Ravens PHP Scripts: Forums
 

 

HauntedWebby
Involved



Joined: May 19, 2004
Posts: 363
Location: Ogden, UT

Posted: Sun Jun 20, 2004 1:19 pm

I find many scripts on the net that I would love to have on my site. There is some really fun stuff out there. But I'm so scared of hackers or that the script writer is putting something secret in there that I don't know about and wouldn't want happening on my site. So I don't dare use any of them.

Has anyone put together a list of "safe" sites/programmers/scripts to use? or "un-safe" ones?

I sat and read about Raven for 2 months before I felt warm and fuzzy enough to install any of his scripts on my site (glad I did) ... now he's hosting me :)

I don't know enough (yet) about PHP to check scripts myself.

_________________
--Webby-- 
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

Posted: Sun Jun 20, 2004 2:52 pm

We've discussed this a few times. I don't think any of us are comfortable with actually saying this is certified safe, because it's almost an invitation for folks to really hammer on something until it falls apart.

PostNuke attempts to make this work by creating their own API, so to speak. For access to the database, etc... everything is supposed to be created standards compliant and use the PN security model that's built in. We see PostNuke developers blow much about how most of the recent hacks on it have been to older non-updated or third party modules. It sounds nice in theory but it's almost an open invitation to prove them wrong.

All that's well and fine, but they got so far away from the average user that it's become hard for anyone but experienced PHP developers to create addons anymore. It shouldn't have to be so complicated IMHO and in reality it's not. They (so far) just write documentation for programmers, which flies right over the head of most novices.

Which is why everyone hasn't jumped ship from phpnuke to PostNuke, much to the PostNuke community's surprise. People want something that is easy to personalize and expand to meet their own needs. Not something they have to study in depth php/mysql for 3-6 months to be able to add on a few simple custom applications.

Anyway I think that even to have a blacklist forum would be non-productive. Because if there is something that is out there and it's insecure there are folks who are willing to help make it so. But it's hard to offer help when it's not asked for. But you are wise to be cautious because there are weak mods out there but the only way to identify them is to put them on a test site and start checking them out.

The two most common errors are not filtering form input before using it and not adding sufficient checking to variables used in and out of mysql queries. Even forgetting to add quotes around variables opens a potential door for an attacker.

Your present "standard" of finding and using scripts put out by reliable experienced coders is about as good as it gets and more than most take the time to do.

Off the top of my head I'd have to say that folks who are associated with Raven's site here, NSN family and the NukeResources family are going to be around to fix things if they are broken. Not to say every download listed on those associated sites is safe but that ones offered by those "Community Pillars" should be more likely to be safe and supported to a higher degree than those that are just quick released to get a few thousand hits off phpnuke.org etc...
 
View user's profile Send private message
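Added example, not part of the original thread and not code from any of the posters or from PHP-Nuke/PostNuke: the two errors named in the post above (unfiltered input, and a variable placed unquoted in a query) shown next to a filtered, parameterized version. The `stories` table, its columns and the function names are hypothetical, the inputs are constructed, and it assumes PHP with the PDO SQLite driver so that it runs without a database server.

```php
<?php
// Added illustration; table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (sid INTEGER PRIMARY KEY, title TEXT, approved INTEGER)');
$db->exec("INSERT INTO stories VALUES (1, 'Welcome', 1), (2, 'Unreviewed draft', 0)");

// The pattern the post warns about: an unfiltered, unquoted request value
// spliced into the SQL text, so the value is parsed as SQL, not as data.
function story_titles_unsafe(PDO $db, $sid): array
{
    $sql = "SELECT title FROM stories WHERE approved = 1 AND sid = $sid";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: filter the input to the expected type, then bind it as a
// parameter so it can never change the structure of the query.
function story_titles_safe(PDO $db, $sid): array
{
    $sid = filter_var($sid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($sid === false) {
        return [];   // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT title FROM stories WHERE approved = 1 AND sid = :sid');
    $stmt->bindValue(':sid', $sid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample inputs, standing in for a request value such as $_GET['sid'].
$inputs = ['1', '2', '1 OR 1=1'];
foreach ($inputs as $in) {
    printf("%-10s unsafe=%s safe=%s\n", $in,
        json_encode(story_titles_unsafe($db, $in)),
        json_encode(story_titles_safe($db, $in)));
}
```

When reviewing a third-party module on a test site, the first function's shape (a request variable interpolated straight into a query string) is the thing to search for.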
HauntedWebby







Posted: Sun Jun 20, 2004 3:07 pm

I wouldn't want to see a "black list" list. Because there are so many variables that just because it didn't work on my site with all my stuff doesn't mean that it wouldn't work on someone else's site with different stuff :) I'd like to know what everyone else is using and how they like it :)

BTW ... I tried the Fancy Newsletter from here and it didn't send out the Newsletter like it was showing (sent in plain text instead of HTML with template). But I really like the idea :D
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Mon Jun 21, 2004 5:14 am

HauntedWebby wrote:
BTW ... I tried the Fancy Newsletter from here and it didn't send out the Newsletter like it was showing (sent in plain text instead of HTML with template). But I really like the idea :D

If you are having problems with a download advertised here, please do at least 2 things. First, make sure you have contacted the author's web site and you have the latest version. Downloads written by anyone other than myself are only kept up-to-date by the author, not me. While there, please post the problem in an appropriate forum or see if the problem has been reported and resolved. Second, try posting the problem here, as someone else may have resolved it. If neither attempt resolves the problem, let us know and we will look at whether or not to keep the article/download available. I will not keep outside downloads from authors who no longer support their product.
 
HauntedWebby







Posted: Mon Jun 21, 2004 9:16 am

Raven wrote:
If you are having problems with a download advertised here, please do at least 2 things. First, make sure you have contacted the author's web site and you have the latest version. Downloads written by anyone other than myself are only kept up-to-date by the author, not me. While there, please post the problem in an appropriate forum or see if the problem has been reported and resolved. Second, try posting the problem here, as someone else may have resolved it. If neither attempt resolves the problem, let us know and we will look at whether or not to keep the article/download available. I will not keep outside downloads from authors who no longer support their product.


I'll go through it again with the new site. Maybe it was just a conflict with something I had. :)
 
All times are GMT - 6 Hours
 