Waraxe IT Security Portal
July 14, 2024
PHP Nuke 7.7
Posted: Sun Jul 10, 2005 10:38 am
engagedb
Regular user
Joined: Jul 10, 2005
Posts: 7

Firstly, I'd like to thank WarAxe for providing us with this website, where he and many others have provided information that I've personally used to fix many holes I had no idea existed in PhpNuke, PhpBB, and others.

The reason I registered to post here is my concern about PhpNuke 7.7.

Numerous web sites and forums are complaining about its weaknesses, and none of its strengths. I figured maybe I'm looking in the wrong places.

I'm posting here to ask simply, are they just trying to disrepute this version?

Where is the proof? Where is the truth? And most importantly if they know SO many holes, where is the FIX?

... I guess my main question is: is PhpNuke 7.7 secure, or isn't it? I don't want to use it or have my clients using it, if it is truly as bad as I read.

-Thanks for your time :) And keep up the great work.
(and another note, I read your post WarAxe, about Francisco taking your fix and removing the Credit, I agree he shouldn't have done it, I'd be equally angry)
Posted: Sun Jul 10, 2005 12:51 pm
sp3x
Valuable expert
Joined: Feb 15, 2005
Posts: 10

The code is open so there will always be some bugs.....
There is no public script that is 100% safe.

PHPNuke is not secure.... why? Because a lot of code in some places is weak.... and I think the main problem of phpnuke is that they create filters for XSS and SQL inj that can be bypassed.... ok, filters are fine, but why do they not also use PHP functions ... for example: addslashes or htmlspecialchars.
And another problem of phpnuke is that the phpnuke team ignores such bugs (for example XSS), they IGNORE the SECURITY in this script....
And for the fix you must wait a long time...
or write the fix yourself

that is my opinion
Posted: Sun Jul 10, 2005 2:51 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

sp3x wrote:
> The code is open so there will always be some bugs.....
> There is no public script that is 100% safe.
>
> PHPNuke is not secure.... why? Because a lot of code in some places is weak.... and I think the main problem of phpnuke is that they create filters for XSS and SQL inj that can be bypassed.... ok, filters are fine, but why do they not also use PHP functions ... for example: addslashes or htmlspecialchars.
> And another problem of phpnuke is that the phpnuke team ignores such bugs (for example XSS), they IGNORE the SECURITY in this script....
> And for the fix you must wait a long time...
> or write the fix yourself
>
> that is my opinion


Hum, I don't agree with your statement about "the code is open so there will be always some bugs".

Closed programs also have them, even worse!
The closed operating systems are worse and worse about it.

The code is open; yes, many people will help to find the bug, but the patch is found as quickly as they found the bug, and the software becomes more "relatively" secure.

I think the problem is, PHP Nuke has grown too far; many programmers attach their modules without doing any "security check". I think that's the main problem.

CMIIW

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Sun Jul 10, 2005 3:13 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Welcome aboard, engagedb :D

Some of my thoughts:

1. Freeware/open-source software can be very secure and have great functionality, if it has been in development a long time and if there are lots of people who contribute their free time to improve the product.
Good examples - linux kernel, apache webserver. Of course, there are always new security bugs to come out, but those products are very secure and stable in summary. It's the result of years-long work by thousands of volunteers.
As time goes by and new bugs are discovered in phpBB, as a result it will become more and more secure and stable. You know - if it is not killing you, then it will make you stronger ;)

2. Phpnuke - it is written insecurely from the beginning. Just look at very old phpnuke versions, like 4.x and 5.x, and you will find very funny security bugs. Seems like the oldest nuke versions were absolutely unsecured. Even phpnuke 6.x was full of SQL injection cases. Some security started being developed from version 7.0, I think.

Now, all the thousands of programmers who are writing any kind of addons, modules, blocks, hacks, etc. for phpnuke - they will look at the original code and then program stuff in the same way - the insecure way.
I have seen phpnuke-driven websites with the newest phpnuke version, all patches applied to the engine, 3 or even 4 "antihack" systems installed, and on a closer look you can see VERY INSECURE modules in use - modules where the programmer has absolutely no clue about single quotes and stuff.
That's sad ...

3. Phpnuke 7.7 - I think that I will soon take a closer look at this specific nuke version. Let's see what I can find out :)
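An added PHP example, not PHP-Nuke code and not from any poster, for the points in sp3x's and waraxe's posts above: a keyword filter beside htmlspecialchars() output encoding, and a query built by string concatenation beside a prepared statement (used here in place of the addslashes() that sp3x mentions). It assumes PHP 7 or later with the pdo_sqlite extension; every function name, the table and the sample inputs are constructed.

```php
<?php
// Added illustration, not PHP-Nuke code. All function names, the table and
// the sample inputs are constructed for this example.

// A keyword filter of the kind sp3x describes: it removes listed substrings.
function blacklist_filter(string $in): string
{
    return str_ireplace(['<script', '</script', 'javascript:'], '', $in);
}

// Output encoding for an HTML context: & < > " ' all become entities.
function encode_for_html(string $in): string
{
    return htmlspecialchars($in, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the value is pasted into the statement text.
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the value travels separately from the statement text.
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Harmless constructed markup: the filter lists none of its substrings.
$comment = '<img src="x" alt="hi"> & more';
echo blacklist_filter($comment), "\n";
echo encode_for_html($comment), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$db->prepare('INSERT INTO users VALUES (?)')->execute(["O'Brien"]);

try {
    find_user_concat($db, "O'Brien");   // the apostrophe ends the SQL literal
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
print_r(find_user_prepared($db, "O'Brien"));
```

An ordinary surname is enough to break the concatenated query, which is the sign that data is being parsed as SQL; the prepared statement treats the same value as data only.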
Posted: Mon Jul 11, 2005 11:28 am
engagedb
Regular user
Joined: Jul 10, 2005
Posts: 7

Thanks for the welcome :)

I'd like to say yes, I've seen the same thing. A friend of mine used 4 phpNuke anti-hack scripts, and had taken advantage of renaming the Admin.php file. He got hacked and wanted to know how it happened; we found the bug (I can't remember now, was some weeks ago). And we also noticed one thing that really struck my fancy.

On the Php Nuke site they had posted about how the readme failed to mention you need to add the new Admin.php filename to Robots.txt, although if you do that, then anyone can simply go to www.sitename.com/robots.txt and see the name. Very confusing as to what the purpose is of even bothering to hide the filename? Lol.
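An added PHP example, not from the thread or from PHP-Nuke, of checking your own robots.txt for the disclosure engagedb describes: Disallow rules that name one concrete script or carry a sensitive-looking keyword. The sample robots.txt, the file name nk_ctl_8842.php and the keyword list are constructed assumptions.

```php
<?php
// Added illustration, not from the thread. The robots.txt content, the file
// name "nk_ctl_8842.php" and the keyword list are constructed for the example.

function audit_robots(string $robotsTxt): array
{
    $findings = [];
    foreach (preg_split('/\R/', $robotsTxt) as $n => $line) {
        $line = trim(preg_replace('/#.*/', '', $line));   // drop comments
        if (!preg_match('/^disallow\s*:\s*(\S+)/i', $line, $m)) {
            continue;                                     // not a Disallow rule
        }
        $path = $m[1];
        $reasons = [];
        // A rule naming one concrete script publishes that script's name.
        if (preg_match('/\.(php\d?|phtml|inc|cgi|asp|aspx)(\?|$)/i', $path)) {
            $reasons[] = 'names a specific script';
        }
        // Paths whose names advertise what sits behind them.
        if (preg_match('/admin|login|backup|install|config|secret/i', $path)) {
            $reasons[] = 'sensitive-looking keyword';
        }
        if ($reasons) {
            $findings[] = ['line' => $n + 1, 'path' => $path, 'why' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample input.
$sample = <<<TXT
User-agent: *
Disallow: /images/
Disallow: /nk_ctl_8842.php   # renamed admin file
Disallow: /modules/backup/
TXT;

foreach (audit_robots($sample) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['path'], implode(', ', $f['why']));
}
```

A flagged path is better protected by authentication on the script itself, and kept out of search indexes with an `X-Robots-Tag: noindex` response header, than by a robots.txt entry that anyone can read.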
Posted: Mon Jul 11, 2005 12:21 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

engagedb wrote:
> On the Php Nuke site they had posted about how the readme failed to mention you need to add the new Admin.php filename to Robots.txt, although if you do that, then anyone can simply go to www.sitename.com/robots.txt and see the name. Very confusing as to what the purpose is of even bothering to hide the filename? Lol.


That's a good one :lol:

I remember that one of the RIAA hacking cases started with looking at robots.txt:

http://www.wbglinks.net/pages/reads/wbgreads/hacksexplained/hacksexplained05.html
Posted: Mon Jul 11, 2005 12:44 pm
engagedb
Regular user
Joined: Jul 10, 2005
Posts: 7

Lol! Priceless, truly priceless
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"