web application security lab

Bastille PHPNuke I Think Not

My favorite application to pick on is PHP Nuke, by far. It’s just one of the worst-written applications I’ve ever seen. At one point several years back I audited it and found a 100-line function in the base PHP file that was never called by anything, anywhere. It’s just a total pile, and it took forever to get even just a few functions turned on. There’s an interesting article on evolution-security discussing the problems with PHPNuke.

But I’ve always liked the concept of making Bastille versions of different programs. One of the ones I attempted to harden was CGI.pm, but it was one of those projects that went nowhere because of my severe lack of time. The idea is not a bad one, though. According to the article there are several hardening scripts you can add to PHP Nuke. It makes me wonder whether the people releasing them aren’t actually great security experts doing so in order to own a lot of machines.

Which brings up an interesting point. How easy would it be to create an interesting Firefox plugin with creating a backdoor as its sole purpose? It’s easy enough to create covert channels, or at minimum to have a reason to query a remote server once an hour (stock ticker, weather forecast, etc…) to build a centralized command and control structure. I know it’s a tangent, but why not? What’s stopping anyone from doing that? That’s probably 100k machines that you can own in just a few months for practically no work. Hrmmm…

3 Responses to “Bastille PHPNuke I Think Not”

  1. felosi Says:

    Nice article, thanks for mentioning mine. Actually there are some pretty solid patches for Nuke. People have always wondered why the hell I use it; well, I just like it and it’s easier to manage content with. I have mod_security now so I don’t get to use the native Nuke Sentinel security system much because it blocks it, but before I had mod_security on my own server I always had patched Nuke or Nuke Evolution with 100s of hack attempts a day and it never got hit. Check this out here too: www.evolution-security.com/admin.php. Admin IP block; you can add ranges, subnets or whatever on it. Not too bad. Evolution uses md5×5 too, which makes for impossible-to-crack hashes, but there are always cookie editors, that’s why the IP block is invaluable. Get some time, audit it: www.nuke-evolution.com. I have audited the shit out of it and am constantly on the dev team about stuff and we got it pretty good so far, but you can always miss something.
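
The admin IP block felosi describes above, restricting admin.php to listed hosts, subnets and ranges so that a stolen or edited cookie on its own is not enough, can be sketched as follows. This is an added example written for this page, not nuke-evolution’s code; the rule syntax, the `AdminAllowlist` class and `admin_access_allowed` are assumptions, and the addresses are constructed sample data.

```python
"""Admin IP allowlist: single addresses, CIDR subnets and first-last ranges.
Added example for this page, not nuke-evolution's code; the rule syntax and
the function names are assumptions."""
import ipaddress


def parse_rule(rule):
    """Expand one rule string into a list of ip_network objects.

    Accepted forms (assumed syntax):
      '192.0.2.7'                     a single host
      '10.0.0.0/24'                   a CIDR subnet
      '198.51.100.10-198.51.100.20'   an inclusive first-last range
    """
    rule = rule.strip()
    if "-" in rule:
        first_s, last_s = rule.split("-", 1)
        first = ipaddress.ip_address(first_s.strip())
        last = ipaddress.ip_address(last_s.strip())
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {rule!r}")
        # summarize_address_range covers exactly [first, last] with CIDR blocks
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False lets '10.0.0.5/24' mean 10.0.0.0/24 instead of raising
    return [ipaddress.ip_network(rule, strict=False)]


def normalize_client_ip(remote_addr):
    """Parse the peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    dual-stack listener still matches IPv4 rules."""
    addr = ipaddress.ip_address(remote_addr.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


class AdminAllowlist:
    def __init__(self, rules):
        self.networks = [net for rule in rules for net in parse_rule(rule)]

    def allows(self, remote_addr):
        """True if the address falls inside any configured network."""
        try:
            addr = normalize_client_ip(remote_addr)
        except ValueError:
            return False  # unparsable address: fail closed
        return any(addr in net for net in self.networks)


def admin_access_allowed(allowlist, remote_addr, session_valid):
    """Both factors must hold: a valid admin session AND a listed source IP.
    remote_addr must be the TCP peer address (REMOTE_ADDR), not a
    client-controlled header such as X-Forwarded-For."""
    return bool(session_valid) and allowlist.allows(remote_addr)


if __name__ == "__main__":
    # Constructed sample configuration and requests, not real data.
    acl = AdminAllowlist(["192.0.2.7", "10.0.0.0/24",
                          "198.51.100.10-198.51.100.20"])
    for ip, sess in [("192.0.2.7", True), ("192.0.2.8", True),
                     ("::ffff:10.0.0.9", True), ("10.0.0.9", False)]:
        print(f"{ip:18} session={sess!s:5} -> "
              f"{admin_access_allowed(acl, ip, sess)}")
```

The check only means something if `remote_addr` is the socket peer address; behind a reverse proxy, substitute the forwarded address only when the proxy itself is trusted to set it. The IPv4-mapped unwrapping matters on dual-stack hosts, where an IPv4 client can arrive as `::ffff:10.0.0.9` and would otherwise miss every IPv4 rule.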

  2. RSnake Says:

    Thanks for writing, felosi! You know, I’m absolutely sure there are ways to fix PHPNuke so that it’s rock solid, but it seems like you are starting with such a flawed initial application it’s almost better to just completely re-write it. At least that’s what happened to me when I was auditing it. I got 4 or 5 functions in and closed down a dozen or so holes and I finally just gave up. Too many holes. It was taking more time to audit it than it would take to just write my own at that point. I never did end up writing my own actually and as a result that project died never again to see the light of day.

    I like mod_security but I never use it anymore. I found a few problems and reported them to Ivan and they are now fixed, but that worried me a little. The other problem is that I do too many weird things on this site. I am far more likely to block myself doing legitimate things than I am to block anyone else doing illegitimate things, but this site is pretty hardened too (not perfect but not bad). Everyone misses things, so I don’t fault anyone for that; I’m just about starting from a good place and working to get better rather than starting with something inherently flawed and layering security on top of it. That’s just my take on things.

    Now mind you, I haven’t re-audited PHPNuke since I did my first audit so some of that stuff might be fixed, so take my opinions with a grain of salt.

  3. felosi Says:

    No, you have a good opinion; it is a deeply flawed application and even with fixes we are running into a lot of problems. It has basically been recoded to a point. I am trying to convince them to start work on a new CMS now, as Nuke is getting so old and they all look alike.
    What worries me on my server is the Joomla sites I have, but mod_security has protected them so far.
    I have to run that too. I tried DirectAdmin for the first time and it runs Apache as apache:apache with pretty high permissions: it can use gcc, wget, etc., and you can upload a shell and rise above the folder and upload or write to about anything, so I have to block all shell strings I can think of.
    It’s a full time job staying as secure as you can for sure.
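
The last comment above describes an Apache account that can run gcc and wget and write outside the web root. Rather than trying to blocklist every shell string an uploaded shell might contain, a practitioner would first measure what that account can actually reach. The script below is an added example written for this page, not DirectAdmin’s, PHP Nuke’s or mod_security’s code; the tool and directory lists are assumptions to adjust for the box in question, and it is meant to be run as the web account (for example `sudo -u apache python3 audit_webuser.py`) so that the permission checks answer for that uid.

```python
"""Check what the web-server account can reach on the host.
Added example, not DirectAdmin's or PHP-Nuke's code. Run it as the web
account so os.access answers for that uid; the lists below are assumptions."""
import os
import pwd

# Binaries an uploaded web shell typically reaches for (assumed list).
DEFAULT_TOOLS = ["/usr/bin/gcc", "/usr/bin/cc", "/usr/bin/wget",
                 "/usr/bin/curl", "/usr/bin/perl", "/usr/bin/nc"]

# Directories the web account has no business writing into (assumed list).
DEFAULT_DIRS = ["/etc", "/root", "/home", "/usr/local/bin", "/var/www"]


def executable_tools(paths):
    """Return the regular files the current effective uid may execute."""
    return [p for p in paths if os.path.isfile(p) and os.access(p, os.X_OK)]


def writable_dirs(paths):
    """Return the directories the current effective uid may write into."""
    return [p for p in paths if os.path.isdir(p) and os.access(p, os.W_OK)]


def escapes_docroot(docroot, relative_path):
    """True if an upload path such as '../../etc/cron.d/x' would land outside
    docroot once '..' segments and symlinks are resolved. Use this on any
    user-supplied file name before joining it to the upload directory."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, relative_path))
    return os.path.commonpath([root, target]) != root


def audit(tools=DEFAULT_TOOLS, dirs=DEFAULT_DIRS):
    """Collect findings as a dict; empty lists mean nothing was reachable."""
    return {"executable_tools": executable_tools(tools),
            "writable_dirs": writable_dirs(dirs)}


if __name__ == "__main__":
    user = pwd.getpwuid(os.geteuid()).pw_name
    report = audit()
    print(f"running as {user}")
    for kind, hits in report.items():
        for hit in hits:
            print(f"RISK {kind}: {hit}")
    if not any(report.values()):
        print("no build/download tools or sensitive writable dirs reachable")
    # Constructed sample upload names, not real requests.
    for name in ["images/avatar.php", "../../etc/cron.d/job"]:
        print(f"{name!r} escapes docroot: "
              f"{escapes_docroot('/var/www/html', name)}")
```

Run as root the report is meaningless (root passes every write check), which is why the script should be run as the Apache account itself. Anything it lists is a candidate for removing execute permission for that account, moving the directory out of its reach, or confining the process with a dedicated uid per site; the `escapes_docroot` check addresses the "rise above the folder" upload path independently of what the account can execute.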