A short article on how php-nuke.org knowingly releases a vulnerable and easy to hack product and how it puts webmasters in a compromising situation.
I have been around the nuke development community for some time now, more so lately in nuke evolution. I have always been a part of the other faction, the ones who fix Burzi's work, patch all flaws, and better the code. Sites like ravenphpscripts.com, nuke-evolution.com, and nukefixes.com are the ones who have provided the community with safe and secure nuke versions and various other modifications.
Despite all this, none of them are mainstream sites; most people go straight to phpnuke.org with its pop-ups and flashing ads everywhere and download the latest version, assuming it is secure and that all flaws and exploits have been fixed. Or they just use the scripts installer on their control panel and assume the same. This often proves a big mistake, because all nuke versions on phpnuke.org and on the scripts installers are vulnerable to about 3 types of SQL injection, some more, and at least 10-15 remote command executions.
All this time the author Francisco Burzi has been notified and can see that any unskilled defacer can deface a nuke site easily. They are even charging for the 7.9 version, which is against the GPL; they claim it has new security features and is patched thoroughly, and it is not. I think if someone starts a project like this they must keep their apps up to date, and most CMS developers do. Very few leave their apps vulnerable to so many things. The problem is that php-nuke is now hugely popular; if you go on their site you can see there are 1000 people online at any given time, and you also see it is on every scripts installer. The makers of those installers either know it's dangerous but continue to offer it because it is so popular, or they assume, as most do, that since it is the latest version it must be safe.
Installing stock php-nuke from phpnuke.org or any scripts installer is like pointing a loaded gun at your domain; you will most definitely be hacked. Most people think, "oh well, I'll restore my backups," etc. But what most do not know is that most likely the hacker has obtained their database, which has all the emails and passwords of their users. And as most people on the internet use easily cracked universal passwords, most likely your members will start losing their email, PayPal, and other accounts, all because you installed such a weak and vulnerable web app on your domain.
I am a strong believer that any webmaster who offers a community site where emails and passwords are stored must keep up to date and patch their software. But the thing about php nuke is that if you stay up to date at the maker's site you are still in danger. You must go to the other nuke fork sites to obtain the patches and fixes. How ridiculous is this? Burzi has known for some time that people such as Chatserv, Evaders and Raven have been fixing his apps forever, and he is too arrogant or ignorant to make the fixes, and he does not offer any advice or links to those sites on his.
Even with mod_security and a strong rule set it is still dangerous to install or allow your clients to install php nuke, and you cannot make them patch it or patch it for them each time. I suggest that the webhosting world blacklist any CMS from php-nuke.org and only allow patched versions or secure forks such as Nuke Evolution and Raven Nuke to be installed.
Phpnuke.org obviously does not care about the safety and quality of their products, releasing them knowing that they can easily be hacked. They should be blacklisted from every scripts installer and by every security-conscious admin.
What sort of places can you SQL inject? Just curious, because I've tried it on a few sites and haven't gotten anything special.
I agree with you though; security is my main focus when designing a CMS for someone. Thing is, though, couldn't most SQL injects be stopped with a few simple commands, or is there something deeper to it?
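An added illustration of the "few simple commands" question, not code from this thread and not PHP-Nuke code: it uses Python and an in-memory SQLite table as a stand-in for PHP/MySQL, with a constructed users table. It shows three things: a concatenated query lets an attacker pull every row (emails and password hashes included, which is the database-theft scenario the first post describes); escaping quotes fixes the string-context injection but does nothing for a numeric context like `WHERE uid=...`, where the payload contains no quotes at all; and a bound parameter plus a type check closes both. All table, column and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the page): a small users table of the kind a
# CMS keeps. The pass_hash column holds placeholder strings, not real hashes.
USERS = [
    (1, "admin", "admin@example.test", "hash-of-admin"),
    (2, "alice", "alice@example.test", "hash-of-alice"),
    (3, "bob",   "bob@example.test",   "hash-of-bob"),
]


def open_db():
    """Create an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, email TEXT, pass_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def escape_quotes(s):
    """The 'simple command' fix: double every single quote (SQL's own escaping).
    Only helps when the value lands inside a quoted string literal."""
    return s.replace("'", "''")


# --- numeric context: WHERE uid=<value> ---------------------------------------

def by_uid_unsafe(conn, uid_param):
    """Concatenated query: whatever the user sends becomes part of the SQL."""
    sql = "SELECT uid, name, email, pass_hash FROM users WHERE uid=" + uid_param
    return conn.execute(sql).fetchall()


def by_uid_escaped(conn, uid_param):
    """Quote-escaping applied, but '2 OR 1=1' contains no quotes, so nothing changes."""
    sql = "SELECT uid, name, email, pass_hash FROM users WHERE uid=" + escape_quotes(uid_param)
    return conn.execute(sql).fetchall()


def by_uid_safe(conn, uid_param):
    """Type check plus bound parameter: the value can never be parsed as SQL."""
    uid = int(uid_param)  # raises ValueError for '2 OR 1=1'
    sql = "SELECT uid, name, email, pass_hash FROM users WHERE uid=?"
    return conn.execute(sql, (uid,)).fetchall()


# --- string context: WHERE name='<value>' -------------------------------------

def by_name_unsafe(conn, name_param):
    """Concatenated into a quoted literal: the classic ' OR '1'='1 breaks out."""
    sql = "SELECT uid, name, email, pass_hash FROM users WHERE name='" + name_param + "'"
    return conn.execute(sql).fetchall()


def by_name_escaped(conn, name_param):
    """Here escaping does work: the payload stays inside the literal and matches no row."""
    sql = "SELECT uid, name, email, pass_hash FROM users WHERE name='" + escape_quotes(name_param) + "'"
    return conn.execute(sql).fetchall()


def by_name_safe(conn, name_param):
    """Bound parameter: no escaping needed, the driver never splices it into the SQL."""
    sql = "SELECT uid, name, email, pass_hash FROM users WHERE name=?"
    return conn.execute(sql, (name_param,)).fetchall()


def demo():
    """Run each variant against a benign and a hostile input; return row counts."""
    conn = open_db()
    numeric_hostile = "2 OR 1=1"        # no quotes: escaping is irrelevant
    string_hostile = "' OR '1'='1"      # breaks out of the quoted literal
    results = {
        "uid_unsafe_benign":   len(by_uid_unsafe(conn, "2")),
        "uid_unsafe_hostile":  len(by_uid_unsafe(conn, numeric_hostile)),   # whole table
        "uid_escaped_hostile": len(by_uid_escaped(conn, numeric_hostile)),  # still whole table
        "uid_safe_benign":     len(by_uid_safe(conn, "2")),
        "name_unsafe_benign":  len(by_name_unsafe(conn, "alice")),
        "name_unsafe_hostile": len(by_name_unsafe(conn, string_hostile)),   # whole table
        "name_escaped_hostile": len(by_name_escaped(conn, string_hostile)), # 0 rows
        "name_safe_hostile":   len(by_name_safe(conn, string_hostile)),     # 0 rows
    }
    try:
        by_uid_safe(conn, numeric_hostile)
        results["uid_safe_hostile"] = "accepted"
    except ValueError:
        results["uid_safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The numeric case is the one the "few simple commands" answer misses: PHP-era advice like addslashes or magic_quotes only touches quote characters, and an id spliced in as `uid=$id` needs a cast or a bound parameter, not escaping.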
Well, I did have a list ready of all the popular exploits; all are public. But I figured the mods might not like that, so I can just advise you to check waraxe.us and milw0rm.com.
Install a virgin nuke from Fantastico or straight from phpnuke.org and try those exploits, and you will be amazed at how easy it is to hack.
gotroot.com's rules help some, but I have been able to get by them on my own server. I suppose if you are going to use it no matter what, try nuke-evolution or raven nuke. I use nuke evolution for my security site and it has held strong for over a year now with lots of kiddies trying every day. They don't come back when they do, though, because I have all hack attempts forwarded to a buffer overflow page.
Yes, nuke can be secured with the patch from nukeresources.com and NukeSentinel from nukescripts.net. Even the patches alone will suffice, but not with 7.8 unless Chatserv released a patch.