Ravens PHP Scripts: Forums
 

 

thomcube
New Member


Joined: Aug 24, 2005
Posts: 1

Posted: Wed Aug 24, 2005 7:01 am

Hi all,

I'm thinking of re-doing my entire website and wanted to use PHP-nuke again instead of Postnuke. Postnuke has too many bugs imho, and I always liked PHP-nuke before.

But recently I am reading different stories about security issues in the version 7.7 and 7.8.
Are these issues already resolved? Will they ever get resolved?

So what version would you recommend? Use the 7.8 and the patches from chatserv. Or use 7.6 (of course also with the patches)?

If you feel that the best way to go is 7.6 what about the bugfixes in the 2 newer releases then?

Also, are there any other patches I should use? Besides the chatserv patches and NukeSentinel?

Thanks in advance for all replies.

/ThomCube
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Wed Aug 24, 2005 7:41 am

Welcome!

A WYSIWYG editor is included in versions 7.7 and 7.8. In order to make this work (it requires extensive HTML tags), the bad HTML checking function was removed from these versions, opening them up to scripting attacks. Hopefully, the checking will be replaced in future versions (it's possible to have both a WYSIWYG editor AND safe HTML!).

Version 7.6 with the latest patch from Chatserv and NukeSentinel is the current recommended version. Other addons, tweaks may be required depending on what you want...

_________________
I google, therefore I exist...
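
An added example, not part of the original post and not PHP-Nuke's code: a minimal allowlist filter of the kind described above, which keeps the formatting tags a WYSIWYG editor emits while dropping scripts, event-handler attributes and links that are not absolute http(s) URLs. The tag list and function names are assumptions, and it is written for current PHP with the DOM extension.

```php
<?php
// Added example: allowlist HTML filter. Names and tag list are hypothetical;
// this is not PHP-Nuke's own checking function.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'u' => [], 'em' => [], 'strong' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'a' => ['href'],
];

function clean_node(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                       // text is escaped again by saveHTML()
        }
        $tag = strtolower($child->nodeName);
        if (!$child instanceof DOMElement || !array_key_exists($tag, ALLOWED_TAGS)) {
            $node->removeChild($child);     // script, iframe, comments, unknown tags
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            // href is the only listed attribute; require an absolute http(s) URL
            $keep = in_array(strtolower($attr->name), ALLOWED_TAGS[$tag], true)
                && preg_match('#^https?://#i', $attr->value) === 1;
            if (!$keep) {
                $child->removeAttributeNode($attr);
            }
        }
        clean_node($child);
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    // @ silences parser warnings about malformed or unknown markup
    @$doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>', LIBXML_NONET);
    $body = $doc->getElementsByTagName('body')->item(0);
    $out = '';
    if ($body !== null) {
        clean_node($body);
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
    }
    return $out;
}

// Constructed input: editor-style formatting mixed with markup that must not survive.
echo sanitize_html('<p onclick="x()">Hi <b>all</b> <a href="javascript:x()">a</a>'
    . ' <a href="http://example.com/">b</a><script>x()</script></p>'), "\n";
```

Disallowed elements are removed together with their contents, so the filter fails closed when it meets a tag that is not on the list.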
 
highlanddesigns
New Member


Joined: Aug 25, 2005
Posts: 15

Posted: Wed Aug 24, 2005 11:54 pm

Oh man I just installed 7.8 with Chatserv patch and was about to install NukeSentinel when I read the readme and it said use 7.6.

Should I downgrade? If so can I use the database I have running on 7.8?


Edit** Hello :) Sry for not starting out by saying hello. How rude!!!
 
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Thu Aug 25, 2005 3:14 am

Heh! Gawd, when this question comes up, I feel like such a rabid PHP-Nuke fundamentalist...

Look, I'm running 6.5 Final, patched and mod'ed, and I'm doing just fine, thank you! I administrate some of the biggest PHP-Nuke sites in the world, but so what? Maybe I'm just lucky. Maybe I'm smart, or maybe I'm really a dumb s___ in reality. Who knows? So, take my opinion for what it's worth. Your call...

Do I recommend you go the 6.5 route? No! I suggest you go the 'secure' route, and to that mean, it really doesn't matter which version you use, as long as it's 'secure'. That's the way I feel...

Having said that, as stated above, for most ppl, PHP-Nuke 7.6 is the way to go, for now. Put another way, unless you know what you're doing 'security-wise' - unless you are prepared to take the bull by the horns, so to speak - you'll be better off running PHP-Nuke 7.6, than 7.7-7.8. Why? Because 7.7-7.8 has more potential for 'security' problems, or so 'they' say...

Then, again, maybe YOU will get lucky and nobody will ever attack your web site, in which case, it doesn't matter which version you are running.

I guess it's a crapshoot of sorts... Personally, I would suggest you settle into a version - any version - and harden it as much as you can, if you're truly worried about 'security', and not simply keeping up with the Joneses. However, the prevailing logic, at this point, dictates that PHP-Nuke 7.6 is the way to go. I know this from reading the threads on various sites, not personal experience. For all I know, this is paranoia rearing its ugly head. I can't really say I've heard of anybody running 7.7-7.8 being hacked because of the WYSIWYG editor (it certainly isn't a trend, at present) but I suppose it's possible, given the track record of PHP-Nuke... ;)

_________________
.:: "The further in you go, the bigger it gets!" ::.

kguske
Posted: Thu Aug 25, 2005 5:13 am

There is a downgrade script that allows you to convert your database back to 7.6 and copy over all the 7.7-7.8 files. Look for it at [link hidden from unregistered users]
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Thu Aug 25, 2005 12:27 pm

well the best thing i like about postnuke are the themes,they look great...well the ones ive seen anyway..

And Vin...
why am i not that surprised that you're still on the 6.5 ?
I always thought that was the best version ever....
I always used it and thought the 7.6 was the best candidate to upgrade..
But Vin,as you write...
Quote:
I'm running 6.5 Final, patched and mod'ed, and I'm doing just fine

If you've taken care of your 6.5 like that then it isn't really a 6.5 anymore...... :)
But as far as my personal opinion goes...i would never recommend the 7.7 or 7.8 to anyone,not in a million years...
 
highlanddesigns
Posted: Thu Aug 25, 2005 9:29 pm

Thanks for the advice. I am kind of new to Nuke/php as I have until now worked only with ASP. I have built many sites from small to large ecommerce. Not once (touch wood) have I ever had a site of mine hacked. I know it happens just like a car accident - if it is your time it's your time.

I took your advice and went back to 7.6. I am now running 7.6 with 2.0.17 and 3.1 patch. Other than NukeSentinel can you advise on any further security measures I may need to make? I will try to keep up with the security stuff :)

Thanks for a great forum.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

Posted: Thu Aug 25, 2005 10:16 pm

highlanddesigns wrote:
Other than NukeSentinel can you advise on any further security measures I may need to make? I will try to keep up with the security stuff.


Yeah, install only modules / add-ons from reputable sources like those here, NukeScripts and others. For each module/block/etc. you add, it opens up the potential for poor coding or mistakes on the part of the coder (me included).

Luckily, if you ensure that all new modules and blocks are making sure they cannot be run outside of Nuke (standalone), then Sentinel goes a long, long ways towards helping to stop the common exploits. Regardless, though, there is no substitute for knowledgeable coders producing good, secure code (or write your own modules and don't expose your code to the "world")...

montego
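
An added example, not part of the original post and not code from PHP-Nuke or NukeSentinel: a heuristic audit that lists module and block files with no standalone-access guard near the top, which is the property described above. The guard patterns (constants such as `MODULE_FILE`, or an `eregi()` test on the script name) are assumptions; adjust them to the check your patched version uses.

```php
<?php
// Added example (not part of PHP-Nuke or NukeSentinel). The guard patterns are
// assumptions: adjust them to the check your patched Nuke version actually uses.
const GUARD_PATTERNS = [
    '/defined\s*\(\s*[\'"](MODULE_FILE|BLOCK_FILE|ADMIN_FILE)[\'"]\s*\)/',
    '/eregi\s*\(\s*[\'"][\w.-]+\.php[\'"]\s*,\s*\$(_SERVER|PHP_SELF)/',
];

// Return the PHP files under $dir whose first $window lines contain no guard.
function find_unguarded(string $dir, int $window = 25): array
{
    $missing = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $lines = file($file->getPathname()) ?: [];
        $head = implode('', array_slice($lines, 0, $window));
        $guarded = false;
        foreach (GUARD_PATTERNS as $pattern) {
            if (preg_match($pattern, $head) === 1) {
                $guarded = true;
                break;
            }
        }
        if (!$guarded) {
            $missing[] = $file->getPathname();
        }
    }
    sort($missing);
    return $missing;
}

// Constructed demo tree: one guarded module, one block that runs standalone.
$base = sys_get_temp_dir() . '/nuke_guard_demo_' . uniqid();
mkdir("$base/modules/News", 0700, true);
mkdir("$base/blocks", 0700, true);
file_put_contents("$base/modules/News/index.php",
    "<?php\nif (!defined('MODULE_FILE')) { die('Access denied'); }\n// module body\n");
file_put_contents("$base/blocks/block-Extra.php",
    "<?php\n\$content = 'runs even when requested directly';\n");
foreach (find_unguarded($base) as $path) {
    echo "no standalone guard: $path\n";
}
```

A match only shows that a guard-like line exists, so flagged files are the ones to read first, not the only ones to review.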

VinDSL
Posted: Fri Aug 26, 2005 4:00 am

highlanddesigns wrote:
Other than NukeSentinel can you advise on any further security measures I may need to make?

I put this near the top of my '.htaccess' file...
Code:
#Offers protection during hacking attempts by NOT displaying
#error messages, server paths, and turns off your globals.
php_flag display_errors off
php_flag register_globals off

I also run my 'config.php' file outside the web path. The only reason I do this is in case PHP crashes - so ppl won't be able to look at my password[s], and so forth. LoL! Yes, I've seen this happen, to someone else, after a botched PHP upgrade. Made me a believer!

This widely published page explains all this, and more, but most ppl either haven't read it, or don't pay it any heed... ;)
[link hidden from unregistered users]
 
highlanddesigns
Posted: Fri Aug 26, 2005 4:17 am

Thanks VinDSL.

If I put my config outside of my directory my forum admin goes blank. Did not do that until about 2.0.16.

As for the link to the security measures believe it or not I have already been there :) This is also the same as from FB's site right?

Anyway thanks again for the advice
 
hitwalker
Posted: Fri Aug 26, 2005 4:18 am

ah thanks for the reminder.
long ago i had config placed in Timbuktu,but when changed to 7.6 i forget that..
 
VinDSL
Posted: Fri Aug 26, 2005 4:19 am

BTW, one thing I might mention...

If you decide to run 'config.php' outside your web path, you need to tweak 'mainfile.php'. This is often overlooked and, if you'll pardon the pun, the root cause of much grief when attempting to move 'config.php' out of harm's way.

This is what the section in question looks like in my 'mainfile'. (I run my 'config.php' file one directory above 'root')

Code:
if ($forum_admin == 1) {
    require_once("../../../../config.php");
    require_once("../../../db/db.php");
} elseif ($inside_mod == 1) {
    require_once("../../config.php");
    require_once("../../db/db.php");
} else {
    require_once("config.php");
    require_once("db/db.php");
    /* FOLLOWING TWO LINES ARE DEPRECATED BUT ARE HERE FOR OLD MODULES COMPATIBILITY */
    /* PLEASE START USING THE NEW SQL ABSTRACTION LAYER. SEE MODULES DOC FOR DETAILS */
    require_once("includes/sql_layer.php");
    $dbi = sql_connect($dbhost, $dbuname, $dbpass, $dbname);
}
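
An added example, not part of the original posts and not PHP-Nuke code: an alternative to the per-branch relative paths that resolves `config.php` to one absolute path, checks that the file really sits outside the web root, and reports whether the two `.htaccess` directives from the earlier post took effect. It assumes `mainfile.php` lives in the web root with `config.php` one directory above it; the function names and the temporary demo layout are hypothetical, and it is written for current PHP.

```php
<?php
// Added example, not PHP-Nuke code. Function names and demo layout are hypothetical.

// Absolute path to config.php one level above the web root. Independent of the
// working directory, so forum admin, modules and index all resolve the same file.
function locate_config(string $webRoot): string
{
    $root = realpath($webRoot);
    $config = $root === false ? false : realpath(dirname($root) . '/config.php');
    if ($config === false || !is_readable($config)) {
        throw new RuntimeException('config.php not found above the web root');
    }
    return $config;
}

// True when $file resolves to a path under the web root, i.e. one the server could serve.
function is_web_reachable(string $file, string $webRoot): bool
{
    $file = realpath($file);
    $root = realpath($webRoot);
    return $file !== false && $root !== false
        && strpos($file, $root . DIRECTORY_SEPARATOR) === 0;
}

// The two .htaccess directives from the post, as this PHP process actually sees them.
function risky_ini_settings(): array
{
    $risky = [];
    foreach (['display_errors', 'register_globals'] as $name) {
        $value = strtolower((string) ini_get($name));   // '' if the directive is gone
        if (in_array($value, ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true)) {
            $risky[] = $name;
        }
    }
    return $risky;
}

// Constructed demo layout: <tmp>/config.php and <tmp>/public_html/modules/Forums/admin
$base = sys_get_temp_dir() . '/nuke_cfg_demo_' . uniqid();
$web = "$base/public_html";
mkdir("$web/modules/Forums/admin", 0700, true);
file_put_contents("$base/config.php", "<?php \$dbname = 'constructed';\n");
chdir("$web/modules/Forums/admin");       // the case where relative paths go wrong
$config = locate_config($web);            // in mainfile.php: locate_config(__DIR__)
require_once $config;
printf("config: %s\nweb reachable: %s\n", $config, is_web_reachable($config, $web) ? 'yes' : 'no');
printf("risky ini settings: %s\n", implode(', ', risky_ini_settings()) ?: 'none');
```

Run the ini check through the web server rather than the command line, since `.htaccess` settings only apply to requests Apache handles.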
 
VinDSL
Posted: Fri Aug 26, 2005 4:20 am

highlanddesigns wrote:
Thanks VinDSL.

If I put my config outside of my directory my forum admin goes blank...

Heh! See the above post... ;)
 
hitwalker
Posted: Fri Aug 26, 2005 4:22 am

weird...all works fine for me..
 
VinDSL
Posted: Fri Aug 26, 2005 4:26 am

hitwalker wrote:
weird...all works fine for me..

Yeah, the problem crops up when you try to access your admin panel[s]. Otherwise, everything runs fine...
 
hitwalker
Posted: Fri Aug 26, 2005 4:29 am

admin panel.....?
well like i said ,all works fine..
So i guess this only relates to certain versions...?
 
VinDSL
Posted: Fri Aug 26, 2005 4:32 am

Oops! Oh, yeah...

Some programs, like my Bandwidth Meter, require that you tweak the path to 'config.php', by adding an extra '../' to it.

It's a hassle, but worth the effort, IMHO...
 
VinDSL
Posted: Fri Aug 26, 2005 4:33 am

hitwalker wrote:
admin panel.....?
well like i said ,all works fine..
So i guess this only relates to certain versions...?

Did you try your forum admin panel too?
 
hitwalker
Posted: Fri Aug 26, 2005 4:39 am

yes,i have full access to my forums-admin panel,and can see every part of the admin...
 
VinDSL
Posted: Fri Aug 26, 2005 4:45 am

hitwalker wrote:
yes,i have full access to my forums-admin panel,and can see every part of the admin...

Good!

All's well that ends well, yes? :D
 
hitwalker
Posted: Fri Aug 26, 2005 4:51 am

well i think that keeping everything clean helps..
 
highlanddesigns
Posted: Sat Aug 27, 2005 2:32 am

I will try those changes. Thanks again :)
 
roadlesstraveled
New Member


Joined: Jul 11, 2005
Posts: 10

Posted: Fri Nov 25, 2005 10:03 am

I keep hearing about all of these "POTENTIAL" issues with 7.7 and 7.8

I just upgraded to 7.8, running Sentinel 2.4.2, have the main configs in different folders and have pretty much done everything I possibly can to secure the site short of shutting it down.

As stated above, if a script weenie is going to get you they will; nothing will stop them if they want in. Nothing you or anyone here is going to be able to do anything about it. Just keep backups and change your passwords often.

One final note, I don't write code but I break it for a living, one thing I take to my job is this and it never fails me:

Never Underestimate!
The Enginuity of an Idiot

My Engineers hate me, I give them so much grief but it makes them think about what they are coding. Anyone can break a system.

For me, I am staying at 7.8, I have a modded site that would be a disaster if I downgraded to 7.6.

All I want is to get my banners working again in 7.8. I have narrowed it down to the language file and from there who knows.
 
Quake
New Member


Joined: Feb 02, 2005
Posts: 12

Posted: Tue Nov 29, 2005 3:56 am

I recommend Nuke-Evolution at nuke-evolution.com
 
All times are GMT - 6 Hours
 