Standing up for nuke

Regular Joined: Oct 17, 2005 Posts: 51

Well, I am so tired of people talking so much crap about nuke. Security sites, even the one I work at give nuke a bad name, tell people to never use them. Ive tried to tell people time and time again nuke can be secure and Ive even challenged security pros and hackers to exploit some of my 7.6 test sites and they failed but that still doesnt stop the talk. Therefore I printed a news article about Nuke Development sites like this one and others who provide nukers alternatives for security. Check it out and I also posted some links to this site and a few others. So hopefully we can destroy this illusion about no nuke site being secure.
Anyone wants their link removed or thinks I need to change anything let me know, a lot of people will read this. I was just trying to point people in the right direction.
[ Only registered users can see links on this board! Get registered or login! ]

Posted: Thu Oct 27, 2005 6:22 pm

I would merely point out that in addition to 7.7 - 7.9 not being secure, there are many other problems with those versions as well. Primarily that the TinyMCE WYSIWYG editor was not properly integrated and the modules that use it are also improperly coded. Thus, while 7.7 on are considered to be highly insecure (regardless if you run NukeSentinel or not) there are many other reasons why nobody should use them including (in the case of 7.9) a default incompatibility with some legacy nuke blocks and modules.

Finally, I would simply say that I don't run to defend Nuke. I don't think any of the comments made about Nuke are wrong at all, but rather I think they (for the most part) are right on target. If Mr.Burzi would actually incorporate the fixes that have been developed over the past 2 years or would listen to the community of developers and bug fixers, these security issues could have been laid to rest as far back as version 6.9. Instead he chooses to develop in a vacuum and to ignore the pleas of the community to standardize and stabilize the solution. Thus, we are left with a very insecure CMS with thousands of bugs (literally).

If not for the efforts of a very select few (Okay, Chatserv, Bob, Raven and a few others) there would probably be no Nuke as who would actually run a CMS that can be hacked in less than 10 minutes without these patches and add-on security solutions?

This is why I wanted to admit that yes, Nuke stinks up a room security wise, but more importantly the primary developer is the reason why this is so.

While I would never run a domain without NukeSentinel, it should be pointed out that many of NukeSentinels' functions should be baseline, but Mr. Burzi's practice of ignoring security issues has forced the development and evolution of NukeSentinel over the past year by a very specific community. That team has probably spent more time working on NukeSentinel than Mr. Burzi has ever spent on baseline Nuke, so yeah... it shows. Go figure.

Just my 2 cents.

Steph

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

j_felosi,

I think you have done a good thing. Will it accomplish anything? I don't know. This very topic is one that I and many others have gone head-to-head about, albeit in the spirit of debate and not attack. Some believe you should throw the baby out with the bathwater and others believe, well, others believe in more viable options. My frustration has always been and continues to be, the fact that FB will not avail himself to the better and more secure code. Or, when he does, he has often pilfered it without giving credit. Therefore he heaps more condemnation upon himself and his efforts. And his ego is just too big to accept responsibility and correct his wrongs. I and others have been unjustly accused of belittling the very product that is our bread-n-butter ROTFL

. Trust me - I would much rather be writing native systems than sending all this time on phpnuke. At the same time, I will continue to service the market that he has created, or at least advanced. It is quite amazing, as 64bit said or alluded to, that FB doesn't just incorporate the advancements into his base product and go from there. My goodness! They are proven and are GPL Laughing

. How much easier could it get? I personally believe he does not because he is either to proud to do it or he doesn't understand the logic. In any event, thanks for the mention in your article.

Posted: Fri Oct 28, 2005 1:58 am

Some interesting stats I figured up.
Everyday zone-h mirrors 25-30 phpnuke defacements on average
Not that it matters but I will add that it mirrors at least 100 phpbb
When exploits come out usually the stats will rise. Although I will say nuke defacements are on a rapid decline and most script kiddies have moved on to easier targets such as phpbb, php fusion, and e107.
Of all the nuke defacements I have mirrored and the mirrors I have viewed maybe 1% is patched and I have seen NONE with sentinel 2.40-2.42.
So obviously you guys are doing something right. But belive it or not, the majority of security proffesionals, webmasters, and other have no idea about patches and security modules available nor have many heard of nuke sentinel. If they have heard of these things they are either too lazy or not confident enough to perform the fixes.
From FB's track record it looks like 8.0 may be a script kiddy's dream come true. I just dont understand why the man doesnt try to get in contact or to work with all the people that's fixing his. I believe if the whole nuke community including FB and Techgfx got together we would have the best rock solid cms that ever existed. But pride will get em everytime.

