Author |
Message |
Leomania
New Member
Joined: May 23, 2005
Posts: 10
|
Posted:
Mon May 23, 2005 7:31 pm |
|
A posting today by BobMarion on NukeScripts:
Quote: | Due to the high level of scripting and security issues that go hand in hand with phpBB and nuke I have closed the Forums and Private Messages modules. |
I've been building up a site offline with a couple of partners that I hope to be a popular site eventually. As such, it may be all the more attractive a target for hacking. But I don't have Bob's technical abilities when it comes to security issues; if he can't keep on top of it, what chance do the rest of us have of keeping our phpBB-based sites up?
No intent to go off the deep end here; I'm genuinely interested in hearing what folks think of Bob's stated reason for closing the forums. |
|
|
|
djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
|
Posted:
Tue May 24, 2005 8:30 am |
|
Bob's reasons are correct.
OpenSource means everyone can see it and everyone can find security issues. If a vulnerability is found the developers should fix the issue within 1-2 weeks and provide the fix to their customers.
Since FB cares less about this, you rely on Chatserv, Raven and Bob to provide the fixes.
Since they work and do this in their spare time and they run websites themselves to maintain, there will be no space left for holidays and beer.
To fix this, Bob just turns off the security-sensitive modules to gain more free time. There's nothing wrong with that.
Leomania wrote: | I've been building up a site offline with a couple of partners that I hope to be a popular site eventually. As such, it may be all the more attractive a target for hacking. |
Sure it will, but what do you want to do about it?
Donate $1000 a month so someone can work on the system as day job ? |
|
|
|
Leomania
|
Posted:
Tue May 24, 2005 9:38 am |
|
Quote: | Since they work and do this in their spare time and they run websites themselves to maintain, there will be no space left for holidays and beer. |
Hey, beer is important -- and I'll be among the first to say so. Still, if phpBB as part of PHP-Nuke is so insecure as to be a significant draw on his time, how would anyone else hoping to use the software be able to do any better?
The number of sites providing some levels of support for PHP-Nuke amazes me; I am doing my best to educate myself so I can make my site as secure as possible and prepare for a possible security breach. Still, there's far more than I can possibly know given that I too have a day job. So it's a bit unnerving to have a knowledgeable guy like Bob pull the plug on the forums.
I have seen some posts from people saying things like, "move your config.php, I'll find it within five minutes. Rename your tables, won't help one bit." I always thought it was bravado, but perhaps there are folks who know enough about the innards of Nuke and/or phpBB that it's legit, and I should just expect a hack at some point. Not a comforting thought.
Quote: | Sure it will, but what do you want to do about it? Donate $1000 a month so someone can work on the system as day job? |
Want? No, that wouldn't be what I would want to do. Contribute to the folks who help make the software more secure? You bet. I've contributed to chatserv, and need to follow up with some fundage for raven and Bob (and FB, whom I realize I have overlooked).
I understand that no software can ever be 100% secure, but perhaps the security situation is even worse than I had prepared myself for it to be; I guess I'm just bummed about it. |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Tue May 24, 2005 10:37 am |
|
Imo, there is no reason to be a fatalist about this. Look at http://security-focus.com when you get a chance. You will see applications and operating systems that are tried and true and yet, guess what? They continue to find security issues with them. You would have to turn your PC off permanently to be rid of any threat. My point? The older and more mature our applications get, the more stable they should become. Will they ever reach a no security issue stage? I can't say. But, I do know that by using NukeSentinel (shameless plug) and some .htaccess and Apache hardening, I honestly do sleep better at night. Other exploits can and WILL appear. We take it one day/hour/minute/second at a time and offer blood sacrifices as often as we can ![Wink](modules/Forums/images/smiles/icon_wink.gif) |
Last edited by Raven on Tue May 24, 2005 2:12 pm; edited 1 time in total |
|
|
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
|
Posted:
Tue May 24, 2005 10:48 am |
|
Let me express something here, NukeScripts does not run on a pure PHP-Nuke system and hasn't since the early days. My site doesn't have a modules.php file for example. Because of all the "NSNized" fixes and tweaks, I have issues that are strictly exclusive to my site. Do not judge phpBB based solely on my locking them down.
phpBB has always been a thorn in my side when it comes to nuke, I have said it before and I'll say it again, PHP-Nuke should have never forced phpBB on the community. Chat does one hell of a job patching and securing the port but as a port it has inherent flaws that will cause issues. My problem and the reason for locking up the forums and private messages were they were/are breaking the rest of my site.
As for mr. burzi, let's just say he and I agree that we hate each other and leave it at that.
phpBB is a good system, so don't get me wrong, I just don't like it inside of nuke. |
_________________ Bob Marion
Codito Ergo Sum
|
|
|
Leomania
|
Posted:
Tue May 24, 2005 2:58 pm |
|
raven wrote: | Imo, there is no reason to be a fatalist about this |
LOL... that wasn't where I was coming from, but I see why it looks that way. I had simply thought that phpBB wasn't so problematic as to require shutting it off for such a knowledgeable user.
BobMarion wrote: | Let me express something here, NukeScripts does not run on a pure PHP-Nuke system and hasn't since the early days. My site doesn't have a modules.php file for example. Because of all the "NSNized" fixes and tweaks, I have issues that are strictly exclusive to my site. Do not judge phpBB based solely on my locking them down. |
Thanks for the clarification, Bob. That's the info that I was unaware of -- it explains the situation well; I get it now.
And thanks again for the time you both put into PHP-Nuke; were it not for the security updates and scripts you work so hard to maintain, my sites would have been hacked long ago. It's been an education learning how to keep a site running with Nuke, but luckily I haven't been forced to learn the hard way yet. ![Wink](modules/Forums/images/smiles/icon_wink.gif) |
|
|
|
Raven
|
Posted:
Tue May 24, 2005 11:30 pm |
|
|
|
Leomania
|
Posted:
Tue May 24, 2005 11:41 pm |
|
raven wrote: | Bob has decided to put the Forums back on line. |
Thanks, raven. Just saw that a bit ago, and glad of it I am.
And talking like Yoda I seem to be... hmmm, anticipating Episode 3 I might be. ![Wink](modules/Forums/images/smiles/icon_wink.gif) |
|
|
|
BobMarion
|
Posted:
Wed May 25, 2005 12:37 am |
|
In the forums errors I found. Working on it all day I spent. Late tonite the forums reopened I did
phpBB port I now do hate ![Bang Head](modules/Forums/images/smiles/banghead.gif) |
|
|
|
BobMarion
|
Posted:
Wed May 25, 2005 12:41 am |
|
hehehehe, watched episode 2 last nite i did! |
|
|
|
Raven
|
Posted:
Wed May 25, 2005 6:32 am |
|
More obvious than an error in phpnuke, that is ![ROTFL](modules/Forums/images/smiles/rotfl.gif) |
|
|
|
CurtisH
Life Cycles Becoming CPU Cycles
Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI
|
Posted:
Wed May 25, 2005 8:11 am |
|
It's stuff like this that really makes me appreciate you guys! I came here this morning in a rather foul mood (unrelated to the site) and after reading these last few posts I couldn't help but chuckle...and what do you know? My foul mood has gone. Thanks guys! ![Smile](modules/Forums/images/smiles/icon_smile.gif) |
_________________ Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe |
|
|
|