23.1. How secure is PHP-Nuke?

If you run the security audit tool nessus against a host running PHP-Nuke, you will get the following:

The remote host is running a copy of PHP-Nuke.

Given the insecurity history of this package, the Nessus team recommands that you do not use it but use something else instead, as security was clearly not in the mind of the persons who wrote it.

The author of PHP-Nuke (Francisco Burzi) even started to rewrite the program from scratch, given the huge number of vulnerabilities (Clarifications on a possible rewrite of PHP-Nuke).

Solution : De-install this package and use something else

Risk factor : High

Uh? Does this mean we have to throw away PHP-Nuke? Why is nessus saying this?

The link given by nessus above contains Francisco's thoughts on the future of PHP-Nuke, provoked by a series of security holes that was recent at that time. How did Francisco plan to cope with the security issues? In that article, Clarifications on a possible rewrite of PHP-Nuke, Francisco considers the following possibility as the first one that comes to his mind when contemplating how to proceed:

1) The new code will be closed. This means that script kiddies should get a computer science master or PhD before hacking it. This will reduce the security issues. From time to time, a security test will be made on the code to catch those bugs and fix them.

This is a well-known method of securing your programs - it is called security by obscurity. A system relying on security by obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.

Would you trust such a system to be secure? Would you run a Fortune 500 website on top of it? It is in this light that you have to interpret nessus' warning above. Relying on security by obscurity as a strategy for PHP-Nuke, be it only in a thought experiment, will not persuade the security experts at nessus.org, because in the cryptography world the reverse of security by obscurity is believed to be true: Kerckhoffs' principle from the late 1880s states that system designers should assume that the entire design of a security system is known to all attackers, with the exception of cryptographic key secrets.
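The contrast between the two approaches, as an added example that is not part of the original text and is not PHP-Nuke code: design A protects a login token only by keeping its encoding unpublished, design B uses a public algorithm (HMAC-SHA256) with a secret key. The token formats, function names and `SITE_KEY` are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed for this example: a per-site secret that is not part of the code.
SITE_KEY = b"constructed-demo-key"


def obscure_issue(user, role):
    """Design A: the only protection is that the encoding is unpublished."""
    return base64.b64encode(f"{user}:{role}".encode()[::-1]).decode()


def obscure_verify(token):
    """Accepts anything that decodes; nothing here is secret except the design."""
    try:
        user, role = base64.b64decode(token)[::-1].decode().split(":", 1)
    except ValueError:  # bad base64, bad UTF-8 or missing separator
        return None
    return user, role


def keyed_issue(user, role, key=SITE_KEY):
    """Design B: public algorithm (HMAC-SHA256); the key is the only secret."""
    payload = f"{user}:{role}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def keyed_verify(token, key=SITE_KEY):
    payload, sep, tag = token.rpartition(":")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    user, _, role = payload.partition(":")
    return user, role


def accepted_without_secret(user="mallory", role="admin"):
    """Design fully known, key unknown: which verifier accepts such a token?"""
    a_token = obscure_issue(user, role)  # needs no secret at all
    b_token = keyed_issue(user, role, key=b"not-the-site-key")
    return {"obscure": obscure_verify(a_token) is not None,
            "keyed": keyed_verify(b_token) is not None}


if __name__ == "__main__":
    print(accepted_without_secret())
```

Publishing the source changes nothing for design B, while design A has no protection left once its code can be read.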

In practice, operators of systems that rely on security by obscurity often keep the fact that their system is broken secret, so as not to destroy confidence in their service or product (see security by obscurity). Examples of such systems are the Windows "operating system" and the IIS web server. According to its creator above, PHP-Nuke may join them in the future. This has not kept large firms from using these products for their web presence, though. It is therefore up to you how you interpret nessus' warning and Francisco's tendency to resort to controversial security principles.

People commented on Francisco's thoughts in that article. Once the sleepless nights spent trying to close the security holes that were afflicting thousands of PHP-Nuke sites were over, and after some sleep and thoughtful weighing of all the factors involved, Francisco published an Update and answer to all your nice comments. In this update, we read that the to-do list for PHP-Nuke starts as follows:

1) Release the 6.5 version

2) Start catching security bugs, sql injections holes, etc and fixing it.

3) Recode some parts of the core system to properly check variables against malicious code.

4) Reorganization of some html code

etc.

Unfortunately, reading the above can give one the impression that the release of an intermediate version (priority 1) is more important than catching security bugs and properly checking against malicious code (priorities 2 and 3 respectively), even if this may not be really the case in the author's mind.

In fact, Francisco does care about security, as he confesses in another article on the History of PHP-Nuke and Post-Nuke:

About security... Many people can think that I don't care about security... I care, a lot. But what I don't do is to publish "exploits" in my site about my software...Paul is the perfect proof of the above affirmation, he's a direct witness of my interest on this matter... is secret yes, but there is interest.

Should nessus' warning prevent you from deploying PHP-Nuke on your site? This is a question that only you can answer. On the Web there are multiple truths that can coexist beside one another. In Envisioning a Site That Won't Be Featured In suck.com, Philip Greenspun writes about one-truth cultures:

Oral cultures do not share this belief. Knowledge is open-ended. People may hold differing opinions without one person being wrong. There is not necessarily one truth; there may be many truths. Though he didn't grow up in an oral culture, Shakespeare knew this. Watch Troilus and Cressida and its five perspectives on the nature of a woman's love. Try to figure out which perspective Shakespeare thinks is correct.

In deciding how secure PHP-Nuke is for you, you have to find your own truth. Let's have a look at PHP-Nuke's security record, since this is what nessus mentions as a prominent reason not to use it.