Posted: Fri Oct 28, 2005 4:09 am

j_felosi wrote:

I printed a news article about Nuke Development sites like this one and others... Check it out... I was just trying to point people in the right direction...

Woo hoo! That's beautiful! You got 'brass ones', my friend!

I visit Zone-H from time-to-time, and I'm shocked that they published your article. Kudos to Zone-H too! I imagine there are 1000's of hackers with their jaws on the floor right now... ROTFL

You know, my site is attacked every day, and that's no kidding! I'm running a patched and mod'ed version of PHP-Nuke 6.5 Final, plus I run Coppermine Photo Gallery 1.1d, which is even bad-mouthed here on this site, and I haven't been defaced since the US attacked Iraq -- concurrent with my web host switching to MySQL 4.x in the middle of the night without warning. Let's just say, the Persians got lucky...

'We' all know what's going on, but sometimes that doesn't filter down to the body Nuke. Or, if it does, many may think their site won't get hacked because its so small and insignificant. They wait until after they've been hacked to 'look for alternatives'.

You have done a great service to the community! I had no idea Zone-H would publish such an article. My only concern is you have thrown down the gauntlet on the #1 biggest hacker site in the world, and these maggots enjoy a challenge. We'll see what the repercussions are...

I would say, anyone listed in that article should prepare for 'incoming'! Cool

Posted: Fri Oct 28, 2005 4:24 am

Well, I wouldnt have been able to run that article had I not proved its possible. I have 7.6 patch level 3.1 with sentinel 2.42 and I setup a test site just for the purpose of challenging the staff, people in the forum, and my friends to have at it. Whats even funnier, I had a 7.9 with sentinel they couldnt do anything with, but I still dont brag about the 7.9. Im all for testing and hey, if I do get defaced, big deal, Ill restore my sql and check my stats to see what string was used and then make it known to the development community to get a fix. But before this they used to always say, "you need to ditch nuke" and "It dont matter what you do to nuke, it can still be hacked by a 2 year old' So I told em to prove it, give it all they had. So I was basically guarnateed Id see my test site defaced within a day of the challenge. So two weeks and 50 sentinel emails go by and needless to say they was convinced. Which I did have ip lock on all the admin pages but they didnt even get to them anyway. Like I was saying before most security pros and even script kiddies dont know about NukeSentinel and the patches and they look at recent 7.9 patched exploits and they think "well if 7.9 patched can be exploited then surely 7.6 can.
I think some respect is gonna come to nuke and I dont think it will be targeted as much in the future. All of you guys have done a great job, and hopefully more nukers will get to it and secure theier sites so eventually we can get nuke off the map as an easy hack, and perhaps draw lots of attention away from php-puke.org and bring the support and attention where it belongs-the real nuke community that works their ass off to make nuke a secure and viable cms, we know who they are!
On another note though, I would like to point out that zone-h is primarily a security site even though they do support ethical hacking. Its mostly about stats and compiling all the information on whats attacked and comprimised most. I dont really think it will bring any attacks to anyone, but in the case that happend I would remove the links. Zone-H is a good resource for webmasters, but mostly server admins and they do print security suggestions when they can. But I understand where your coming from

Site Admin Joined: Jun 04, 2004 Posts: 6432

Unfortunately, that site might not be the best target market for the information. Sure, it will help the sites visitors better understand how to protect a Nuke site - but that isn't their interest, is it? As 64bit, Raven and others have said, it's even more unfortunate that the right target market for that information - Nuked-site webmasters - can't get that information OR the proper security code from the source - phpnuke dot org. I'd LOVE to see the response you'd get if you submitted that story to the source! Of course, I wouldn't hold my breath waiting or spend any time refreshing the email client...

