Post nuke is based on PHPNuke. I would assume that the holes in many of the scripts are still present. They make no mention of security enhancements on their page or in their FAQ.

Like I said before, PHPNuke is a really great concept, but has very poor security. PostNuke looks even better in terms of where the project is headed, but still wants you to chmod 777 all sorts of files on your box to use all of the features, and still uses much of the code from PHPNuke.

What these projects need is a serious security audit of every line of code. Most of the problems arise from being able to pass arguments to the scripts that will run system binaries as the apache user. This is bad enough, but it's sometimes very simple to use this to exploit a local root exploit and gain root access fairly easily.

Has anyone noticed how slow PHPNuke is also? I was talking to someone who was thinking about running it, and he said it makes a ton of db calls for every page served. Something which was poorly thought out from a performance standpoint.

Jay

-----Original Message-----
From: Jim Herrick [mailto:jim at herrick.net]
Sent: Saturday, October 06, 2001 3:17 PM
To: tclug-list at mn-linux.org
Subject: RE: [TCLUG] Php nuke -- probably more swiss-cheese than early versions of sendmail or sun's rpc

I've used both of these and can recommend them.

Post Nuke: http://sourceforge.net/projects/post-nuke/
phpWebSite: http://sourceforge.net/projects/phpwebsite/

Jim

> From: "Carlos Sabo -Real Time email" <carlos at real-time.com>
> Subject: RE: [TCLUG] Php nuke -- probably more swiss-cheese than early versions of sendmail or sun's rpc
>
> > From: Austad, Jay
> >
> > If you're thinking about running PHP-nuke, don't. Just search the bugtraq
> > archives at securityfocus.com to see why. Sad.
>
> What alternatives are there to it?

_______________________________________________
Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.mn-linux.org/mailman/listinfo/tclug-list