Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Leomania
New Member
New Member


Joined: May 23, 2005
Posts: 10

PostPosted: Mon May 23, 2005 7:31 pm Reply with quote

A posting today by BobMarion on NukeScripts:

Quote:
Due to the high level of scripting and security issues that go hand in hand with phpBB and nuke I have closed the Forums and Private Messages modules.

I've been building up a site offline with a couple of partners that I hope to be a popular site eventually. As such, it may be all the more attractive a target for hacking. But I don't have Bob's technical abilities when it comes to security issues; it he can't keep on top of it, what chance to the rest of us have of keeping our phpBB-based sites up?

No intent to go off the deep end here; I'm genuinely interested in hearing what folks think of Bob's stated reason for closing the forums.
 
View user's profile Send private message
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Tue May 24, 2005 8:30 am Reply with quote

Bob's reasons are correct.

OpenSource means everyone can see it and everyone can find security issues. If a vulnerability is found the developers should fix the issue within 1-2 weeks and provide the fix to their customers.
Since FB cares less about this, you rely on Chatserv, Raven and Bob to provide the fixes.
Since they work and do this in their spare time and they run websites themselves to maintain, there will be no space left for holidays and beer.

To fix this, bob just turns off the security sensitive modules to gain more free time. There's nothing wrong with that.

Leomania wrote:
I've been building up a site offline with a couple of partners that I hope to be a popular site eventually. As such, it may be all the more attractive a target for hacking.

Shure it will, but what do you want to about it ?
Donate $1000 a month so someone can work on the system as day job ?
 
View user's profile Send private message Visit poster's website
Leomania
PostPosted: Tue May 24, 2005 9:38 am Reply with quote

Quote:
Since they work and do this in their spare time and they run websites themselves to maintain, there will be no space left for holidays and beer.

Hey, beer is important -- and I'll be among the first to say so. Still, if phpBB as part of PHP-Nuke is so insecure as to be a significant draw on his time, how would anyone else hoping to use the software be able to do any better?

The number of sites providing some levels of support for PHP-Nuke amazes me; I am doing my best to educate myself so I can make my site as secure as possible and prepare for a possible security breach. Still, there's far more than I can possibly know given that I too have a day job. So it's a bit unnerving to have a knowledgeable guy like Bob pull the plug on the forums.

I have seen some posts from people saying things like, "move your config.php, I'll find it within five minutes. Rename your tables, won't help one bit." I always thought it was bravado, but perhaps there are folks who know enough about the innards of Nuke and/or phpBB that it's legit, and I should just expect a hack at some point. Not a comforting thought.

Quote:
Shure it will, but what do you want to about it? Donate $1000 a month so someone can work on the system as day job?

Want? No, that wouldn't be what I would want to do. Contribute to the folks who help make the software more secure? You bet. I've contributed to chatserv, and need to follow up with some fundage for raven and Bob (and FB, whom I realize I have overlooked).

I understand that no software can ever be 100% secure, but perhaps the security situation is even worse than I had prepared myself for it to be; I guess I'm just bummed about it.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Tue May 24, 2005 10:37 am Reply with quote

Imo, there is no reason to be a fatalist about this Smile. Look at Only registered users can see links on this board! Get registered or login! when you get a chance. You will see applications and operating systems that are tried and true and yet, guess what? They continue to find security issues with them. You would have to turn your PC off permanently to be rid of any threat. My point? The older and more mature our applications get, the more stable they should become. Will they ever reach a no security issue stage? I can't say. But, I do know that by using NukeSentinel (shameless plug) and some .htaccess and Apache hardening, I honestly do sleep better at night. Other exploits can and WILL appear. We take it one day/hour/minute/second at a time and offer blood sacrifices as often as we can Wink


Last edited by Raven on Tue May 24, 2005 2:12 pm; edited 1 time in total 
View user's profile Send private message
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Tue May 24, 2005 10:48 am Reply with quote

Let me express something here, NukeScripts does not run on a pure PHP-Nuke system and hasn't since the early days. My site doesnt have a modules.php file for example. Becasue of all the "NSNized" fixes and tweaks, I have issues that are strictly exclusive to my site. Do not judge phpBB based solely on my locking them down.

phpBB has always been a thorn in my side when it comes to nuke, I have said it before and I'll say it again, PHP-Nuke should have never forced phpBB on the community. Chat does one hell of a job patching and securing the port but as a port it has inherint flaws that will cause issues. My problem and the reason for locking up the forums and private messages were they were/are breaking the rest of my site.

As for mr. burzi, let's just say he and I agree that we hate each other and leave it at that.

phpBB is a good system, so don't get me wrong, I just don't like it inside of nuke.

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
Leomania
PostPosted: Tue May 24, 2005 2:58 pm Reply with quote

raven wrote:
Imo, there is no reason to be a fatalist about this Smile

LOL... that wasn't where I was coming from, but I see why it looks that way. I had simply thought that phpBB wasn't so problematic as to require shutting it off for such a knowledgeable user.

BobMarion wrote:
Let me express something here, NukeScripts does not run on a pure PHP-Nuke system and hasn't since the early days. My site doesnt have a modules.php file for example. Becasue of all the "NSNized" fixes and tweaks, I have issues that are strictly exclusive to my site. Do not judge phpBB based solely on my locking them down.

Thanks for the clarification, Bob. That's the info that I was unaware of -- it explains the situation well; I get it now.

And thanks again for the time you both put into PHP-Nuke; were it not for the security updates and scripts you work so hard to maintain my sites would have been hacked long ago. It's been an education learning how to keep a site running with Nuke, but luckily I haven't been forced to learn the hard way yet. Wink
 
Raven
PostPosted: Tue May 24, 2005 11:30 pm Reply with quote

Bob has decided to put the Forums back on line. See Only registered users can see links on this board! Get registered or login!
 
Leomania
PostPosted: Tue May 24, 2005 11:41 pm Reply with quote

raven wrote:
Bob has decided to put the Forums back on line.

Thanks, raven. Just saw that a bit ago, and glad of it I am.

And talking like Yoda I seem to be... hmmm, anticipating Episode 3 I might be. Wink
 
BobMarion
PostPosted: Wed May 25, 2005 12:37 am Reply with quote

In the forums errors I found. Working on it all day I spent. Late tonite the forums reopened I did Smile

phpBB port I now do hate Bang Head
 
BobMarion
PostPosted: Wed May 25, 2005 12:41 am Reply with quote

hehehehe, watched episode 2 last nite i did!
 
Raven
PostPosted: Wed May 25, 2005 6:32 am Reply with quote

More obvious than an error in phpnuke, that is ROTFL
 
CurtisH
Life Cycles Becoming CPU Cycles


Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI

PostPosted: Wed May 25, 2005 8:11 am Reply with quote

It's stuff like this that really makes me appreciate you guys! I came here this morning in a rather foul mood (unrelated to the site) and after reading these last few posts I couldn't help but chuckle...and what do you know? My fould mood has gone. Thanks guys! Smile

_________________
Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe 
View user's profile Send private message Visit poster's website Yahoo Messenger
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©