Fortunately, when Nuked-site webmasters look for support (especially after their first defacement), they find great sites like [ Only registered users can see links on this board! Get registered or login! ] where they can find support (also not provided by the source site), [ Only registered users can see links on this board! Get registered or login! ] and [ Only registered users can see links on this board! Get registered or login! ] Hopefully, your article will help them find them sooner.

Posted: Fri Oct 28, 2005 9:32 am

First let me thank you for the plug. Smile

Its funny as a team we decided to not advertise our product at all really until we got to version 1, yet just by word of mouth we have been pretty popular (550 downloads of beta 2).

Is Nuke perfect?
No

Is standard Nuke secure?
Hell no

Is Nuke + Sentinel + Patches secure?
Kind of.
Basically given enough resources anything is possible.

Even now I know of a couple of ways to hack patched Nuke that I just fixed in Evo. The hole in which to do it is very small, and would be in very rare cases, but its still possible to do.

The point is that no matter how much work everyone puts into the product there are still going to be hole and issues. Its just a matter of fact with any product and being a website admin you HAVE TO contantly keep your site updated. I think that is the biggest problem current Nuker have, they do not understand nor respect that fact. They think they can just drop it in place and be lazy and not keep it updated. Plus I dont think many people know where to get the updates, they think FB will do it. ROTFL

Posted: Fri Oct 28, 2005 9:34 am

technocrat wrote:

Even now I know of a couple of ways to hack patched Nuke that I just fixed in Evo. The hole in which to do it is very small, and would be in very rare cases, but its still possible to do.

I trust that you have alerted Chatserv to this.

Posted: Fri Oct 28, 2005 9:39 am

No! Forget you all ROTFL

I always share security issues. Like I said its a very small hole that could only happen under VERY rare conditions. On a 1-10 of likelyhood this would be a 1 or 2.

Posted: Fri Oct 28, 2005 2:19 pm

Very cool, glad you put that there.

Now if we just had all the newbies downloading from FB's site or installing from Fantastico to read that..

phpNuke is like any software. There will be vulnerabilities, its not bulletproof. But there are precautions that people can take, and certainly keeping your sites updated is the best idea. Less sites would be hacked if their users would maintain them properly - its a proactive defense. Smile

Posted: Fri Oct 28, 2005 3:03 pm

Well, That sucks there was still a security hole but ya cant beat the ip lock on admin pages. I have found it impossible to do anything with it when the ip lock is on a few pages. Well, true there are some good and talented hackers out there, but they are not necessarily looking for a challenge. Most are script kids who want numbers and they will search google constantly for anyone who was lazy enough to leave "Powered by PhpNuke" in their preferences. Usually they will try a round of union attacks, then maybe an author attack or two, then if they have the 0days they will try a few xss exploits. I usually keep the pc killer templates on my site, I figured it wasnt hitting firefox hard so I added the integer overflow DoS exploit to abuse.htm and union.htm and needless to say if they hit that page in IE or Firefox they wont come back. But I think those templates got my last host suspended for running malicious software on the server so I havent added them to my new server yet.
Well Im sure everyone knows about this but if you really wanna throw a site to the script kiddies get a domain or subdomain and make your test site and leave "Powered by PhpNuke" in the preferences and leave the meta or change it around a lil to include that phrase. Set it up, give it a day or two for the bots to crawl and you will recieve at least 30 or more attacks a day.
I think whats hot now for the script kiddies is phpbb, I was mistaken when I said over 100 a day , I got to looking last night and it has to be at least 500 or more a day.

Tech: I wish you would release a version of that evo without the cz modules, that is the only reason I havent converted yet. They dont work good for me, modules just disappear. Im in the process now of trying to add that Modules Tweak for 7.6.3.1 but I messed it up somehow. Anyway, just a thought

Posted: Fri Oct 28, 2005 4:33 pm

Hi i_felosi
I have read your article 2 x. I agree with kguske.
This sentence in your article:

Quote:

"The version that is most highly reccomended among the nuke development community is the 7.6 version patch level 3.1. "

should be in every article about Nuke for Webmasters. A lot of newbies at warp-speed have never heard about nuke sentinel, never heard about the risk of nuke version 7.7. - 7.9 and it seems that many users doesn´t really know which version of nuke is recommendable. I´m not talking about phpBB because that´s another said story. Rolling Eyes