IT Security and Insecurity Portal

PHP Nuke 7.7

Posted: Sun Jul 10, 2005 10:38 am
engagedb
Regular user
Joined: Jul 10, 2005
Posts: 7
Firstly, I'd like to thank WarAxe for providing us with this website, where he and many others have provided information that I've personally used to fix many holes I had no idea existed in PhpNuke, PhpBB, and others.
The reason I registered to post here is my concern about PhpNuke 7.7.
Numerous web sites and forums are complaining about its weaknesses, and none about its strengths; I figured maybe I'm looking in the wrong places.
I'm posting here to ask simply: are they just trying to bring this version into disrepute?
Where is the proof? Where is the truth? And most importantly, if they know SO many holes, where is the FIX?
... I guess my main question is: is PhpNuke 7.7 secure, or isn't it? I don't want to use it, or have my clients using it, if it is truly as bad as I read.
Thanks for your time, and keep up the great work.
(And another note: I read your post, WarAxe, about Francisco taking your fix and removing the credit. I agree he shouldn't have done it; I'd be equally angry.)

Posted: Sun Jul 10, 2005 12:51 pm
sp3x
Valuable expert
Joined: Feb 15, 2005
Posts: 10
The code is open, so there will always be some bugs...
There is no public script that is 100% safe.
PHPNuke is not secure... why? Because a lot of code in some places is weak... and I think the main problem of phpnuke is that they create filters for XSS and SQL injection that can be bypassed... OK, a filter is fine, but why do they also not use PHP functions... for example: addslashes or htmlspecialchars.
And another problem of phpnuke is that the phpnuke team ignores such bugs (for example XSS); they IGNORE the SECURITY in this script...
And for the fix you must wait a long time...
or write the fix yourself.
That is my opinion.

Posted: Sun Jul 10, 2005 2:51 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia
sp3x wrote:
> The code is open, so there will always be some bugs...
> There is no public script that is 100% safe.
> PHPNuke is not secure... why? Because a lot of code in some places is weak... and I think the main problem of phpnuke is that they create filters for XSS and SQL injection that can be bypassed... OK, a filter is fine, but why do they also not use PHP functions... for example: addslashes or htmlspecialchars.
> And another problem of phpnuke is that the phpnuke team ignores such bugs (for example XSS); they IGNORE the SECURITY in this script...
> And for the fix you must wait a long time...
> or write the fix yourself.
> That is my opinion.

Hmm, I don't agree with your statement about "the code is open so there will always be some bugs".
Closed programs also have them, even worse!
Closed operating systems are worse and worse about it.
The code is open, yes, so many people will help to find the bugs, but the patch is found as quickly as they find the bug, and the software becomes "relatively" more secure.
I think the problem is, PHP Nuke has grown too far; many programmers attach their module without doing any "security check". I think that's the main problem.
CMIIW
_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Jul 10, 2005 3:13 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
Welcome aboard, engagedb.
Some of my thoughts:
1. Freeware/open-source software can be very secure and have great functionality, if it has been in development a long time and if there are lots of people who contribute their free time to improve the product.
Good examples: the Linux kernel, the Apache web server. Of course, there are always new security bugs to come out, but those products are very secure and stable in summary. It's the result of years-long work by thousands of volunteers.
As time goes by and new bugs are discovered in phpBB, the result will be that it becomes more and more secure and stable. You know, if it is not killing you, then it will make you stronger.
2. Phpnuke: it was written insecurely from the beginning. Just look at very old phpnuke versions, like 4.x and 5.x, and you will find very funny security bugs. It seems the oldest nuke versions were absolutely unsecured. Even phpnuke 6.x was full of SQL injection cases. Some security has started being developed from version 7.0, I think.
Now, all the thousands of programmers who are writing any kind of addons, modules, blocks, hacks, etc. for phpnuke will look at the original code and then program stuff the same way: the insecure way.
I have seen phpnuke-driven websites with the newest phpnuke version, all patches applied to the engine, 3 or even 4 "antihack" systems installed, and on closer look you can see VERY INSECURE modules in use: modules where the programmer has absolutely no clue about single quotes and stuff.
That's sad ...
3. Phpnuke 7.7: I think that I will soon take a closer look at this specific nuke version. Let's see what I can find out.
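As an added illustration of sp3x's point about hand-written XSS/SQL filters versus PHP's own functions, and of the "single quotes" problem in third-party modules that waraxe describes, here is example PHP code that is not from the thread or from PHP-Nuke: a naive blacklist filter beside htmlspecialchars output encoding, and a string-concatenated query beside a prepared statement (used here as the modern replacement for addslashes). The table name, column name and sample input are assumed for the demonstration.

```php
<?php
// Added example (not from the thread or PHP-Nuke): a home-made blacklist
// filter beside PHP's own escaping, plus the "single quotes" SQL case.

// Naive filter of the kind sp3x criticizes: it deletes one spelling of
// the tag. It is bypassable because it only removes what it recognises.
function naiveXssFilter(string $input): string
{
    return str_ireplace(['<script>', '</script>'], '', $input);
}

// Output encoding with htmlspecialchars: every markup character becomes
// an entity, so the browser renders the text instead of executing it.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed test input: a tag nested inside itself. A single-pass
// strip removes the inner "<script>" and thereby re-assembles the outer
// one, whereas encoding leaves no angle brackets at all.
$sample = '<scr<script>ipt>alert(1)</scr</script>ipt>';
echo "naive filter:     ", naiveXssFilter($sample), PHP_EOL;
echo "htmlspecialchars: ", encodeForHtml($sample), PHP_EOL;

// SQL side. Vulnerable pattern found in third-party modules: the value
// is pasted into the query text, so a single quote in $username ends
// the string literal early. (Table and column names are assumed.)
function vulnerableLookupSql(string $username): string
{
    return "SELECT user_id FROM nuke_users WHERE username = '$username'";
}

// Hardened form: a prepared statement sends the value separately from
// the SQL text, so quotes in $username cannot change the query. This is
// the modern replacement for addslashes, which does not know the
// connection's character set.
function safeLookup(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM nuke_users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row === null ? null : (int) $row['user_id'];
}

// A legitimate name containing an apostrophe already breaks the
// concatenated query; any injected input does the same on purpose.
echo vulnerableLookupSql("o'reilly"), PHP_EOL;
```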

Posted: Mon Jul 11, 2005 11:28 am
engagedb
Regular user
Joined: Jul 10, 2005
Posts: 7
Thanks for the welcome.
I'd like to say yes, I've seen the same thing. A friend of mine used 4 phpNuke anti-hack scripts, and had taken advantage of renaming the Admin.php file; he got hacked and wanted to know how it happened. We found the bug (I can't remember now, it was some weeks ago). And we also noticed one thing that really struck my fancy.
On the Php Nuke site they had posted about how the readme failed to mention that you need to add the new Admin.php filename to Robots.txt, although if you do that, then anyone can simply go to www.sitename.com/robots.txt and see the name. Very confusing as to what the purpose is of even bothering to hide the filename? Lol.

Posted: Mon Jul 11, 2005 12:21 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Posted: Mon Jul 11, 2005 12:44 pm
engagedb
Regular user
Joined: Jul 10, 2005
Posts: 7
Lol! Priceless, truly priceless.