Well, I found some interesting things to read and really wanted to advise people on which version of Nuke to use for their clan sites.
Here is a very nice sum up of all the newer versions above 7.8 taken from http://1cms.org/modules.php?name=News&file=article&sid=17
| Quote:
|
1CMS Hi Everyone
I wanted to take a moment to talk a little about the current state of affairs with PHP-Nuke and the intentions of what is now becoming "many" of us in the PHP-Nuke development community.
I am addressing this because it is important for everyone in the community of PHP-Nuke Webmasters to realize some of the facts about what is going on with PHP-Nuke, where it has been and where it seems to be going.
In the latter regard, I can only assure everyone that the biggest obstacle to PHP-Nuke evolution is the self-proclaimed "Author", Mr. Burzi. I say this only because with each new version of PHP-Nuke that is released, Mr. Burzi fails to apply previous version fixes, while he also creates new bugs and security holes. If you use any version of PHP-Nuke that comes from Mr. Burzi, quite frankly you are at severe risk of intrusion and hacking. There is no easier or nicer way to put it.
In this regard, I want to talk a little about PHP-Nuke 7.9. It should be pointed out right off the bat that PHP-Nuke 7.9 has many very serious issues. In fact, even with "Patched" the issues are so major that it staggers the imagination to contemplate just how bad they are.
In this latest release, the Nuke author has attempted to employ new filtering processes in an effort to deal with the many gaping security holes left in Nuke after version 7.6 with the implementation of the TinyMCE HTML Editor.
Unfortunately, Mr. Burzi's efforts once again were haphazard at best and actually create more problems than they seek to fix. Additionally, even after three versions of Nuke, Mr. Burzi still has failed to properly integrate the TinyMCE HTML Editor and rumor has it that effective version 8.0, the editor functions will be removed. Additionally, Mr. Burzi proposes to once again completely change the administration functions of PHP-Nuke making all legacy modules incompatible and requiring recoding.
Let me cut to the chase. First, don't use PHP-Nuke 7.7 through 7.9 under any circumstances! There are simply far too many problems and this code is basically a giant mess that should be completely ignored. "1CMS" uses PHP-Nuke Version 7.8 as a baseline; however, you need to keep in mind for all intents and purposes what I have here is NOT PHP-Nuke, it is something completely different as every single baseline file has been recoded. Yes, it is PHP-Nuke compatible, but that is about as far as the relationship goes.
Unfortunately, with PHP-Nuke 7.9 things get even worse than previous versions. Much like versions 7.7 and 7.8, there are severe new problems created by Mr. Burzi's "I know best and I am going it alone" approach to coding and distribution. As he fails to even attempt minimal testing of his code, it should be obvious to everyone that this is dangerous stuff which should be avoided like smallpox.
This "I know best" attitude has finally taken a toll on some of the better known and dedicated nuke developers including Bob Marion, the widely respected developer of the Nuke Scripts Network (NSN) solutions. Bob recently announced that he will no longer be supporting future versions of PHP-Nuke because of Mr. Burzi's methodologies for releasing new versions and the total disregard in addressing serious security issues. You can read Bob's comments at: http://www.nukescripts.net/index.php?op=NEArticle&sid=2206.
I find myself totally agreeing with Bob's perspectives with the one exception that I refuse to support Version 7.9 because of the major new flaws.
In my extensive testing of PHP-Nuke 7.9, I have discovered many new problems that make using it simply impossible, even with "Patched" loaded. In fact, I was hoping to adapt some of the new security filtering models and functions into "1CMS" but I have since abandoned that idea as the methodologies are deeply flawed. They fail to take into consideration the many different types of input variables that exist in Nuke and try to assign "all inclusive" type assumptions. This is simply no solution at all and testing has revealed that the current solution is indeed susceptible to XSS, JavaScript and other forms of attack if you know how and where to format the query.
Regarding Mr. Burzi's intentions for the future, again I agree with Mr. Marion that because Mr. Burzi "goes it alone" and ignores existing fixes that have been implemented for as many as 8 versions back, I cannot endorse or recommend using any version of PHP-Nuke distributed by phpnuke.org or anywhere else for that matter. The code is simply horrible and instead of fixing problems and improving the code, Mr. Burzi just keeps tacking on new bugs and security holes in every new release.
