NukeCops  
Security problem
Securitytour93 writes "Hello everybody and Happy Holidays,
With all this hacking going on, I was just curious to know if somebody at Nukecops.com is looking at all the blocks and modules that are submitted to you. Because if somebody with a malicious mind can create a module, that a lot of people are going to download, with a back door to access the site admin. Is it possible?
Just a thought.
Alain

Admin Note: As per our AUP we do not check files that are not released by Nuke Cops. Even folks who use our uploads section to distribute their own work are not checked by Nuke Cops. So, let the buyer beware... Perhaps we could come up with a certification process?"
Posted on Monday, December 22 @ 15:13:57 CET by Zhen-Xjell
 
Re: Security problem (Score: 1)
by scandicdiscopub on Monday, December 22 @ 15:33:56 CET
hmm i think we get paranoid here ..just a little bit but the certificate process seems a cool idea.
Also then we're sure with a fresh look to find any bugs, errors in the modules for example and possibly fix it etc.




Re: Security problem (Score: 1)
by allevon on Monday, December 22 @ 21:14:36 CET
http://www.AlleVonTech.com
Well I wouldn't blame anyone for being paranoid. It's out of control. These nerds have nothing else to do, so they've upped the attacks and we have to fight them constantly. It's beyond annoying and infuriating. When everyone believes me when I say the internet is now a useless piece of shit, full of over abundant advertising, whiny bored babies and no one of value bothers using it anymore, MAYBE it will make its 3rd comeback. But only after the serious people take serious pro-active action against the Fag sector, instead of lying on their backs "Accepting" what happens as collateral damage.

In response to the cert. I'm all in favor of it TO A DEGREE. Why? Because as usual and as free and open as Nuke stuff is, some little fag is going to download the cert copy, find or create an exploit and thus ruin ANOTHER good thing.



Re: Security problem (Score: 1)
by kipuka on Tuesday, December 23 @ 00:24:11 CET
I don't think it's being paranoid or a waste of time to create a group whose mission is to see where code is inefficient, breaks, or is insecure. Either the originator can then fix it or they can. If corrected by the originator, his programming skills will improve. It will also show if there's a trend in bad design practices which can be used as an educational tool for everyone. The biggest problem is this type of work can be very manpower intensive.



Re: Security problem (Score: 1)
by wesdog on Tuesday, December 23 @ 00:26:23 CET
http://www.velvetjones.org
Certificate idea sounds good to me. There will always be an exploit to anything having to do with 1's and 0's. A better idea would be to have some kind of customization to each module upon install that is unique to your site. That way a hack developed for one site would not work on another. Just something that is configurable like a custom key you could input in the code after downloading the module that would be encrypted into the database in order to protect the features of the module/addon from being exploited. I'm not an expert by any means and have no idea how this could be implemented. It's just an idea that popped into my head; I'm sure someone has already looked at it anyway. Anything that helps security is good in my book.



Re: Security problem (Score: 1)
by Audioslaved on Tuesday, December 23 @ 01:28:25 CET
http://www.audioslaved.com
I think it is always wise for anyone trying to program to learn the security side of things, but I think the shell of the CMS would be better suited to stop something of the sort rather than setting up a group of individuals who regulate how modules get approved. Before you know it, the speed would turn into that of submitting to ODP or Google.

Though they are both great, it can take quite a while for a human editor to get around to looking at your site, and even then, for this situation, someone would have to scour the code, then there would need to be a set of checks and balances, more than one set of eyes, to make sure no one missed anything.

I think though it is a good idea to a degree, but eventually could see it taking weeks at a certain point for modules, blocks, and addons to get "certified", then you have to worry about recruiting people you know are skilled at finding these so-called discrepancies.

I think it would be better to have the CMS do most of the work by checking all incoming variables and making sure they do not contain any malicious code, then passing them to the script, similar to the check_vars function idea I had in the security forum. Having the security built into the CMS would be the best bet for everyone. What about those who do nuke but do not come to nukecops, or only so in a blue moon, are their downloads not to be used because they are not certified? It is good that we are talking about security, it's about time we all are, it has been too long! I think we can all agree something has to be done; until a solid solution is crafted, I guess it is more of a buyer beware type of thing. Bye all

Your GoogleTappin Friend,
Audioslaved



Re: Security problem (Score: 1)
by Vchat20 on Tuesday, December 23 @ 03:24:52 CET
http://www.pokeradio.com/
yeah. i agree. a certification system needs to be done. but alongside that a kind of "antivirus" deal would be a good idea to implement into nuke so that it will check the code as it is processed and if anything malicious shows up, it stops on the spot and logs the issue. now i don't see how that could easily be done or how it could be done in a way so the site doesn't slow to a crawl, but it is a good idea. added as a supplement to the certification idea, it's the perfect weapon against the people who have nothing better to do than hack the many nuke communities on the net.
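
The certification idea raised in the admin note and several comments above, sketched as an added example (not part of the original thread and not Nuke Cops tooling): reviewers publish a per-file SHA-256 manifest of the release they examined, and a site admin checks a downloaded copy against it before installing. The function names, the manifest layout and the sample module are assumptions; the manifest is assumed to reach the admin over a channel the module's distributor cannot alter.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(module_dir):
    """Reviewer side: map every file's relative path to its SHA-256 digest."""
    root = Path(module_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_module(module_dir, certified):
    """Admin side: diff a downloaded copy against the certified manifest."""
    actual = build_manifest(module_dir)
    return {
        # Same path, different bytes: the file changed after review.
        "modified": sorted(f for f in certified if f in actual and actual[f] != certified[f]),
        # Listed in the manifest but absent from the download.
        "missing": sorted(f for f in certified if f not in actual),
        # Present in the download but never seen by the reviewers.
        "unexpected": sorted(f for f in actual if f not in certified),
    }


def is_certified_copy(report):
    """True only when the copy matches the reviewed release file for file."""
    return not any(report.values())


if __name__ == "__main__":
    # Constructed sample module (hypothetical file names), built in a temp dir.
    with tempfile.TemporaryDirectory() as tmp:
        mod = Path(tmp) / "Sample_Module"
        mod.mkdir()
        (mod / "index.php").write_text("<?php echo 'reviewed'; ?>")
        manifest = build_manifest(mod)        # what the reviewers would publish
        print(verify_module(mod, manifest))   # clean copy: all lists empty
        (mod / "index.php").write_text("<?php echo 'altered'; ?>")
        (mod / "extra.php").write_text("<?php ?>")  # file added after review
        report = verify_module(mod, manifest)
        print(report, is_certified_copy(report))
```

A match shows only that the copy is byte-for-byte the release that was reviewed; how much that is worth depends on the review itself, which is the manpower cost the comments point out.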


Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)