valdarez
Worker
Joined: Jan 22, 2007
Posts: 104
Posted: Tue Feb 13, 2007 5:28 pm
When I first installed Nuke on version 7.5 I read several posts that indicated I should disable the Journal due to security vulnerabilities. Is that still the case for version 7.6, or more importantly, for the RavenNuke 2.02.02 distro? I would like to add some type of 'blog' feature for the website and the Journal seems the natural choice. (I'm open to other alternatives whether free or commercial)
Edit: Junk, wrong forum. Can someone move this to the 2.02.02 forum please?
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Tue Feb 13, 2007 7:08 pm
I don't know what the security vulnerabilities are with Journal and I've never used it so I can't address the first part of your question. I do know that I'd probably wait just a bit for 2.10 before implementing new features.
On the blog, what I did on the site I'm webmaster for was to create a new news story category called "blog". Then if a user wants a blog he can just submit news and you can classify the article under blog. As long as the story is not associated with the "article" category you have the option to not show it on the home page. So, if a user writes a series of "blog" entries you can just put the most recent one on the home page and have the rest in the stories archive. Then if you click on blog you'll see all the articles in that category. Occurs to me as I'm typing that you could also create categories like blog_user1, blog_user2 if you wanted to keep them separate.
This may not be what you want, I just throw it out as an idea.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Feb 13, 2007 11:23 pm
valdarez, unfortunately I am not sure. My "gut" tells me "yes" because the upcoming 2.10.00 release has ALL the latest patches and kguske did some work, I think, to straighten out the editor, but I am not sure any of us could say anything is 100%... we are ALL humor and "to err is human".
valdarez
Posted: Tue Feb 13, 2007 11:59 pm
montego wrote:
    valdarez, unfortunately I am not sure. My "gut" tells me "yes" because the upcoming 2.10.00 release has ALL the latest patches and kguske did some work, I think, to straighten out the editor, but I am not sure any of us could say anything is 100%... we are ALL humor and "to err is human".

Was the humor typo a Freudian slip to prove your error point?
montego
Posted: Wed Feb 14, 2007 12:21 am
You will never know for sure...
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Wed Feb 14, 2007 6:53 am
The changes we made were to address the use of a kses filter class that sixonetonoffun added to increase security. Since we were using kses for nukeWYSIWYG, we had to resolve the conflict. Even though I did not test it for security, I believe six did.
_________________ I search, therefore I exist...
valdarez
Posted: Fri Feb 16, 2007 3:26 pm
It's my understanding that Raven is meant to be an extremely secure release of the PHPNuke code base. That would lead me to believe all built-in modules should be inherently secure if all of the patches are up to date. There don't seem to be any patches for the Journal. It just worries me that it supports HTML and I have read several security posts/threads warning to disable all HTML in PHPNuke. It sounds like you guys are giving it a tentative 'I think it's secure' endorsement?
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Fri Feb 16, 2007 5:36 pm
On the other side of the coin, I have heard of no reports where a successful exploit was performed using the Journal module where the FCK WYSIWYG is integrated. But whatever you decide, unless you want tons of spam, ensure the module access is set for registered users at the minimum.
kguske
Posted: Fri Feb 16, 2007 10:14 pm
Your understanding is correct - at least the first part. RavenNuke has the latest security patches, NukeSentinel and more, which make it more secure than standard, unpatched Nuke distributions. With nukeWYSIWYG (specifically, the kses HTML filter class), it is much more than Nuke 7.7 and higher where HTML checking was basically disabled.
The version of the Journal module included in RavenNuke, though hardly used and not as thoroughly tested as other modules, was enhanced by Sixonetonoffun to use the kses filter class (among other things), in addition to the other security enhancements included in RavenNuke (mainly NukeSentinel) that protect all modules.
Does that mean we certify this module to be secure and protected from any and all attacks and configuration, shall we say, mistakes? Of course not. Security is a journey - not a destination. People will come up with new ways to circumvent or break built in protections, and we must be vigilant in identifying and addressing those issues.
In short, if I were using an unpatched distribution without NukeSentinel and an HTML filter class / function like kses (there are other good options, too), I would disable all HTML. Then again, even that wouldn't fully protect the site. But with all the enhancements and testing done on RN, you should be significantly less likely to have a successful attack using the Journal module. Clear as mud?
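An added example (not code from RavenNuke, the Journal module or kses itself) contrasting the two options kguske describes for untrusted journal text: HTML disabled outright, or HTML kept but passed through the kses allowlist. It assumes kses.php from the kses 0.2.x distribution is on the include path; the allowlist and the sample entries are constructed for the illustration.

```php
<?php
// Added example, not RavenNuke's, the Journal module's or kses's own code.
// Assumes kses.php (kses 0.2.x) is on the include path; the allowlist and
// the sample journal entries below are constructed for this illustration.
require_once 'kses.php';

// Allowlist in kses's own format: tag => (attribute => checks). Whatever is not
// listed (script, iframe, on* event handlers, style, ...) is stripped.
$journal_allowed_html = array(
    'a'   => array('href' => array('maxlen' => 250), 'title' => array('maxlen' => 100)),
    'img' => array('src'  => array('maxlen' => 250), 'alt'   => array('maxlen' => 100)),
    'b' => array(), 'i' => array(), 'u' => array(), 'p' => array(), 'br' => array(),
    'blockquote' => array(),
);
// URL schemes accepted in href/src; javascript:, data: and the like are rejected.
$journal_allowed_protocols = array('http', 'https', 'mailto');

// The two choices discussed in the thread for untrusted journal text.
function journal_clean($text, $html_enabled) {
    global $journal_allowed_html, $journal_allowed_protocols;
    if (!$html_enabled) {
        // "Disable all HTML": tags are shown literally, never interpreted.
        return htmlspecialchars($text, ENT_QUOTES);
    }
    // kses removes NUL bytes, normalises entities, then keeps only allowlisted
    // tags, attributes and URL protocols; text inside stripped tags is kept as text.
    return kses($text, $journal_allowed_html, $journal_allowed_protocols);
}

// Constructed entries of the kind an untrusted member could submit.
$samples = array(
    '<p>Went <b>hiking</b>, see <a href="http://example.com/pics">pics</a>.</p>',
    '<p onmouseover="alert(1)">hi</p><script>alert(document.cookie)</script>',
    '<a href="javascript:alert(1)">click</a><img src="x" onerror="alert(1)">',
);
foreach ($samples as $entry) {
    echo "HTML off : ", journal_clean($entry, false), "\n";
    echo "via kses : ", journal_clean($entry, true), "\n\n";
}
```

Run it from the command line and compare the two lines per sample: the first sample survives kses with its formatting and link, while the event handlers, script tag and javascript: URL in the other two do not.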
montego
Posted: Sat Feb 17, 2007 9:02 am
And, one additional comment, and NOT to take away from kguske's excellent response because this is just a general cautionary note! Just because you have NukeSentinel and the new kses, this does NOT protect you when you install poorly written add-on modules and hacks. This is why it is each admin's responsibility to know what they are installing and take personal responsibility for it. That is what OpenSource / free is all about... the responsibility lies with YOU.
Regards,
montego
valdarez
Posted: Sat Feb 17, 2007 11:45 am
montego wrote:
    And, one additional comment, and NOT to take away from kguske's excellent response because this is just a general cautionary note! Just because you have NukeSentinel and the new kses, this does NOT protect you when you install poorly written add-on modules and hacks. This is why it is each admin's responsibility to know what they are installing and take personal responsibility for it. That is what OpenSource / free is all about... the responsibility lies with YOU.
    Regards,
    montego

Understood montego. I only had other modules installed when the site was first hacked, Shoutcast and the Donations module. I failed to keep the forums up to date. I think the first time it was hacked we were on the .07 patch, when .13 was available, and this last time we were hacked I was on the .13 patch when .22 was available. A really nice-to-have feature that could be added to a future version of phpnuke is the ability for phpnuke to check for new patches/versions of the various modules and send an email to the administrator.
In regards to the filter class / nukeWYSIWYG editor: is it disabled by default? I have the Journal running so the Administrator can view it and it's just using the standard editor.
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
Posted: Sun Feb 18, 2007 8:33 am
nukeWYSIWYG is not integrated with the Journal module in 2.02.02, but it will be in the new 2.10.0.