As I have commented before (elsewhere), another major concern that I have is with people like Chatserv, the honorable author of the "Patched" series of updates. In my humble opinion, Chatserv seeks only to help the community by fixing various PHP-Nuke baseline problems. However, by distributing "Patched" for the last three versions of Nuke, I feel that his work only exacerbates the fundamental problems while giving webmasters a "false sense of security". Indeed, "Patched" fixes some known bugs, but it does not begin to address any of the serious security, or major nuke structural or overall design flaws.
While I admire and respect Chatserv for attempting to patch some of the holes in these latest versions, as I have said before, the "Patched" solution is comparable to putting a band-aid over a shotgun wound. "Patched" for versions 7.7 through 7.9 may have some benefits; however, it does not begin to address ANY of the major design flaws of these three latest versions of Nuke. Patched does not begin to even address any of the HTML editor or security issues introduced with 7.7 and made only worse in versions 7.8 and even worse yet again in 7.9. Thus, if you have deployed any of these latest versions with "Patched" you should seriously consider downgrading to 7.6 with Patched 3.1 where there exists at least minimal protection from known vulnerabilities.
This leads me back to the beginning. What is best for the community of Nuke Webmasters that don't want to worry about these issues, but rather just want to provide content? In my humble opinion, the best scenario would be one where Nuke was stabilized and secured and evolution moved forward from there. In a nutshell, this is what I strive to accomplish with "1CMS". To lock it down, fix the issues and the functional bugs, to make it fully cross-browser compatible, and finally to make it compliant to W3C presentation standards. I didn't want to re-invent the wheel; however, the huge number of baseline issues made it necessary!
In moving forward with evolution of this solution, I seek to address ALL Nuke issues to make this version not only easy to use and robust, but secure as well. This is why, to date, this solution has not been released publicly. Unlike Mr. Burzi, I don't want to release any version that would potentially put anyone at risk. I believe that the code should not be released until it reaches a point where it could be defined as reasonably secure, which is anything but what baseline or even "Patched" PHP-Nuke code is at this point.
This is a philosophy difference that I take very seriously. I firmly believe that it is time that a Nuke based solution not only be robust with features and compatibility with existing add-ons, but that baseline should also be standardized and stabilized to offer both webmasters and add-on developers alike a predictable model, evolution path and a logical, easy to employ and manipulate (customize the look and feel) structure.
I invite you to comment to this article and to talk about anything that you would like to see in Nuke as well as to express your viewpoints or concerns regarding my perspectives.
Steph Benoit, Webmaster
"1CMS" Developer
http://1cms.org
|
Here is another post from Bob Marion from NSN regarding the same issue:
| Quote:
|
Let me start by saying, PHP-Nuke has had a long run with a steady downhill slant. With each new version the bugs become more and more severe, more and more dangerous. I spend too much of my time over securing scripts to make up for what PHP-Nuke is sorely missing.
Discussions have been started in several places about the future of PHP-Nuke and where it's headed. The majority seem to agree that as long as Mr. Burzi remains at the helm it is going to continue its downward spiral. Along the way he will continue to rape the community $10 at a time and never blink an eye.
With this in mind I have decided that NukeScripts(tm) WILL NOT support a version beyond 7.9 unless, and we all know it won't happen, he opens it up to the community and starts including proper fixes, patches, enhancements, and input from those that can fix his dang piece of trash.
Therefore, I will update all NSN scripts to be usable with PHP-Nuke 7.0 thru 7.9 inclusively patched to the latest Patched level only, currently 3.1 (3.1e by my tracking) but not allowing the WYSIWYG to be used. The newest releases here have already been set to that standard in NukeClients(tm), NukePrizes(tm), the upcoming NSN News 2.0.0 (which btw bypasses all nuke security and uses its own).
I am then going to look into a new fork/cms that starts either with 7.8 or preferably 7.9 that has proper security and html compliance. The latter meaning I will have to do some studying to bring all of my scripts into compliance as well.
|
So where does this leave the newer releases of Nuke... well, personally I'm not and won't use anything above 7.6... Make sure you do some research before you make your clan site, don't assume that the newest version of Nuke is the best and safest!!
You can now get versions of Nuke that are security patched and are secure, so be very careful what version you choose. If you would like any advice, please ask!
Last edited by Ped on Wed Mar 28, 2007 9:17 pm; edited 2 times in total