Virgin 7.6 Install - Now what should I do to secure it?

Involved Joined: Aug 06, 2005 Posts: 301

Raven,

I have downloaded the following download from your site:

'PHPNuke v7.6 Patch Level v3.0b Recommend

PHP-Nuke: Advanced Content Management System
Patch Level 3.0b
============================================

November 2004: Version 7.6
==========================
- According with the email number 213080 to Dave Turner (GPL Compliance Engineer) from the Free Software Foundation, the copyright notices of PHP-Nuke has been changed in order to be 100% compliant with the GPL license section 2(c). This copyright notices can't be removed and the Commercial License becomes 100% compliant with the GPL license. Hope this is the end of the story for the people that doesn't understand a bit of the GPL. Again, if you want to legaly remove the copyright notices from PHP-Nuke generated pages you must purchase the Commercial License, see http://phpnuke.org/modules.php?name=Commercial_License for more details and stop complaining about this issue, the Commercial License is legal, GPL compliant and approved by the Free Software Foundation. End of story.
- Fixed administrator edit function that didn't show the authorized modules to administer. (Thanks to jaggura from http://www.whereiroost.com)
- Added FireFox (http://firefox.com) browser support for site's counter that will show in Statistics module.
- Added RSS feed support for FireFox browser's Live Bookmarks.
- By popular demand and to avoid some administration system non-authorized entries attempts, now you can just rename the file admin.php to whatever_you_want.php and set the name in config.php file. Doing this nobody knows what's your administration filename. Additionaly a new method of URL redirection has been added to hide the referer when you click on a link inside administration system. If you have old administration modules not compatible with this new system you'll get "Access Denied" message. If this is the case, leave the admin.php file with its original name while you modify the modules or get a new compatible version of it.
- Added a new folder called /includes/custom_files where, if exists the files custom_mainfile.php, custom_header.php and custom_footer.php they will be included from mainfile.php, header.php and/or footer.php respectively. Also the file /includes/my_header.php has been removed and added the new /includes/custom_files/custom_head.php for anything that should be between and html tags in the code. With this feature will be more easy to update a site without lost your custom changes. These files will not be shipped with PHP-Nuke to avoid possible overwritting when updating the code. (Thanks to André V. Escudero for the tip)
- Moved Forums administration to the module's folder (Thanks to Chatserv from http://www.nukeresources.com)
- Added an extra check to administrators/authors adition functions to grant access to the superuser only (Thanks to Chatserv from http://www.nukeresources.com)
- Fixed a search results bug in Forums module (Thanks to Chatserv from http://www.nukeresources.com)
- Fixed a bug in the 7.3 to 7.4 upgrade file for Sections module migration (Thanks to Chatserv from http://www.nukeresources.com)
- Changed the password generator in Your Account module. System generated passwords now are 3 letters, 2 numbers and 3 letters.
- Fixed update_points() function call to clickbanner() function on banners.php
- Changed anonymous permissions for broken link report and modification requests in Downloads and Web Links modules.

Version: 7.6pl3.0b
Compatibility: All
Filesize: 4.70 MB
Added on: May-18-2005
Downloads: 2641
Rating: 3.57 (3 Votes)

[ Rate ] - [ Broken ] - [ Details ]'

Is this not PHPNuke Version 7.6 with 3.0 patch? If it is not, PLEASE send me the exact URL for the correct PHPNuke Version 7.6 with 3.0 patch full downolad.

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

You might want to do a file directory comparison to find out the exact differences. I suspect it might be something obvious (i.e. nothing to worry about) like language files. There are a number of good free file and directory comparison tools Only registered users can see links on this board! Get registered or login!. But I'd also recommend Only registered users can see links on this board! Get registered or login! for comparing files and directories, even via FTP (a great way to update a remote server after deploying patch changes, for example).

