-
October 10th, 2004, 01:29 PM
#1
Junior Member
Information Security Theory
Looking for a reference (i.e., URL, article, etc.) on this subject.
-
October 10th, 2004, 01:58 PM
#2
-
October 10th, 2004, 03:29 PM
#3
A security site using PHPNUKE...Ironical?
Great info there.
-
October 10th, 2004, 05:09 PM
#4
it's one of the premier CISSP study sites.
why your comment? is PHPNUKE a bad thing?
-
October 10th, 2004, 08:20 PM
#5
Originally posted here by secure_lockdown
it's one of the premier CISSP study sites.
why your comment? is PHPNUKE a bad thing?
PHPNUKE is known to have many security problems in the past.
The site content is great, as I stated but the fact that the site uses PHPNUKE is surprising.
A google for "phpnuke security" and/or "bugtraq phpnuke" will show examples.
-
October 11th, 2004, 12:11 PM
#6
Senior Member
Also try http://www.sans.org especially the reading room i.e. http://www.sans.org/rr/
****** Any man who knows all the answers most likely misunderstood the questions *****
-
October 11th, 2004, 01:23 PM
#7
Off topic.
PHPNUKE is known to have many security problems in the past.
Past, Present, Future...
it is present on all bugtraqs.... Good software, but it has a lot of "holes". I run a security site with phpnuke too
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
October 11th, 2004, 10:37 PM
#8
Senior Member
Originally posted here by ss2chef
A security site using PHPNUKE...Ironical?
And that sends your login credentials in plaintext.
-
October 11th, 2004, 11:38 PM
#9
Don't forget about the links to other similar threads at the bottom of every thread..........
Not all are relevant, but just occasionally, you hit paydirt.
[off topic] it might just be me........... but I prefer a post / question with a little more meat on its bones than this one
Looking for a reference (i.e., URL, article, etc.) on this subject.
Come on Bonnie, try harder next time....................
It IS the difference between red and green.
Also: Google your title for 3.7 MILLION hits........
http://www.google.com/search?sourcei...ecurity+Theory
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
April 7th, 2005, 07:44 PM
#10
Junior Member
www.cccure.org
Good day to all,
I have noted this forum in my referrals lately and was glad to see some discussions about cccure.org on AntiOnline.
Why PHPNuke? This is really a big question. Five years ago when I was investigating tools to set up a portal it was the most user friendly that I could find and once you have spent the number of hours that I have spent in filling it up, it is tough to switch to something else.
Does PHPNuke have security issues? YES it does have many of them, yesterday there was another SQL Injection through the Top 10 Modules announce. This seems to be common with a lot of PHP based portals where there are lots of functionality. Modules are being contributed by people worldwide and NOT all developers are security professionals. In order to make nuke a bit more secure there are lots of steps that can be taken, I am trying my best with IDS, port scan attack detection, and a few other tools. However, my focus is NOT on web development but more on content. I need a tool that allows me to input new material easily while helping me to automate the management side of the portal. I do not have the money to buy Oracle Portal or any of the commercial portals sold per seat.
I am most definitely open to recommendations here, I saw lots of postings about HOW BAD nuke is but I have NOT seen any suggestion for a SECURE replacement that will cost me the same price and give me the same level of functionality. If such a beast does exist, please do let me know.
The mention of sending Username and Password in clear text is an old debate that does come up once in a while. There are tons of replacements and plugins to provide better authentication, however the site is 100% open, you do not need to register to get access to any of the resources. It is all available to anonymous users. Once again, it is prohibitive to use something such as strong authentication, certificates, smart card, or other types of authentication when you do not even know who a person is in the first place. An email address has next to no value for authentication. To implement a system with true authentication I would have to charge a fee proportional to the cost of acquisition and maintenance. If there are good PHP programmers willing to help out there, I always accept and take advice very openly when they can help me secure my site.
Best regards to all
Clement
Maintainer of www.cccure.org