Chapter 65. Securing PHP-Nuke


PHP-Nuke has a bit of a nasty reputation when it comes to security, but it's not all bad news. For one, later versions (7.3 and beyond) really correct a lot of bugs. A forthcoming version, 7.5 (which should be out by the time you read this), promises to focus heavily on security.

So how bad is it? Well, I don't know that a Fortune 500 company wants to run their public, commercial Web site on PHP-Nuke, but PHP-Nuke was never designed with that in mind. One technique is to ban the IP addresses of folks who try to hack your Web site, a feature being added to PHP-Nuke in the 7.4 to 7.5 timeframe (although PHP gurus can modify the PHP-Nuke files in earlier versions to add IP banning). You can also talk to your Web hosting service about banning IP addresses; some may offer a feature for doing so.
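As an added illustration of the kind of IP-banning check a PHP-savvy administrator might bolt onto an older PHP-Nuke (this is example code, not PHP-Nuke's own or the book's), the snippet below could be included near the top of a PHP-Nuke entry point. The ban list entries, the function names, and the assumption of 64-bit PHP (so that ip2long() returns non-negative integers) are all mine:

```php
<?php
// Added example (not PHP-Nuke's own code): a small IPv4 ban check intended to
// run before any other PHP-Nuke processing. Everything here, including the
// ban list, the function names and the log message, is illustrative.

// Constructed ban list: single addresses and CIDR ranges (IPv4 only).
$bannedSources = array(
    '203.0.113.45',      // constructed example address
    '198.51.100.0/24',   // constructed example range
);

/**
 * Returns true when $ip falls inside $entry, which is either a single IPv4
 * address or an IPv4 CIDR range such as "198.51.100.0/24".
 * Assumes 64-bit PHP, where ip2long() yields non-negative integers.
 */
function ipMatchesEntry($ip, $entry)
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // not a valid IPv4 address
    }
    if (strpos($entry, '/') === false) {
        return $ipLong === ip2long($entry); // exact address match
    }
    list($network, $bits) = explode('/', $entry, 2);
    $bits = (int) $bits;
    $netLong = ip2long($network);
    if ($netLong === false || $bits < 0 || $bits > 32) {
        return false;                       // malformed range entry
    }
    // Mask keeps only the network prefix; /0 is special-cased to avoid a 32-bit shift.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** True if $ip matches any entry in the ban list. */
function ipIsBanned($ip, array $bans)
{
    foreach ($bans as $entry) {
        if (ipMatchesEntry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer the Web server actually saw. Headers such as
// X-Forwarded-For are client-controlled and must not be used here unless a
// proxy you operate is the one setting them.
$clientIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

if ($clientIp !== '' && ipIsBanned($clientIp, $bannedSources)) {
    header('HTTP/1.1 403 Forbidden');
    // Record the block so the ban list can be reviewed and pruned later.
    error_log("Blocked banned address: $clientIp");
    exit;
}
```

Banning by address is a blunt instrument: attackers move between addresses, and a range ban can shut out legitimate visitors sharing a proxy or ISP block, so keep the list short and review the log entries it produces.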

Another way is to disable uploads to your Web site. PHP-Nuke includes only a couple of upload capabilities, namely the forums' avatar graphics. Disable that feature, and you'll close a lot of potential vulnerabilities (see the topics on Forum Administration for details on doing so).

A good way to test for vulnerabilities is to run the current version of the analyze.php script, which you simply upload to your Web site and then visit as if it were a normal Web page (point your Web browser to it, in other words). You can get the script from http://phpnuke.org/modules.php?name=PHP-Nuke_HOWTO&page=test-scripts.html or http://nukecops.com/downloads-file-13-details-Analyzer.html.

By the Way

The Nuke Cops Web site, www.nukecops.com, is a great site to visit regularly. It's the official site of the PHP-Nuke development team, so lots of goodies tend to pop up there.


Keep in mind that a PHP-Nuke Web site has a number of vulnerability points, and you'll need to regularly check for security updates to each of them:

  • PHP-Nuke itself. Download fixes from www.phpnuke.org or www.nukeresources.com.

  • Your database engine, which is typically MySQL. Go to www.mysql.com for details, or, if you're using a hosting provider, ask them to install any outstanding security fixes.

  • Your Web server, which is usually Apache. Hosting providers should be installing the latest fixes for you; ask them if they have. The official Web site, www.apache.org, highlights recent fixes.

  • The PHP language itself (the language PHP-Nuke is written in), which is documented at www.php.net. Again, this is something a hosting provider should keep updated, if you're using one.

  • Your server operating system, which varies. Hosting providers will need to keep this up-to-date.

Another security trick: Open your site's config.php file and change the security key from the default. In fact, do this as soon as you start using your site. You can change the $sitekey variable to contain anything you want, but don't leave it at the default, and don't use a simple word or phrase; make it at least as long as it started out.
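The following added example (mine, not code from the book or from PHP-Nuke) puts the advice above into a small check-and-generate script: it flags a $sitekey that is short, word-like, or low in variety, and proposes a random replacement at least as long as the shipped value. The weak sample key and the assumed shipped length of 30 characters are constructed placeholders; substitute strlen() of the key your own config.php came with:

```php
<?php
// Added example (not from PHP-Nuke or the book): checks whether a $sitekey
// looks weak and generates a replacement at least as long as the original.
// The value below is a constructed stand-in, not PHP-Nuke's real default.

$sitekey = 'secret';  // constructed weak example

/**
 * Returns a list of reasons the key is weak; an empty list means it passed.
 * $originalLength is the length of the key as it shipped, which the new key
 * should at least match.
 */
function sitekeyWeaknesses($key, $originalLength)
{
    $problems = array();
    if (strlen($key) < $originalLength) {
        $problems[] = 'shorter than the shipped default';
    }
    if (preg_match('/^[a-z]+$/i', $key)) {
        $problems[] = 'contains letters only, so it reads like a word';
    }
    if (preg_match('/^(.)\1*$/', $key)) {
        $problems[] = 'a single repeated character';
    }
    // Few distinct characters means little entropy regardless of length.
    if (count(count_chars($key, 1)) < 8) {
        $problems[] = 'fewer than eight distinct characters';
    }
    return $problems;
}

/**
 * Builds a random key of $length characters from a printable alphabet that
 * needs no escaping inside a PHP string literal.
 * random_int() requires PHP 7 or later; on older PHP, generate the key on
 * another machine and paste it into config.php.
 */
function generateSitekey($length)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
              . '0123456789!@#$%^&*()-_=+';
    $key = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Assumed shipped length (placeholder): use strlen() of your original key.
$shippedLength = 30;

$problems = sitekeyWeaknesses($sitekey, $shippedLength);
if ($problems) {
    echo "Current \$sitekey is weak: " . implode('; ', $problems) . "\n";
    echo "Suggested replacement line for config.php:\n";
    echo '$sitekey = ' . var_export(generateSitekey($shippedLength), true) . ";\n";
} else {
    echo "\$sitekey looks acceptable.\n";
}
```

Run it from the command line rather than uploading it to the Web server, since the proposed key is printed in clear text; after pasting the new value into config.php, make sure that file is not readable by other accounts on a shared host.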

In the forums, disable HTML and enable BBcode. BBcode provides similar formatting features while avoiding the security concerns associated with HTML in forum posts. To help eliminate file uploads, remove the modules/WebMail/mailattach.php file (it won't be present unless you've installed or upgraded from an older version). You'll find a number of other good security tips at http://phpnuke.org/modules.php?name=PHP-Nuke_HOWTO&page=security-measures.html.
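To show why BBcode-only posting is the safer choice, here is an added example of a minimal BBcode renderer (my illustration, not PHP-Nuke's forum code): the whole post is HTML-escaped first, and only a short allow-list of BBcode tags is then translated to markup, so user-typed HTML stays inert. The function name, the supported tags, and the sample post are constructed:

```php
<?php
// Added example (not PHP-Nuke's forum code): escape first, then translate an
// allow-list of BBcode tags. Nothing the user types reaches the page as HTML
// unless one of these patterns produced it.

function renderBbcode($post)
{
    // Step 1: neutralise every HTML construct in the post. From here on,
    // "<script>" is plain text, whatever follows it.
    $safe = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');

    // Step 2: translate the allow-list. Because only these patterns become
    // markup, the user cannot add attributes, event handlers or other elements.
    $rules = array(
        '#\[b\](.*?)\[/b\]#is' => '<strong>$1</strong>',
        '#\[i\](.*?)\[/i\]#is' => '<em>$1</em>',
        // URL tag: the target must be http(s) and may not contain whitespace,
        // brackets or quote characters (quotes were already escaped in step 1),
        // so the href attribute cannot be broken out of and javascript: is rejected.
        '#\[url=(https?://[^\s\[\]"\']+)\](.*?)\[/url\]#is'
            => '<a href="$1" rel="nofollow">$2</a>',
    );
    return preg_replace(array_keys($rules), array_values($rules), $safe);
}

// Constructed forum post mixing legitimate BBcode with an HTML injection attempt.
$post = '[b]Hello[/b] <script>alert(1)</script> [url=http://example.com/]site[/url]';

echo renderBbcode($post), "\n";
```

The ordering is the whole point: escaping after translation would destroy the generated markup, while translating without escaping would let raw HTML through alongside the BBcode. Any new tag added to $rules needs the same scrutiny the [url] rule got, since each rule is a deliberate hole in the escaping.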

Scared yet? Let's look at the absolutely worst-case scenario: Your site is hacked. Depending on the hacker, three things can occur:

  • The hacker will learn information about your site, up to and including encrypted user passwords. Using relatively straightforward (although somewhat time-consuming) techniques, hackers can turn encrypted passwords into clear-text passwords. Because many users will use the same password everywhere on the Internet, the hacker could then attempt to log on to other Web sites, impersonating your users.

  • Slightly less bad, the hacker defaces your Web site. This can be undone by resorting to your backups. You did make backups, right? I showed you how in Topic 43, "Backing Up Your Site and Database."

  • Similarly, the hacker could wipe out your Web site. See Topic 43 for details on restoring your site from your backups. I know you made backups.

How much of this is a problem? Well, obviously, giving away your user passwords is pretty bad. But honestly, it's why your users should use different passwords for each site, no matter how painful that is. Try to help your users understand that, and you'll be doing them a big favor. Having your Web site wiped out or defaced is bad, but how bad depends on the Web site. If you're just using the Web site to share information on games or cooking, it'll be more frustrating than catastrophic; if you use PHP-Nuke to host an ultrasecure Web site where CIA spies check in, then you're probably kidding yourself. Use something different (but send me your site address first, please).

The very, very, very best thing you can do is to upgrade to new versions of PHP-Nuke, since each incorporates new security fixes. I'm pretty lazy about upgrading, skipping two to three versions at a time. But you'll do better because you care about security. I cover upgrading in Topic 66, "Upgrading PHP-Nuke," by the way, and you'll find it to be a fun and invigorating process. Well, at least not a difficult process.

So is that all I have to say about security? Well, um, yeah. It's not that security isn't important (believe me, I get on top of tables all the time and yell about it); it's just that it's complicated. Stuff like cross-site scripting, path disclosure, and so forth is interesting only if you're in the industry. If you're just planning to use PHP-Nuke to put up a small portal site with a few thousand users or so, you're probably going to be fine, as long as you follow some of the practical advice I outlined here, keep updated on PHP-Nuke versions, and select a Web host that'll work to keep their software patched and updated.

Another consideration is that, while PHP-Nuke doesn't have perfect security, there's not much you're going to be able to do about it. It is what it is; you kind of have to either accept the product as is and continue to upgrade as it gets better, or you'll have to decide not to use it. PHP-Nuke has continued to become more and more secure, but it will probably always have flaws. All software has flaws. The ever-changing nature of PHP-Nuke makes it difficult to even keep up with the flaws that have been fixed, although www.phpnuke.org is a good place to start reviewing that information.



From PHP-Nuke Garage, by Don Jones (ISBN 0131855166, 2006, 235 pages).