Waraxe IT Security Portal  
PHP Nuke 7.7
engagedb (Regular user; joined Jul 10, 2005; posts: 7)
Posted: Sun Jul 10, 2005 10:38 am

Firstly, I'd like to thank WarAxe for providing us with this website, where he and many others have provided information that I've personally used to fix many holes I had no idea existed in PhpNuke, PhpBB, and others.

The reason I registered to post here is my concern about PhpNuke 7.7.

Numerous web sites and forums are complaining about its weaknesses, and none about its strengths; I figured maybe I'm looking in the wrong places.

I'm posting here to ask simply: are they just trying to discredit this version?

Where is the proof? Where is the truth? And most importantly if they know SO many holes, where is the FIX?

... I guess my main question is: is PhpNuke 7.7 secure, or isn't it? I don't want to use it or have my clients using it if it is truly as bad as I read.

-Thanks for your time :) And keep up the great work.
(And another note: I read your post, WarAxe, about Francisco taking your fix and removing the credit. I agree he shouldn't have done it; I'd be equally angry.)
sp3x (Valuable expert; joined Feb 15, 2005; posts: 10)
Posted: Sun Jul 10, 2005 12:51 pm

The code is open, so there will always be some bugs.....
There is no public script that is 100% safe.

PHPNuke is not secure.... Why? Because a lot of code in some places is weak.... and I think the main problem of phpnuke is that they create filters for XSS and SQL injection that can be bypassed.... OK, a filter is fine, but why do they also not use PHP functions... for example: addslashes or htmlspecialchars.
And another problem of phpnuke is that the phpnuke team ignores such bugs (for example XSS); they IGNORE the SECURITY in this script....
And for the fix you must wait a long time...
or write the fix yourself.

That is my opinion.
y3dips (Valuable expert; joined Feb 25, 2005; posts: 281; location: Indonesia)
Posted: Sun Jul 10, 2005 2:51 pm

sp3x wrote:
The code is open, so there will always be some bugs.....
There is no public script that is 100% safe.

PHPNuke is not secure.... Why? Because a lot of code in some places is weak.... and I think the main problem of phpnuke is that they create filters for XSS and SQL injection that can be bypassed.... OK, a filter is fine, but why do they also not use PHP functions... for example: addslashes or htmlspecialchars.
And another problem of phpnuke is that the phpnuke team ignores such bugs (for example XSS); they IGNORE the SECURITY in this script....
And for the fix you must wait a long time...
or write the fix yourself.

That is my opinion.


Hmm, I don't agree with your statement about "the code is open so there will always be some bugs".

Closed programs also have them, even worse!
The closed operating systems are worse and worse about it.

The code is open, yes, so many people will help to find the bugs, but the patch is found as quickly as they find the bug, and the software becomes more "relatively" secure.

I think the problem is that PHP Nuke has grown too far; many programmers attach their module without doing any "security check". I think that's the main problem.

CMIIW

_________________
IO::y3dips->new(http://clog.ammar.web.id);
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)
Posted: Sun Jul 10, 2005 3:13 pm

Welcome aboard, engagedb :D

Some of my thoughts:

1. Freeware/open-source software can be very secure and have great functionality if it has been in development for a long time and if there are lots of people who contribute their free time to improve the product.
Good examples: the Linux kernel, the Apache web server. Of course, there are always new security bugs to come out, but those products are very secure and stable overall. It's the result of years-long work by thousands of volunteers.
As time goes by and new bugs are discovered in phpBB, as a result it will become more and more secure and stable. You know: if it is not killing you, then it will make you stronger ;)

2. Phpnuke was written insecurely from the beginning. Just look at very old phpnuke versions, like 4.x and 5.x, and you will find very funny security bugs. It seems the oldest nuke versions were absolutely unsecured. Even phpnuke 6.x was full of SQL injection cases. Some security started being developed from version 7.0, I think.

Now, all the thousands of programmers who are writing any kind of addons, modules, blocks, hacks, etc. for phpnuke will look at the original code and then program stuff the same way: the insecure way.
I have seen phpnuke-driven websites with the newest phpnuke version, all patches applied to the engine, 3 or even 4 "antihack" systems installed, and on closer look you can see VERY INSECURE modules in use: modules where the programmer has absolutely no clue about single quotes and stuff.
That's sad ...

3. Phpnuke 7.7: I think I will soon take a closer look at this specific nuke version. Let's see what I can find out :)
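To make concrete the two points raised above (sp3x: blacklist-style filters get bypassed while the PHP built-ins addslashes and htmlspecialchars are left unused; waraxe: module authors with "no clue about single quotes"), here is an added PHP example. It is not PHP-Nuke code and not code from anyone in this thread; the filter, the functions, the table name nuke_users and the sample input are all constructed for illustration.

```php
<?php
// Added example, not code from PHP-Nuke or from the thread's authors.
// A blacklist "anti-XSS" filter of the kind criticised in the thread is placed
// beside the built-ins named there (htmlspecialchars, addslashes), plus the
// bound-parameter form that keeps user input out of the SQL text entirely.

/**
 * Blacklist filter in the spirit of the ones discussed: it deletes a few
 * known-bad substrings and passes everything else through. Every construct
 * not on the list, including ones HTML grows later, is untouched.
 */
function blacklist_filter(string $input): string
{
    $bad = ['<script', '</script>', 'javascript:'];
    return str_replace($bad, '', $input);
}

/**
 * Output encoding: every character with meaning in HTML becomes an entity,
 * so user text is always rendered as text and never as markup. ENT_QUOTES
 * covers single quotes, which the default flags would leave alone.
 */
function html_encode(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Legacy approach named in the post: escape quotes with addslashes() and then
 * interpolate into the SQL string. It is character-set unaware and easy to
 * forget on one parameter; shown here for comparison only.
 * (nuke_users is a constructed table name for the example.)
 */
function legacy_query(string $username): string
{
    return "SELECT uid FROM nuke_users WHERE username='" . addslashes($username) . "'";
}

/**
 * Preferred approach: the value never touches the SQL text; it travels as a
 * bound parameter. Returned as [sql, params] so the example runs without a
 * database; with PDO you would call $pdo->prepare($sql)->execute($params).
 */
function prepared_query(string $username): array
{
    return ['SELECT uid FROM nuke_users WHERE username = ?', [$username]];
}

// Constructed sample input containing the characters that matter in both
// contexts: a single quote for SQL, angle brackets, ampersand and double
// quotes for HTML.
$sample = "O'Reilly <b>bold</b> & \"quoted\"";

echo "blacklist: ", blacklist_filter($sample), PHP_EOL;
// The blacklist leaves the raw < > ' " in place: nothing on its list matched,
// so the markup reaches the browser unchanged.
echo "encoded:   ", html_encode($sample), PHP_EOL;
// Every special character is now an entity; the browser shows the text as typed.
echo "legacy:    ", legacy_query($sample), PHP_EOL;
// The quote is backslash-escaped, but correctness depends on remembering
// addslashes() on every single interpolation.
[$sql, $params] = prepared_query($sample);
echo "prepared:  ", $sql, "  params=", json_encode($params), PHP_EOL;
```

The contrast is the one sp3x draws: a filter has to enumerate bad input and is only as good as its list, whereas htmlspecialchars() and parameter binding neutralise whole character classes regardless of what the input contains. Running the file with the PHP CLI prints all four forms for the same sample string.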
engagedb (Regular user; joined Jul 10, 2005; posts: 7)
Posted: Mon Jul 11, 2005 11:28 am

Thanks for the welcome :)

I'd like to say yes, I've seen the same thing. A friend of mine used 4 phpNuke anti-hack scripts and had taken advantage of renaming the Admin.php file; he got hacked and wanted to know how it happened. We found the bug (I can't remember now; it was some weeks ago). And we also noticed one thing that really struck my fancy.

On the Php Nuke site they had posted about how the readme failed to mention you need to add the new Admin.php filename to robots.txt, although if you do that, then anyone can simply go to www.sitename.com/robots.txt and see the name. Very confusing as to what the purpose is of even bothering to hide the filename? Lol.
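The robots.txt point above is worth turning into a check a site owner can run against their own installation. The following is an added PHP example, not PHP-Nuke code and not from anyone in the thread: it parses a robots.txt and flags any Disallow entry that names a single script file, since robots.txt is public and a renamed admin.php listed there is no longer hidden. The file name `secretadmin_8271.php` and the robots.txt content are constructed placeholders.

```php
<?php
// Added example, not code from PHP-Nuke or the thread's authors: audit a
// site's own robots.txt for Disallow lines that give away a "hidden" script
// name, the situation described in the post above. Input is constructed.

/**
 * Parse robots.txt text into a list of [user-agent group, Disallow path].
 * Comments and blank lines are skipped; field names are case-insensitive,
 * and a Disallow line belongs to the most recent User-agent line seen.
 */
function robots_disallows(string $robots): array
{
    $result = [];
    $agent = '*';
    foreach (preg_split('/\r?\n/', $robots) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));
        if ($line === '' || strpos($line, ':') === false) {
            continue;
        }
        [$field, $value] = array_map('trim', explode(':', $line, 2));
        $field = strtolower($field);
        if ($field === 'user-agent') {
            $agent = $value;
        } elseif ($field === 'disallow' && $value !== '') {
            $result[] = [$agent, $value];
        }
    }
    return $result;
}

/**
 * Flag entries that point at one script file rather than a directory.
 * A directory prefix such as /admin/ says little; an exact file name such as
 * a renamed admin.php publishes the very thing the rename was meant to hide.
 */
function disclosing_entries(array $disallows): array
{
    $flagged = [];
    foreach ($disallows as [$agent, $path]) {
        if (preg_match('~/[^/]+\.php$~i', $path)) {
            $flagged[] = $path;
        }
    }
    return $flagged;
}

// Constructed robots.txt, as a site following the readme advice might write it.
$sample = <<<ROBOTS
User-agent: *
Disallow: /images/
Disallow: /secretadmin_8271.php   # placeholder for a renamed Admin.php
Disallow: /modules/
ROBOTS;

foreach (disclosing_entries(robots_disallows($sample)) as $path) {
    echo "robots.txt publishes a script name you meant to hide: $path", PHP_EOL;
}
```

Run with the PHP CLI it reports the single .php entry and stays silent about the two directory entries. The underlying lesson is the one engagedb reaches: robots.txt is advice to well-behaved crawlers, not an access control, so a renamed admin script should be protected by server-side authentication and simply not mentioned in robots.txt at all.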
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)
Posted: Mon Jul 11, 2005 12:21 pm

engagedb wrote:
On the Php Nuke site they had posted about how the readme failed to mention you need to add the new Admin.php filename to robots.txt, although if you do that, then anyone can simply go to www.sitename.com/robots.txt and see the name. Very confusing as to what the purpose is of even bothering to hide the filename? Lol.


That's a good one :lol:

I remember that one of the RIAA hacking cases started with looking at robots.txt:

http://www.wbglinks.net/pages/reads/wbgreads/hacksexplained/hacksexplained05.html
engagedb (Regular user; joined Jul 10, 2005; posts: 7)
Posted: Mon Jul 11, 2005 12:44 pm

Lol! Priceless, truly priceless.