Posted: Sat Aug 06, 2005 8:58 pm

Raven,

I have downloaded the following download from your website:

'PHPNuke v7.6 Patch Level v3.0b Recommend

PHP-Nuke: Advanced Content Management System
Patch Level 3.0b
============================================

November 2004: Version 7.6
==========================
- According with the email number 213080 to Dave Turner (GPL Compliance Engineer) from the Free Software Foundation, the copyright notices of PHP-Nuke has been changed in order to be 100% compliant with the GPL license section 2(c). This copyright notices can't be removed and the Commercial License becomes 100% compliant with the GPL license. Hope this is the end of the story for the people that doesn't understand a bit of the GPL. Again, if you want to legaly remove the copyright notices from PHP-Nuke generated pages you must purchase the Commercial License, see http://phpnuke.org/modules.php?name=Commercial_License for more details and stop complaining about this issue, the Commercial License is legal, GPL compliant and approved by the Free Software Foundation. End of story.
- Fixed administrator edit function that didn't show the authorized modules to administer. (Thanks to jaggura from http://www.whereiroost.com)
- Added FireFox (http://firefox.com) browser support for site's counter that will show in Statistics module.
- Added RSS feed support for FireFox browser's Live Bookmarks.
- By popular demand and to avoid some administration system non-authorized entries attempts, now you can just rename the file admin.php to whatever_you_want.php and set the name in config.php file. Doing this nobody knows what's your administration filename. Additionaly a new method of URL redirection has been added to hide the referer when you click on a link inside administration system. If you have old administration modules not compatible with this new system you'll get "Access Denied" message. If this is the case, leave the admin.php file with its original name while you modify the modules or get a new compatible version of it.
- Added a new folder called /includes/custom_files where, if exists the files custom_mainfile.php, custom_header.php and custom_footer.php they will be included from mainfile.php, header.php and/or footer.php respectively. Also the file /includes/my_header.php has been removed and added the new /includes/custom_files/custom_head.php for anything that should be between and html tags in the code. With this feature will be more easy to update a site without lost your custom changes. These files will not be shipped with PHP-Nuke to avoid possible overwritting when updating the code. (Thanks to André V. Escudero for the tip)
- Moved Forums administration to the module's folder (Thanks to Chatserv from http://www.nukeresources.com)
- Added an extra check to administrators/authors adition functions to grant access to the superuser only (Thanks to Chatserv from http://www.nukeresources.com)
- Fixed a search results bug in Forums module (Thanks to Chatserv from http://www.nukeresources.com)
- Fixed a bug in the 7.3 to 7.4 upgrade file for Sections module migration (Thanks to Chatserv from http://www.nukeresources.com)
- Changed the password generator in Your Account module. System generated passwords now are 3 letters, 2 numbers and 3 letters.
- Fixed update_points() function call to clickbanner() function on banners.php
- Changed anonymous permissions for broken link report and modification requests in Downloads and Web Links modules.

Version: 7.6pl3.0b
Compatibility: All
Filesize: 4.70 MB
Added on: May-18-2005
Downloads: 2641
Rating: 3.57 (3 Votes)

[ Rate ] - [ Broken ] - [ Details ]'

Is this not PHPNuke Version 7.6 with Patch 3.0? If not, then PLEASE forward me the exact URL for the correct download.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

I just d/l from that link.

d/l compressed file: 4.70 meg
Uncompressed: 12.3 meg
-- Size on disk: 20.3 meg
-- Number of files: 3,235
-- Number of folders: 263

There have been 2642 downloads. Don't you think that someone would have contacted me by now if there was really a problem?

Posted: Sat Aug 06, 2005 9:03 pm

Raven,

In addition to the download I have from your website being smaller in size, I also note that the Version 7.6 download from phpnuke.org contains 2,681 files.

The download I have from your website, (which I am assuming is correct and that I mentioned details of in my last message), only contains 466 files.

I assume I have done something wrong?! Please advise and if I do have the wrong download, provide me with the exact URL for downloading 'PHPNuke v7.6 WITH Patch Level v3.0b'

Posted: Sat Aug 06, 2005 9:12 pm

Raven,

I screwed up!

Apologies.

I have the '3.0 Patch Only' as well as 'PHPNuke version 7.6 WITH Patch 3.0 included' burnt to the same CD.

I was comparing the directory containing the '3.0 Patch Only' with the 'Version 7.6' download from the PHPNuke.org website.

Onwards and upwards.

I will install the correct Version on my server now and get back to you.

Posted: Sun Aug 07, 2005 6:09 am

Raven,

First of all, I would again like to take this opportunity to thank both yourself and Kevin for all the assistance you have provided so far, (an no doubt the further assistance that will be required on and off from now onwards).

