with the component model. That should improve consistently and definitely simplifies installation, but it's much more involved than developing a Nuke module. Frankly, that's why most of the addons are commercial - people want to get paid to do that much work!


Interesting point. I will try to port my Nuke module to a few of these other systems and see what is involved first hand. Do you have any experience with developing components for these systems?

Sorry if this is drifting off topic or if I have hijacked the thread. Feel free to move it elsewhere.
 
kguske
Posted: Wed Aug 23, 2006 9:51 pm

This is an interesting discussion - I think everyone would agree it remains on the topic of another open source CMS.

Regarding the support forums: we obviously agree that phpnuke's official support is nonexistent and that's a problem. That's why we support RavenNuke and other distributions of phpNuke, and any and all modules, tweaks, enhancements, etc. that go with it. Although it isn't public, we use a bug tracker for RavenNuke. These forums are, in a sense, the de facto public bug tracker for RavenNuke. The development and support teams for RavenNuke are either active moderators here or frequent posters, and the key issues get translated into the official bug tracker.

It's usually a good idea to have a clearly defined road map - at least for the short term. PHP-Nuke's high-level surveys and "overviews" of what future releases may contain make me laugh. It reminds me of some commercial vendors...vaporware.

Open source definitely requires community input, but there can be problems with that as well. Take the predecessor for Joomla, for instance. Mambo is open source, but the community didn't make the key decisions - the sponsors did. So a group of key developers left to start Joomla. Already, one of the key developers has left Joomla. A similar issue happened with phpBB.

Raven and Montego try to strike a balance between community input and a wealth of experience and knowledge. I'm not saying the people don't know what's good for them, but sometimes it's difficult to see the big picture when all you're concerned about is fixing the problem at hand.

Which brings me back to the issue of support. If something isn't actively supported, it doesn't matter how great it works or how easy it was to install. If you can't count on it being able to change to do what you want tomorrow, you're back to the limiting factor hitwalker described earlier.

I haven't converted any Nuke modules to Mambo / Joomla extensions / components. But I did play around with linking Nuke to SugarCRM, using the Mambo integration as a model (there wasn't much interest in that, so it never went anywhere). Developing for Mambo seemed much more complicated than developing for Nuke, though admittedly I was much more familiar with Nuke. As I mentioned before, the component model enforces easy installation and may improve quality (though that's debatable), but it's a barrier to entry into that market (the commercial developers love that, for sure).
 
hitwalker
Posted: Thu Aug 24, 2006 5:14 am

nice continuance of the topic Gremmie, sure it's the topic utssace had in mind... Wink

personally i see mambo with its flaws as phpnuke, and i see joomla and ravennuke...
i didnt kick out phpnuke,i still run 2(private) nuke sites..,they wont be converted..
but its all about choices...
and @ kguske,joomla has a lot of mods components...and free,but still a lot of stuff is missing.
maybe its not requested.
but i also think that joomla has a different type of users,maybe im wrong...but thats how it looks to me...
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Thu Aug 24, 2006 1:07 pm

How I'd love to see a project running like Joomla's group. Sadly that won't happen with FB and phpNuke. Thus all the attempts at other distributions, forks, etc. As everyone in the Nuke community has their own ideas, it's been hard to get together to work on one project. We all have different goals in mind.

I have a personal preference for phpNuke. E107 I have tried, as well as Mambo/Joomla... can't say they are better or worse - just different.

kguske
Posted: Thu Aug 24, 2006 2:29 pm

Of course I'm biased, but I think the RavenNuke effort is as close to nirvana as I've seen in the Nuke world. I haven't been involved in other efforts (e.g. PNP, CPG-Nuke, Nuke Evo) but from appearances it seems that may be correct.
 
utssace
Posted: Thu Aug 24, 2006 6:34 pm

If it weren't for the Nuke support, I'd probably still be looking at a blank screen.

I started back in January this year with Nuke 7.8. Screw ups and getting hacked about 3 times. NukeCops was great then, but the support there started to diminish (key players stopped coming around). I figured something was up. Then I remembered a response that Evaders99 gave me one time on NukeCops about RavenNuke. I wandered over here and saw the light again.

Here is where the real support for nuke is. The pros are here. When I search a Joomla forum, it's not uncommon to find GREAT questions a month or two old with no responses. So for a dummy like me, that won't work...hehe
 
kguske
Posted: Thu Aug 24, 2006 9:27 pm

The only real dummies, IMO, are those that don't try to learn!

There are some great sites for Nuke ideas and support, though some have declined or disappeared over time. I didn't mean to imply that other distributions are bad. Many of the ideas for performance improvements and security came from djMaze (CPG-Nuke) and Technocrat (Nuke Evo) has contributed much in the way of forums mods and other Nuke improvements. What attracted me here was the quality and professionalism that seemed to surround Raven. There are some great people here!

What's really rewarding is to see people start out and get more involved over time - it's amazing how many different ways people contribute!
 
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

Posted: Thu Aug 31, 2006 6:40 am

Well after reading through everybody's comments on Joomla I thought I would do some research and I set up a test site.

My initial reaction was that it looked quite slick and reasonably easy to use.

The actual installation was very easy and the installer was good. No need to open a config file and edit the text, it's all run through the browser. It also runs a check before installing to check your server configuration is OK. Raven has done an excellent job on the installer for RavenNuke, but maybe this is something to be looked at for the future.

Like Kguske said installing modules is extremely easy and you can upload the module directly in a zip file without using any FTP software. Joomla unzips the file and installs it for you.

On the downside there does appear to be a hell of a lot of commercial products ie. modules, components and templates, but even the free products are of a good standard.

Support is very slow, sometimes you have to be patient, but for instance if you post a question here 95% of the time you get a response within an hour. I tried to install the Gallery 2 bridge for Joomla and hit a couple of snags, so I posted a query yesterday and I'm still waiting. I know most people have full-time jobs, but you can't beat the support you get here.

They do run a forum topic on vulnerable components, which is a good idea. It would be good to have something like that here, but I suspect it might be a long list.

There's loads more I could go into, but I'll save that for another time.

Jakec
 
evaders99
Posted: Thu Aug 31, 2006 11:03 am

The interface looks great and definitely easier for newbies. But actually creating code and modifying Mambo was tedious... I don't know if Joomla is the same way or not.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Fri Sep 01, 2006 8:33 am

Quote:

They do run a forum topic on vulnerable components, which is a good idea. It would be good to have something like that here, but I suspect it might be a long list.

Unfortunately, I have a feeling that you are correct. I think a lot of the problem is developers not staying active on their scripts and not updating them as new patch levels come out and new ways of securing things.

Something to consider, though... Forum that is where others in the community may contribute. But I shudder at the thought on how to moderate such a "beast".

kguske
Posted: Fri Sep 01, 2006 8:40 am

Maybe not... If a security issue is identified on a recognized Nuke support site, the vulnerability status could be changed without argument. Once the developers address the issue, the status would be changed. Basically, establish the rules, communicate the rules, follow the rules...reduces the number of issues.

The severity of vulnerabilities, of course, would be greatly debated - but isn't that debate what makes the community vibrant? Of course, it would increase the need for moderation...montego's point, maybe.
 
montego
Posted: Fri Sep 01, 2006 9:47 am

Personally, I have wanted to have a "Safe and Secure Add-Ons" service for a long, long, long time. Would be nice to have some way to "certify" add-ons, especially for RavenNuke, so that we don't have to spend so much time working through so many issues people have with other people's work!
 
All times are GMT - 6 Hours
 