Looking for a reference (i.e., URL, article, etc.) on this subject.
Looking for a reference (i.e., URL, article, etc.) on this subject.
try this site:
http://www.cccure.org/
A security site using PHPNUKE...Ironical?
Quote:
Great info there.
it's one of the premier CISSP study sites.
why your comment? is PHPNUKE a bad thing?
PHPNUKE is known to have had many security problems in the past.
Quote:
Originally posted here by secure_lockdown
it's one of the premier CISSP study sites.
why your comment? is PHPNUKE a bad thing?
The site content is great, as I stated, but the fact that the site uses PHPNUKE is surprising.
A google for "phpnuke security" and/or "bugtraq phpnuke" will show examples.
Also try http://www.sans.org, especially the reading room, i.e. http://www.sans.org/rr/
Off topic.
Past, Present, Future...
Quote:
PHPNUKE is known to have had many security problems in the past.
it is present on all bugtraqs.... Good software, but it has a lot of "holes". I run a security site with phpnuke too :(
And that sends your login credentials in plaintext.
Quote:
Don't forget about the links to other similar threads at the bottom of every thread..........
Not all are relevant, but just occasionally, you hit paydirt.
[off topic] it might just be me........... but I prefer a post / question with a little more meat on its bones than this one
Come on Bonnie, try harder next time....................
Quote:
Looking for a reference (i.e., URL, article, etc.) on this subject.
It IS the difference between red and green.
Also: Google your title for 3.7 MILLION hits........
http://www.google.com/search?sourcei...ecurity+Theory
Good day to all,
I have noted this forum in my referrals lately and was glad to see some discussions about cccure.org on AntiOnline.
Why PHPNuke? This is really a big question. Five years ago, when I was investigating tools to set up a portal, it was the most user friendly that I could find, and once you have spent the number of hours that I have spent in filling it up, it is tough to switch to something else.
Does PHPNuke have security issues? YES, it does have many of them; yesterday there was another SQL Injection through the Top 10 Modules announced. This seems to be common with a lot of PHP based portals where there is lots of functionality. Modules are being contributed by people worldwide and NOT all developers are security professionals. In order to make nuke a bit more secure there are lots of steps that can be taken; I am trying my best with IDS, port scan attack detection, and a few other tools. However, my focus is NOT on web development but more on content. I need a tool that allows me to input new material easily while helping me to automate the management side of the portal. I do not have the money to buy Oracle Portal or any of the commercial portals sold per seat.
I am most definitely open to recommendations here. I saw lots of postings about HOW BAD nuke is, but I have NOT seen any suggestion for a SECURE replacement that will cost me the same price and give me the same level of functionality. If such a beast does exist, please do let me know.
The mention of sending Username and Password in clear text is an old debate that does come up once in a while. There are tons of replacements and plugins to provide better authentication; however, the site is 100% open, you do not need to register to get access to any of the resources. It is all available to anonymous users. Once again, it is prohibitive to use something such as strong authentication, certificates, smart cards, or other types of authentication when you do not even know who a person is in the first place. An email address has next to no value for authentication. To implement a system with true authentication I would have to charge a fee proportional to the cost of acquisition and maintenance. If there are good PHP programmers willing to help out there, I always accept and take advice very openly when they can help me secure my site.
Best regards to all
Clement
Maintainer of www.cccure.org