I would like to point out that one major fact which did not help either of us, is the fact that after I had been given advise from Kevin, you suggested an 'alternative approach' would be more favorable, (i.e. to forget patching the 'regular phpnuke.org Version 7.6 files myself), but instead to download your version of PHPNuke Version 7.6, which already includes patch 3.0)

An additional complication is that I had never heard of NukeSentinal, hence I wasn’t sure of what this was exactly.

So onwards and upwards from here and now to recap where I presently am with this new installation, (with some additional facts included):

I use 'Yahoo! Small Business' for my web hosting and the server is Apache.

I now have all the files from your version of PHPNuke Version 7.6, (which already includes patch 3.0 and total 12.3 MB in size), unzipped and uploaded to my 'Yahoo! Small Business' Apache server.

The only 'problem I have had with uploading these files is that the server does not accept any of the .htaccess files but I understand this is common practice with many web hosts. As I understand it, this should not be a problem and I can proceed without these files being uploaded/ftped, but PLEASE would you confirm if I am correct or not. If I am not, please advise of a solution here, (other than changing host, which I cannot do for various reasons).

Just so there is no possible questionable facts, should I encounter any teething problems further down the line, I decided to delete and reinstalled a new MySQL Database, (using the 'PHPMyAdmin'software tool).

Once this was all done, I registered the God admin account on PHPNuke and the website and everything appears to work well...You will recall that one instant problem I had when installing Nuke Version 7.7 was that immediately after the installation had been completed, (and before and after the God admin account was created), blank pages were displayed on a couple of the main menu/module links. Anyhow, this problem does not appear to be present now).

I have now also begun to 'substitute' some of the graphics in the theme I am using, in order to customize the look of the website. Let me explain what I specifically mean by ''substitute' some of the graphics' a little further. Although I am a 'rookie' to PHP and all this Nuke Stuff, I want to have the site up and running very soon, but I also need to customize it from the standard themes look. So I felt it was best not to try and 'develop my own theme' in what I assume is a standard way of having to check many files and substitute the names of any new graphics I introduced. Instead, what I have done with any graphics I am creating and wanting to use on my site, is to name it the same as the one that is already included with current theme on the site and replace the existing graphic with the new one. So for example, even if I wanted to name my own logo at the top of the page 'tangomans_website_logo.gif', I am just naming it 'logo.gif', the same name as the logo supplied with the standard themes. Does that make sense? Incidentally I am eager to know if this practice is actually common and perhaps you can see a downfall to this that I have not yet thought about?

So as I continue to make a few more changes to some more graphics, I am also reading up on Nuke Sentinel.

Once I have received a response to my aforementioned questions I will write back for guidance with the installation process of Nuke Sentinel.

Finally for now, I realize that I am not the only person requiring answers here, (far from it, of course), but I would like this website online before the coming week is out. Your response times so far have been second to none and I hope this will continue over the next few days etc.

That’s all for now and I hope to hear from you again soon.

Posted: Sun Aug 07, 2005 8:37 am

Quote:

The only 'problem I have had with uploading these files is that the server does not accept any of the .htaccess files but I understand this is common practice with many web hosts. As I understand it, this should not be a problem and I can proceed without these files being uploaded/ftped, but PLEASE would you confirm if I am correct or not. If I am not, please advise of a solution here, (other than changing host, which I cannot do for various reasons).

This is NOT a common practice. It is a practice however and I would never host with someone who did not allow this. It SEVERELY limits your ability to do many important things, such as SEO by using short URL's.

Quote:

I am just naming it 'logo.gif', the same name as the logo supplied with the standard themes. Does that make sense? Incidentally I am eager to know if this practice is actually common and perhaps you can see a downfall to this that I have not yet thought about?

That is standard and required practice w/o modifying the theme code itself. It's intended to implement somewhat of a 'standard' across all themes, but as usual, it is not standard.

NukeSentinel does NOT require .htaccess but it is another level of website protection. I would be happy to discuss your hosting needs with you as I offer one of the most flexible, secure, and complete hosting packages that you will find. And, setup time is about 10 minutes Wink

Posted: Sun Aug 07, 2005 8:50 am

Raven,

You have explained that not uploading the .htaccess files '...limits your ability to do many important things...', one of which is SEO. Please can you define what the acronym 'SEO' stands for?

