New Nuke Security Sentinel: Worth Taking a Chance?
It's important not to skimp on security when setting up a content management system. This article explores an open source, surprisingly secure content management system that works well for both novice and experienced webmasters.
New Nuke Security Sentinel: Worth Taking a Chance? (Page 1 of 4 )
In a recent article about CMS programs, I made quick reference to a need to be security conscious when choosing a Content Management System. Now, I'd like to correct that cursory glance at a subject that really should be of prime importance when making the decision about a system. The original choice can impose opportunity, or limits, on your web's safety and have far reaching effects on your success or failure.
Specifically, I want to explore the security solution found in a program that can be easily manipulated by a novice webmaster, while remaining entirely useful to the more advanced security professional.
A Historical Turd
The previous article also gave away my affinity for the Nuke CMS. Now don't run off just yet. I know that if you are like a large part of the programming community, you think of this program as outdated, full of security holes, and not worth bothering with. Some even claim it's not really a CMS. But take a look at what's new.
The original PHP Nuke CMS, developed in 2001 specifically for novice webmasters, offered core code for the most basic admin functions and controls for building and maintaining a member-based website. To give him credit for honesty, the creator admits that he learned how to code PHP in one week, and then wrote the script for the PHP Nuke CMS in the next three. To give further credit for ingenuity, he created a system that anyone could use to build a web site, leveling the playing field for hundreds of thousands of small concerns who had the desire but not necessarily the money or know how to set up shop on the Internet.
Unfortunately, by nature of the fact that the code is open source, the systems vulnerabilities have been eagerly and aggressively exploited. Malicious intrusions, by an embarrassingly long list of attacks often left unsuspecting web masters as victims of everything from SQL injection attacks to complete take overs, up to and including being locked out of the admin controls. And those were the easy risks, those that the webmaster could see.
Another not so easy to spot form of malicious abuse included gaining access to a domain's email systems. Professional spam rings could then launch campaigns mailing thousands of users each day from the victim's web site's domain address.
The exploitability has not been helped by the fact that the program was extremely successful in reaching its target audience, namely new web administrators with little experience. Such webmasters only learned about the abuse taking place on their sites when their IP address became blocked from major ISPs and they could no longer send or receive mail, or when they began getting hundreds of mail daemon messages on days they had sent nothing out. And, of course, the best proof that a site is being exploited, receiving mail offering watches, Viagra and child sex from their own domain.
Though it's an easy cop out, all of PHP Nuke's problems did not lie solely with the original creation. Hundreds of well intentioned writers, eager to add on their own contribution to the Nuke, began developing modules to do this, and do that, also with little heed to security as an initial concern. Layer all of these problems in with the fact that add-on modules and blocks may or may not be updated regularly, if at all, and it's easy to see how problems developed.