thomcube (New Member)
Joined: Aug 24, 2005 | Posts: 1
Posted: Wed Aug 24, 2005 7:01 am
Hi all,
I'm thinking of re-doing my entire website and wanted to use PHP-Nuke again instead of PostNuke. PostNuke has too many bugs imho, and I always liked PHP-Nuke before.
But recently I am reading different stories about security issues in versions 7.7 and 7.8.
Are these issues already resolved? Will they ever get resolved?
So what version would you recommend? Use 7.8 with the patches from Chatserv, or use 7.6 (of course also with the patches)?
If you feel that the best way to go is 7.6, what about the bugfixes in the 2 newer releases then?
Also, are there any other patches I should use, besides the Chatserv patches and NukeSentinel?
Thanks in advance for all replies.
/ThomCube
kguske (Site Admin)
Joined: Jun 04, 2004 | Posts: 6437
Posted: Wed Aug 24, 2005 7:41 am
Welcome!
A WYSIWYG editor is included in versions 7.7 and 7.8. In order to make this work (it requires extensive HTML tags), the bad HTML checking function was removed from these versions, opening them up to scripting attacks. Hopefully, the checking will be replaced in future versions (it's possible to have both a WYSIWYG editor AND safe HTML!).
Version 7.6 with the latest patch from Chatserv and NukeSentinel is the current recommended version. Other add-ons or tweaks may be required depending on what you want...
_________________ I search, therefore I exist...
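The post above says a WYSIWYG editor and safe HTML can coexist. As an added example (not code from this thread or from PHP-Nuke), here is the shape such a filter takes: an allow-list over tags and attributes, applied to a parsed DOM rather than to the raw string, so that formatting survives and script vectors do not. The function and constant names (`safe_html`, `scrub`, `ALLOWED_TAGS`, `safe_url`) and the tag list are this example's own choices, not Nuke's.

```php
<?php
// Added example (not PHP-Nuke code): allow-list HTML filter for WYSIWYG output.
// Parsing with DOMDocument rather than regex means malformed markup cannot
// smuggle a tag past the filter. Names and the tag list are this example's own.

// Tag => attributes kept on it. Tags absent here are unwrapped or dropped.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'u' => [], 'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
// Elements whose contents must go too, not just the tag.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'applet'];
const URL_ATTRS         = ['href', 'src'];
const ALLOWED_SCHEMES   = ['http', 'https', 'mailto'];

// Accept relative URLs and listed schemes only. "javascript:", "data:" and
// "vbscript:" are rejected even when whitespace or entities are spliced in.
function safe_url(string $value): bool
{
    $compact = preg_replace('/[\x00-\x20]+/', '', $value);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $compact, $m)) {
        return true;                              // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function scrub(DOMNode $parent): void
{
    // Work on a snapshot: removing or moving nodes while iterating a live
    // NodeList skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $parent->removeChild($child);
                continue;
            }
            scrub($child);                        // clean the subtree first
            if (!isset(ALLOWED_TAGS[$tag])) {
                // Unknown but harmless tag (div, span, font...): keep its
                // already-cleaned children, drop the tag itself.
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                     && (!in_array($name, URL_ATTRS, true) || safe_url($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);   // on* handlers, style, bad URLs
                }
            }
        } elseif (!($child instanceof DOMText)) {
            $parent->removeChild($child);         // comments, CDATA, processing instructions
        }
    }
}

function safe_html(string $dirty): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);     // editor output is rarely well-formed
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $dirty . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Our wrapper is the outermost div, so it is the first one in document order.
    // Content that closes the wrapper early lands outside it and is dropped.
    $root = $doc->getElementsByTagName('div')->item(0);
    scrub($root);

    $out = '';
    foreach ($root->childNodes as $node) {
        $out .= $doc->saveHTML($node);            // text comes back entity-escaped
    }
    return $out;
}

// Constructed sample input: what a hostile user can type into a WYSIWYG field.
$dirty = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
       . '<a href="java&#10;script:alert(document.cookie)">click</a>'
       . '<script>steal()</script>'
       . '<img src="x" onerror="alert(1)">'
       . '<span style="background:url(javascript:x)">plain</span>';
echo safe_html($dirty), "\n";
```

Run the filter on save and again on display, since stored content written before the filter existed is still in the database. The wrapper-div trick fails closed: a submission that closes the wrapper loses the remainder instead of getting it through unfiltered.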
highlanddesigns (New Member)
Joined: Aug 25, 2005 | Posts: 15
Posted: Wed Aug 24, 2005 11:54 pm
Oh man, I just installed 7.8 with the Chatserv patch and was about to install NukeSentinel when I read the readme and it said use 7.6.
Should I downgrade? If so, can I use the database I have running on 7.8?
Edit** Hello. Sorry for not starting out by saying hello. How rude!!!
VinDSL (Life Cycles Becoming CPU Cycles)
Joined: Jul 11, 2004 | Posts: 614
Location: Arizona (USA) | Admin: NukeCops.com | Admin: Disipal Designs | Admin: Lenon.com
Posted: Thu Aug 25, 2005 3:14 am
Heh! Gawd, when this question comes up, I feel like such a rabid PHP-Nuke fundamentalist...
Look, I'm running 6.5 Final, patched and mod'ed, and I'm doing just fine, thank you! I administrate some of the biggest PHP-Nuke sites in the world, but so what? Maybe I'm just lucky. Maybe I'm smart, or maybe I'm really a dumb s___ in reality. Who knows? So, take my opinion for what it's worth. Your call...
Do I recommend you go the 6.5 route? No! I suggest you go the 'secure' route, and to that end, it really doesn't matter which version you use, as long as it's 'secure'. That's the way I feel...
Having said that, as stated above, for most ppl, PHP-Nuke 7.6 is the way to go, for now. Put another way, unless you know what you're doing 'security-wise' - unless you are prepared to take the bull by the horns, so to speak - you'll be better off running PHP-Nuke 7.6 than 7.7-7.8. Why? Because 7.7-7.8 has more potential for 'security' problems, or so 'they' say...
Then, again, maybe YOU will get lucky and nobody will ever attack your web site, in which case, it doesn't matter which version you are running.
I guess it's a crapshoot of sorts... Personally, I would suggest you settle into a version - any version - and harden it as much as you can, if you're truly worried about 'security', and not simply keeping up with the Joneses. However, the prevailing logic, at this point, dictates that PHP-Nuke 7.6 is the way to go. I know this from reading the threads on various sites, not personal experience. For all I know, this is paranoia rearing its ugly head. I can't really say I've heard of anybody running 7.7-7.8 being hacked because of the WYSIWYG editor (it certainly isn't a trend, at present) but I suppose it's possible, given the track record of PHP-Nuke...
_________________ .:: "The further in you go, the bigger it gets!" ::.
kguske
Posted: Thu Aug 25, 2005 5:13 am
There is a downgrade script that allows you to convert your database back to 7.6 and copy over all the 7.7-7.8 files. Look for it at http://nukescripts.net.
hitwalker (Sells PC To Pay For Divorce)
Posts: 5661
Posted: Thu Aug 25, 2005 12:27 pm
Well, the best thing I like about PostNuke is the themes; they look great... well, the ones I've seen anyway..
And Vin...
Why am I not that surprised that you're still on 6.5?
I always thought that was the best version ever....
I always used it and thought 7.6 was the best candidate to upgrade to..
But Vin, as you write... Quote: | I'm running 6.5 Final, patched and mod'ed, and I'm doing just fine |
If you've taken care of your 6.5 like that, then it isn't really a 6.5 anymore......
But as far as my personal opinion goes... I would never recommend 7.7 or 7.8 to anyone, not in a million years...
highlanddesigns
Posted: Thu Aug 25, 2005 9:29 pm
Thanks for the advice. I am kind of new to Nuke/PHP, as I have until now worked only with ASP. I have built many sites, from small to large ecommerce. Not once (touch wood) have I ever had a site of mine hacked. I know it happens, just like a car accident - if it is your time, it's your time.
I took your advice and went back to 7.6. I am now running 7.6 with the 2.0.17 and 3.1 patch. Other than NukeSentinel, can you advise on any further security measures I may need to make? I will try to keep up with the security stuff.
Thanks for a great forum.
montego (Site Admin)
Joined: Aug 29, 2004 | Posts: 9457
Location: Arizona
Posted: Thu Aug 25, 2005 10:16 pm
highlanddesigns wrote: | Other than NukeSentinel, can you advise on any further security measures I may need to make? I will try to keep up with the security stuff. |
Yeah, install only modules / add-ons from reputable sources like those here, NukeScripts and others. Each module/block/etc. you add opens up the potential for poor coding or mistakes on the part of the coder (me included).
Luckily, if you ensure that all new modules and blocks make sure they cannot be run outside of Nuke (standalone), then Sentinel goes a long, long way towards helping to stop the common exploits. Regardless, though, there is no substitute for knowledgeable coders producing good, secure code (or write your own modules and don't expose your code to the "world")....
montego
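The post above says modules and blocks must not be runnable outside of Nuke. As an added example (not montego's code and not PHP-Nuke's), here is what that means in code: first the substring test on `PHP_SELF` that many Nuke module files open with, together with the one request that slips past it, then a guard that keys on a constant only the bootstrap defines, which no request can forge. The names `NUKE_FILE`, `nuke_bootstrap`, `module_guard_by_php_self`, `module_guard_by_constant` and `module_entry` are this example's own.

```php
<?php
// Added example (not PHP-Nuke or montego's code): two ways to stop a module
// file from being executed on its own. Names are this example's own.

// Form 1: the substring test many Nuke modules open with. It is weak because
// PHP_SELF includes whatever PATH_INFO the client appends, so on a server that
// accepts path info the URL /modules/Foo/index.php/modules.php contains
// "modules.php" and passes.
function module_guard_by_php_self(string $php_self): bool
{
    return stripos($php_self, 'modules.php') !== false;   // true = allowed
}

// Form 2: mainfile.php defines a constant once it has loaded. A module
// included any other way never sees it, and nothing in a request can set it.
function nuke_bootstrap(): void
{
    // ... config, database and session setup would go here ...
    if (!defined('NUKE_FILE')) {
        define('NUKE_FILE', true);
    }
}

function module_guard_by_constant(): bool
{
    return defined('NUKE_FILE');
}

// What the top of a module file looks like with the constant guard. Written
// as a function so it can be exercised here; in a module it is top-level code.
function module_entry(): string
{
    if (!module_guard_by_constant()) {
        // Fail closed before any code that reads request variables or
        // touches the database gets a chance to run.
        return "You can't access this file directly...";
    }
    return 'module output';
}

// Constructed requests.
$legit  = '/modules.php';                         // normal front-controller path
$direct = '/modules/Foo/index.php';               // blocked by both forms
$bypass = '/modules/Foo/index.php/modules.php';   // PATH_INFO trick: passes form 1

printf("form 1: legit=%d direct=%d bypass=%d\n",
    module_guard_by_php_self($legit),
    module_guard_by_php_self($direct),
    module_guard_by_php_self($bypass));

printf("form 2 before bootstrap: %s\n", module_entry());
nuke_bootstrap();
printf("form 2 after bootstrap:  %s\n", module_entry());
```

The constant guard also covers the case Sentinel cannot see: a module pulled in by a path the front controller never touches. It belongs on the first line of every module, block and admin file, before any `require` of its own.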
VinDSL
Posted: Fri Aug 26, 2005 4:00 am
highlanddesigns wrote: | Other than Nuke Sentinal can you advise on any further security measures I may need to make? |
I put this near the top of my '.htaccess' file...

```apache
# Offers protection during hacking attempts by NOT displaying
# error messages or server paths, and turns off register_globals.
php_flag display_errors off
php_flag register_globals off
```

I also run my 'config.php' file outside the web path. The only reason I do this is in case PHP crashes - so ppl won't be able to look at my password[s], and so forth. LoL! Yes, I've seen this happen, to someone else, after a botched PHP upgrade. Made me a believer!
This widely published page explains all this, and more, but most ppl either haven't read it, or don't pay it any heed...
http://www.ravenphpscripts.com/nukemanual-security-measures.html
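Why the second `php_flag` line in the post above matters, as an added example that is not VinDSL's code or PHP-Nuke's: the same login check written in the shape `register_globals` punishes and in the shape that is safe regardless of the setting, plus a small report on the two ini settings. `register_globals` was removed in PHP 5.4, so `extract()` is used here to reproduce what it did. The names `admin_check_vulnerable`, `admin_check_hardened`, `hardening_report` and the password string are this example's own.

```php
<?php
// Added example (not VinDSL's code or PHP-Nuke's): what register_globals did
// to code that never initialised a variable before trusting it. extract()
// reproduces the old behaviour so it can be exercised on a current PHP.

// Vulnerable shape: $authorized becomes true only on success, but it is never
// initialised, so a request variable of the same name supplies it.
function admin_check_vulnerable(array $request): bool
{
    extract($request);                   // what register_globals=On did for every request
    if (isset($pass) && $pass === 'correct horse') {
        $authorized = true;
    }
    return !empty($authorized);          // ?authorized=1 with no password passes
}

// Hardened shape: initialise before use and read input explicitly. The
// request cannot reach $authorized whatever register_globals is set to.
function admin_check_hardened(array $request): bool
{
    $authorized = false;
    $pass = (string) ($request['pass'] ?? '');
    if (hash_equals('correct horse', $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Check the two settings the .htaccess lines set. php_flag is a mod_php
// directive: under CGI/FastCGI the same settings belong in php.ini or
// .user.ini, and Apache answers 500 for the unknown directive instead.
function hardening_report(): array
{
    $off = function (string $key): bool {
        $v = strtolower((string) ini_get($key));
        return $v === '' || $v === '0' || $v === 'off' || $v === 'false';
    };
    return [
        'display_errors_off'   => $off('display_errors'),
        // Gone entirely from 5.4 on, so treat that as "off".
        'register_globals_off' => version_compare(PHP_VERSION, '5.4.0', '>=') || $off('register_globals'),
    ];
}

// Constructed requests.
$forged = ['authorized' => '1'];         // no password at all
$real   = ['pass' => 'correct horse'];

var_dump(admin_check_vulnerable($forged));   // the forged variable is trusted
var_dump(admin_check_vulnerable($real));
var_dump(admin_check_hardened($forged));
var_dump(admin_check_hardened($real));
print_r(hardening_report());
```

The `display_errors` line is about the other half of the post: with it on, a fatal error in a module prints the script path and, in a mis-handled upgrade, can print source, which is exactly the situation that motivates moving `config.php` out of the web tree.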
highlanddesigns
Posted: Fri Aug 26, 2005 4:17 am
Thanks VinDSL.
If I put my config outside of my directory, my forum admin goes blank. It did not do that until about 2.0.16.
As for the link to the security measures, believe it or not, I have already been there. This is also the same as from FB's site, right?
Anyway, thanks again for the advice.
hitwalker
Posted: Fri Aug 26, 2005 4:18 am
Ah, thanks for the reminder.
Long ago I had config placed in Timbuktu, but when I changed to 7.6 I forgot that..
VinDSL
Posted: Fri Aug 26, 2005 4:19 am
BTW, one thing I might mention...
If you decide to run 'config.php' outside your web path, you need to tweak 'mainfile.php'. This is often overlooked and, if you'll pardon the pun, the root cause of much grief when attempting to move 'config.php' out of harm's way.
This is what the section in question looks like in my 'mainfile'. (I run my 'config.php' file one directory above 'root')
```php
// mainfile.php, with config.php moved one directory above the web root.
// Each branch is reached from a different directory depth, and the paths are
// relative to the directory of the script that handled the request.
if ($forum_admin == 1) {
    // Forum admin runs from modules/Forums/admin/: four '../' reach the
    // directory above the web root. This is the branch that is usually missed.
    require_once("../../../../config.php");
    require_once("../../../db/db.php");
} elseif ($inside_mod == 1) {
    // Module run from inside modules/<name>/.
    // Note: as posted, only the forum-admin branch carries the extra '../';
    // this branch and the next one still point at the web root itself.
    require_once("../../config.php");
    require_once("../../db/db.php");
} else {
    // Entry from the web root (index.php, modules.php, admin.php ...).
    require_once("config.php");
    require_once("db/db.php");
    /* FOLLOWING TWO LINES ARE DEPRECATED BUT ARE HERE FOR OLD MODULES COMPATIBILITY */
    /* PLEASE START USING THE NEW SQL ABSTRACTION LAYER. SEE MODULES DOC FOR DETAILS */
    require_once("includes/sql_layer.php");
    $dbi = sql_connect($dbhost, $dbuname, $dbpass, $dbname);
}
```
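The three-branch block above has to be edited by hand for every entry depth, which is why the forum admin branch gets missed. As an added example (not VinDSL's `mainfile.php` and not PHP-Nuke code), here is the same job done once, relative to where `mainfile.php` itself sits, with a check that refuses to run if the resolved file is missing or turns out to be inside the document root after all. The names `resolve_config_path`, `config_is_outside_docroot`, `validated_config_path` and the sample paths are this example's own.

```php
<?php
// Added example (not VinDSL's mainfile.php, not PHP-Nuke code): resolve
// config.php from where mainfile.php itself lives instead of from the
// requesting script's directory, so the forum admin (three directories deep),
// modules (two deep) and the root entry points all find it without separate
// hand-maintained '../' chains. Names are this example's own.

// $mainfile_dir: directory holding mainfile.php, i.e. dirname(__FILE__) in
//                real use; passed in so the function can be exercised with
//                constructed paths.
// $levels_up:    how many directories above the web root config.php lives.
function resolve_config_path(string $mainfile_dir, int $levels_up = 1): string
{
    $dir = rtrim($mainfile_dir, '/');
    for ($i = 0; $i < $levels_up; $i++) {
        $dir = dirname($dir);
    }
    return $dir . '/config.php';
}

// True when $config_path is not under the document root. Both arguments must
// already be canonical (no symlinks or '..'), which the dirname() chain gives.
function config_is_outside_docroot(string $config_path, string $docroot): bool
{
    $docroot = rtrim($docroot, '/') . '/';
    return strpos($config_path, $docroot) !== 0;
}

// Returns the path to require, or dies. The require itself must stay at the
// top level of mainfile.php: a require_once inside a function would scope
// $dbhost, $dbuname and the rest to that function and Nuke would never see them.
function validated_config_path(string $mainfile_dir, string $docroot, int $levels_up = 1): string
{
    $path = resolve_config_path($mainfile_dir, $levels_up);
    if (!config_is_outside_docroot($path, $docroot)) {
        die('config.php resolves inside the web root; refusing to continue');
    }
    if (!is_readable($path)) {
        die('config.php not found or not readable at its configured location');
    }
    return $path;
}

// Constructed paths: web root /var/www/html, config.php one level above it.
$docroot = '/var/www/html';
var_dump(resolve_config_path($docroot, 1));
var_dump(config_is_outside_docroot('/var/www/config.php', $docroot));
var_dump(config_is_outside_docroot('/var/www/html/config.php', $docroot));

// In mainfile.php, in place of the three-branch block:
//   require_once validated_config_path(dirname(__FILE__), $_SERVER['DOCUMENT_ROOT']);
//   require_once dirname(__FILE__) . '/db/db.php';
```

Add-ons that include `config.php` with their own relative path (the Bandwidth Meter case mentioned later in the thread) still need the same treatment, or better, should include `mainfile.php` and let it do the resolving.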
VinDSL
Posted: Fri Aug 26, 2005 4:20 am
highlanddesigns wrote: | Thanks VinDSL.
If I put my config outside of my directory, my forum admin goes blank... |
Heh! See the above post...
hitwalker
Posted: Fri Aug 26, 2005 4:22 am
Weird... all works fine for me..
VinDSL
Posted: Fri Aug 26, 2005 4:26 am
hitwalker wrote: | Weird... all works fine for me.. |
Yeah, the problem crops up when you try to access your admin panel[s]. Otherwise, everything runs fine...
hitwalker
Posted: Fri Aug 26, 2005 4:29 am
Admin panel.....?
Well, like I said, all works fine..
So I guess this only relates to certain versions...?
VinDSL
Posted: Fri Aug 26, 2005 4:32 am
Oops! Oh, yeah...
Some programs, like my Bandwidth Meter, require that you tweak the path to 'config.php', by adding an extra '../' to it.
It's a hassle, but worth the effort, IMHO...
VinDSL
Posted: Fri Aug 26, 2005 4:33 am
hitwalker wrote: | Admin panel.....?
Well, like I said, all works fine..
So I guess this only relates to certain versions...? |
Did you try your forum admin panel too?
hitwalker
Posted: Fri Aug 26, 2005 4:39 am
Yes, I have full access to my forums admin panel, and can see every part of the admin...
VinDSL
Posted: Fri Aug 26, 2005 4:45 am
hitwalker wrote: | Yes, I have full access to my forums admin panel, and can see every part of the admin... |
Good!
All's well that ends well, yes?
hitwalker
Posted: Fri Aug 26, 2005 4:51 am
Well, I think that keeping everything clean helps..
highlanddesigns
Posted: Sat Aug 27, 2005 2:32 am
I will try those changes. Thanks again.
roadlesstraveled (New Member)
Joined: Jul 11, 2005 | Posts: 10
Posted: Fri Nov 25, 2005 10:03 am
I keep hearing about all of these "POTENTIAL" issues with 7.7 and 7.8.
I just upgraded to 7.8, running Sentinel 2.4.2, have the main configs in different folders and have pretty much done everything I possibly can to secure the site short of shutting it down.
As stated above, if a script weenie is going to get you, they will; nothing will stop them if they want in. Nothing you or anyone here is going to be able to do anything about it. Just keep backups and change your passwords often.
One final note: I don't write code, but I break it for a living. One thing I take to my job is this, and it never fails me:
Never Underestimate!
The Ingenuity of an Idiot
My engineers hate me; I give them so much grief, but it makes them think about what they are coding. Anyone can break a system.
For me, I am staying at 7.8. I have a modded site that would be a disaster if I downgraded to 7.6.
All I want is to get my banners working again in 7.8. I have narrowed it down to the language file, and from there, who knows.
Quake (New Member)
Joined: Feb 02, 2005 | Posts: 12
Posted: Tue Nov 29, 2005 3:56 am
I recommend Nuke-Evolution at nuke-evolution.com