For various reasons I am presently unable to change web host, but may be in a position to do so somewhere in the not too distant future.

I want the website I am currently working to offer the following:

Limited access to non-members.

Full access to members who subscribe (by using the NukeRoyal add on).

I want members to be able to send one another private messages

I want members to have access to 'premium' multi-media content.

Will my current circumstance of not being able to upload .htaccess files, prevent me from achieving any of the aforementioned?

Posted: Sun Aug 07, 2005 8:59 am

Quote:

Will my current circumstance of not being able to upload .htaccess files, prevent me from achieving any of the aforementioned?

Not to my knowledge.

Search Engine Optimization

Posted: Sun Aug 07, 2005 9:44 am

Raven,

Thanks for your most recent reply.

Next, now that I am using your patch 3.0 version of PHPNuke 7.6 and intend to add Nuke Sentinal, I am just wondering if, when alowing people to post on my website, I should still disable html in the posts. I have been reading how this can open all kinds of security risks, specifically with malicious coding or something.

Posted: Sun Aug 07, 2005 9:47 am

tangoman wrote:

Raven,

Thanks for your most recent reply.

Next, now that I am using your patch 3.0 version of PHPNuke 7.6 and intend to add Nuke Sentinal, I am just wondering if, when alowing people to post on my website, I should still disable html in the posts. I have been reading how this can open all kinds of security risks, specifically with malicious coding or something.

Always

!

Posted: Sun Aug 07, 2005 9:53 am

Many search engines do not look at pages linked with long URLs or URLs that contain characters like ? and & which are commonly used in PHP-Nuke. To optimize dynamic pages for search engines, Apache offers a technical called URL rewriting that allows a long URL like

Code:

modules. php?name=Forums&file=viewtopic&p=44128

to appear as a short URL like

Code:

postp44128.html

However, this technique requires the use of the .htaccess file, which can also be used to block IPs by NukeSentinel. However, NukeSentinel can block IPs without using the .htaccess file.

As for disabling HTML, the forums using a safer approach called BBCode which involves different tags like

Code:

[url=]

instead of

Code:

<a href=>

One of the problems with PHP-Nuke 7.7 and 7.8, is that HTML checking to prevent bad HTML is turned OFF. Version 7.6 has a more restricted list of allowable HTML. You should not need to make any changes to protect against bad HTML in version 7.6.

Posted: Sun Aug 07, 2005 10:07 am

Raven,

Your response was a more direct 'Always' for turning HTML off (in the PHPNuke version 7.6 with 3.0 patch, that I have downloaded from you).

It apears that again Kevins advise is a little different to yours.

Any comments?

Posted: Sun Aug 07, 2005 10:18 am

Not really, it's just semantics. If you look at your forum options you have 2 separate options. You can either allow TRUE HTML and/or BBCode. By using BBCode, you have a SAFE way of substituting BBCode for HTML. That's why I said to turn off HTML. Kevin reinforced this by saying to use BBCode.

Posted: Sun Aug 07, 2005 11:19 am

Raven,

I did think that all the files other than the .htacess files had uploaded succesfully to my server.

However I note that the following files also did not upload:

html\themes\fisubice\forums\orig overall_footer.tpl

html\themes\fisubice\forums\orig overall_footer.tpl\orig overall_header.tpl

The reason these are failing to ftp to the server sucessfully, is clearly that their names have a space in them. Why is this and what should I do?

Posted: Sun Aug 07, 2005 12:18 pm

Raven,

In addition to my last message, I am experiencing the following error:

phpBB : Critical Error

Error creating new session

DEBUG MODE

SQL Error : 1054 Unknown column 'session_admin' in 'field list'

INSERT INTO nuke_bbsessions (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) VALUES ('764283b18031cf0856e13c69296fcef0', '2', '1123438501', '1123438501', '540958ca', '0', '1', '0')

Line : 203
File : sessions.php

This error is displayed when I click on either of the following Menu Links/Modules:

'Private Messages'

'Members List'

It also appears if you entre the user account, (instead of being logged in as GOD Admin) and click 'Private Messages'.

What is the problem and solution?

