PostNuke is based on PHPNuke.  I would assume that the holes in many of the
scripts are still present.  They make no mention of security enhancements on
their page or in their FAQ.  

Like I said before, PHPNuke is a really great concept, but has very poor
security.  PostNuke looks even better in terms of where the project is
headed, but still wants you to chmod 777 all sorts of files on your box to
use all of the features, and still uses much of the code from PHPNuke.

What these projects need is a serious security audit of every line of code.
Most of the problems arise from being able to pass arguments to the scripts
that will run system binaries as the apache user.  This is bad enough, but
it's sometimes very simple to use this to exploit a local root exploit and
gain root access fairly easily.

Has anyone noticed how slow PHPNuke is also?  I was talking to someone who
was thinking about running it, and he said it makes a ton of db calls for
every page served.  Something which was poorly thought out from a
performance standpoint.  

Jay

-----Original Message-----
From: Jim Herrick [mailto:jim at herrick.net]
Sent: Saturday, October 06, 2001 3:17 PM
To: tclug-list at mn-linux.org
Subject: RE: [TCLUG] Php nuke -- probably more swiss-cheese than early versions of sendmail or sun's rpc


I've used both of these and can recommend them.

Post Nuke:
http://sourceforge.net/projects/post-nuke/

phpWebSite:
http://sourceforge.net/projects/phpwebsite/

Jim

> From: "Carlos Sabo -Real Time email" <carlos at real-time.com>
> Subject: RE: [TCLUG] Php nuke -- probably more swiss-cheese than early versions of sendmail or sun's rpc
>
> > From: Austad, Jay
> >
> > If you're thinking about running PHP-nuke, don't.  Just search the bugtraq
> > archives at securityfocus.com to see why.  Sad.
>
> What alternatives are there to it?


_______________________________________________
Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org
tclug-list at mn-linux.org
https://mailman.mn-linux.org/mailman/listinfo/tclug-list