Posted: Sun Aug 07, 2005 12:36 pm

'****STOP PRESS****'

Raven,

Following on from my last post here about the error being received, I had a further look in the forums on this website and noted a couple of other similar postings.

From what I read, I understood that I needed to 'Run' the 'upgrade.php' file that is sitting on my server and was uploaded with everything else during ftping.

I was not sure exactly what I had to to to 'run' the file, so I simply opened it from a browser window. The 'upgrade.php' file appeared as a text file in my browser and I then closed it and refreshed my other browser window with my PHP-Nuke website and the error. When the page refreshed the error had dissapeared from the locations/modules I previosuly mentioned it was displayed in.

Everything now apppears to be just fine. Did I do that correctly?

Posted: Sun Aug 07, 2005 1:34 pm

Yes

Posted: Sun Aug 07, 2005 1:36 pm

Raven,

Thanks for your last reply.

Please would you address the post I made stamped: Mon Aug 08, 2005 3:19 am

It reads:

Raven,

I did think that all the files other than the .htacess files had uploaded succesfully to my server.

However I note that the following files also did not upload:

html\themes\fisubice\forums\orig overall_footer.tpl

html\themes\fisubice\forums\orig overall_footer.tpl\orig overall_header.tpl

The reason these are failing to ftp to the server sucessfully, is clearly that their names have a space in them. Why is this and what should I do?

Posted: Sun Aug 07, 2005 1:45 pm

'****STOP PRESS****'

Raven,

Following on from my last post here about the error being received, I had a further look in the forums on this website and noted a couple of other similar postings.

From what I read, I understood that I needed to 'Run' the 'upgrade.php' file that is sitting on my server and was uploaded with everything else during ftping.

I was not sure exactly what I had to to to 'run' the file, so I simply opened it from a browser window. The 'upgrade.php' file appeared as a text file in my browser and I then closed it and refreshed my other browser window with my PHP-Nuke website and the error. When the page refreshed the error had dissapeared from the locations/modules I previosuly mentioned it was displayed in.

Everything now apppears to be just fine. Did I do that correctly?

Posted: Sun Aug 07, 2005 2:04 pm

Whoever did an upgrade to those files simply renamed them incorrectly. You don't need them, but if you want to upload them, just replace the space with a dash.

Even though support is free on this site, we do operate a quite hefty expense to provide the site and its services. Donations are always needed and welcomed Wink

Posted: Sun Aug 07, 2005 2:37 pm

Raven,

For the record, I would like to make it known that a 'donation' had been anticipated. I did want that to happen without you having to 'hint', in order to show my sincere appreciation for all your support etc, however after my protracted enquiries I do understand your comment being made at this time, moreover I think it is perfectly in order.

I will be making an initial small donation in the next few days, circa the launch date of this new website, (August 15 2005). However I did want to delay any such monies being paid a little longer, as I want to take into account ALL the help that is given by you and your website, thus decide on an appropriate sum. For this reason, in due course, a further sum will subsequently be donated.

Moving on, I did realize that in order to successfully ftp the files that have a space in their names (and that would not transfer), I would have to delete the space or substitute it with a character, (usually an underscore). The problem was simply that I did not know what the new name should be. Just out of interested, what are the files for if they are not required?

Next, as I previously explained, subsequent to installing your prepatched version 7.6 of PHP-Nuke I have not created the database, created the God admin account and selected to create a user name with the God admin details. I have also begun to load my own graphics and ‘substitute’ the included ones. The fundamental question here is, ‘can I continue to customize PHP-Nuke now and worry about adding NukeSentinel’ at a later time, (just before launching the website/releasing the website URL into the public domain)?

Posted: Sun Aug 07, 2005 2:52 pm

I think you're overreacting to the "hint", but let's leave it there.

NukeSentinel is optional.

As I said, someone upgraded those 2 files and renamed the originals for backup. I have no idea who did that for you.

Posted: Sun Aug 07, 2005 3:10 pm

Raven,

To quote, you explain, '...As I said, someone upgraded those 2 files and renamed the originals for backup. I have no idea who did that for you....'. By mentioning '...I have no idea who did that for you...', you are making it sound as though this was something done locally where I am, (ie after dowloading all the files from your website. I just want to make sure you understand that these two files are present in the Version 7.6 with 3.0 patch that I downloaded from your webeite.