23.4.2. Security measures

Figure 23-2. Site key security warning from analyze.php.




Staying current on security fixes is only part of the story. The other part is a conservatively configured system. Regarding security, you cannot be overly conservative, so consider taking the following general security measures:

  • Apply any security fixes available for your PHP-Nuke version (see Section 23.4.1).

  • Do not allow HTML in the news, forums, private messages or any other areas of PHP-Nuke. Use BBcode instead.

  • Do not allow uploading of images (e.g. for a gallery), avatars (e.g. for a forum) or mail attachments, in any module, be it a forum, gallery, mail or whatever.

  • As long as the mailattach.php file is on the server, even if the module is not active, you can get hacked. Currently, the best fix is to delete the file (see mailattach). analyze.php (see Section 3.9.1.3) will issue a warning if it finds the file in your installation (see Figure 23-3).

  • Delete the nuke.sql file from your web server as soon as you have finished installation and everything is working correctly. First, you will not need it any more, and second, if someone takes control of your site, he could have the nice idea to rerun the nuke.sql file on your database, thus bringing it back to its original, pristine state (see Hacked - now what? for a real story).

  • You should also change your site key. The best time to do this is during installation, while entering all the other parameters in config.php. analyze.php will issue a warning if it finds the default site key in your config.php (see Figure 23-2). A site key is an important but often overlooked security feature of PHP-Nuke. It is used in generating security codes for authentication and resource access (e.g. downloads) purposes (see PHP-Nuke Security GFX Mapping - Potential Risk for details on how this is done). Each PHP-Nuke installation requires its own unique site key.

    You can use the Electric Dice for this purpose. ElectricDice generates true random site keys that can be pasted directly into the config.php file. As opposed to the pseudo-random numbers generated by computers, Electric Dice uses numbers generated from atmospheric noise in radio waves - a proven entropy source. ElectricDice is useful both for a first-time installation and for updating your existing site key.

Figure 23-3. WebMail security warning from analyze.php.
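
A small audit along the lines of the checks listed above, as an added example (it is not analyze.php's code and not part of the original HOWTO). It assumes the key is stored as `$sitekey` in config.php and compares it with the config.php of a freshly unpacked distribution, whose path you supply.

```php
<?php
// Added example, not analyze.php's code. All paths are supplied by the caller.
/** Return the string assigned to $sitekey in a config file, or null if none is found. */
function read_sitekey(string $configPath): ?string
{
    $src = @file_get_contents($configPath);
    // Anchored to the start of a line so a commented-out assignment is not picked up.
    if ($src !== false && preg_match('/^\s*\$sitekey\s*=\s*(["\'])(.*?)\1\s*;/ms', $src, $m)) {
        return $m[2];
    }
    return null;
}

/** List files under $docroot whose lower-cased base name is in $names. */
function find_files(string $docroot, array $names): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if ($file->isFile() && in_array(strtolower($file->getFilename()), $names, true)) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

/** Collect warnings for leftover files and for an unchanged site key. */
function audit_nuke(string $docroot, string $pristineConfig): array
{
    $warnings = [];
    foreach (find_files($docroot, ['mailattach.php', 'nuke.sql']) as $path) {
        $warnings[] = "delete $path";
    }
    $live = read_sitekey($docroot . '/config.php');
    $shipped = read_sitekey($pristineConfig);
    if ($live === null) {
        $warnings[] = 'no $sitekey assignment in config.php (is it a stub that includes another file?)';
    } elseif ($shipped !== null && hash_equals($shipped, $live)) {
        $warnings[] = 'config.php still contains the site key shipped with the distribution';
    }
    return $warnings;
}
// CLI use: php audit_nuke.php <docroot> <config.php from a freshly unpacked distribution>
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    echo implode("\n", audit_nuke($argv[1], $argv[2])), "\n";
}
```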




To reduce the risk of SQL injection (see Section 23.3.2) and cross-site scripting (see Section 23.3.1), you can do the following:

  • Set "magic_quotes" to ON in php.ini. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically, see PHP Options and Information.

  • Set "register_globals" to OFF in php.ini. When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from HTML forms. This, coupled with the fact that PHP doesn't require variable initialization, means writing insecure code is that much easier (see Using Register Globals).

  • Follow a well-thought-out user rights concept. Do not give users more rights to the database than is absolutely necessary.

Note: PHP-Nuke now works with register_globals set to OFF!
 

Contrary to the older 5.x versions, which needed some extra script for this, newer versions of PHP-Nuke (starting with 6.0) will work with register_globals set to OFF in php.ini! Thus, there is no need to renounce this security measure, as far as PHP-Nuke is concerned. The reason is the following code, which is now included at the start of mainfile.php:

    if (!ini_get("register_globals")) {
        import_request_variables('GPC');
    }

Since every module includes mainfile.php, it also includes the above code, and will thus work with register_globals OFF. If, for some unusual reason, your module does not include mainfile.php, just add the above lines of code to make it work with register_globals OFF.
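
Why uninitialised variables matter once request data lands in the variable namespace, shown as an added example that is not part of the original HOWTO. `extract()` stands in for register_globals and for `import_request_variables('GPC')`, both removed in PHP 5.4; the function names, the `admin_ok` variable and the sample request are constructed.

```php
<?php
// Added example. extract() imitates request variables being imported as plain variables.

/** Vulnerable pattern: the flag is only ever set, never initialised. */
function is_admin_unsafe(array $request, bool $sessionIsAdmin): bool
{
    extract($request);            // every request parameter becomes a local variable
    if ($sessionIsAdmin) {
        $admin_ok = true;
    }
    // For a non-admin session nothing above assigned $admin_ok, so a request
    // parameter with that name decides the outcome.
    return !empty($admin_ok);
}

/** Hardened pattern: initialise after the import, so request data cannot pre-set the flag. */
function is_admin_safe(array $request, bool $sessionIsAdmin): bool
{
    extract($request);
    $admin_ok = false;            // overwrites anything the import put there
    if ($sessionIsAdmin) {
        $admin_ok = true;
    }
    return $admin_ok;
}

// Constructed request from a visitor without an admin session who adds admin_ok=1.
$request = ['name' => 'News', 'admin_ok' => '1'];

echo 'unsafe check, anonymous visitor: ';
var_dump(is_admin_unsafe($request, false));
echo 'safe check, anonymous visitor:   ';
var_dump(is_admin_safe($request, false));
echo 'safe check, real admin session:  ';
var_dump(is_admin_safe($request, true));
```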

To avoid path disclosure (see Section 23.3.3), you can:

  • Set "display_errors" to off in php.ini or

    php_flag display_errors off
    

    in .htaccess (see Section 25.4) or in an http configuration file.

  • Use PHP's error handling functions to disable error reporting or alter the handling (to email an admin for example, and display a less explicit error).
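
One way to apply the second point, as an added example that is not part of the original HOWTO: the full detail, including the file system path, goes to the server log, and the visitor sees only a reference number. The function names and the wording of the public message are assumptions.

```php
<?php
// Added example: keep paths out of the page, keep the detail in the server log.
ini_set('display_errors', '0');   // same effect as the php.ini / .htaccess setting
ini_set('log_errors', '1');

/** Text shown to the visitor: no file names, no line numbers. */
function public_error_message(string $ref): string
{
    return "An internal error occurred. Please quote reference $ref to the site administrator.";
}

function handle_error(int $errno, string $errstr, string $errfile, int $errline): bool
{
    if (!(error_reporting() & $errno)) {
        return false;             // respect the error_reporting level and the @ operator
    }
    $ref = bin2hex(random_bytes(4));
    // The path and line number are written to the log only.
    error_log("[$ref] PHP error $errno: $errstr in $errfile on line $errline");
    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo public_error_message($ref);
        exit(1);
    }
    return true;                  // handled: PHP's own message is not produced
}
set_error_handler('handle_error');

// Uncaught exceptions get the same treatment instead of a trace full of paths.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log("[$ref] Uncaught " . get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine());
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo public_error_message($ref);
});
```

To mail the administrator instead of writing to the log, `error_log()` accepts a message type of 1 with the address as its third argument.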

Tip: Security Tip (from the PHP-Nuke INSTALL file)
 

It's a good choice to put your config.php file outside the Web Server path, then you can create a new config.php with the line:

<?php include("../config.php"); ?> 

Some of the above measures may make PHP-Nuke less attractive to you, or your visitors, who would very much like, for example, to be able to write in HTML, upload images at will, or attach nice files to their mails. It is up to you to weigh the risks and the merits of allowing or disabling a functionality. A small, amateur site may take a different approach than a big, professional one.

And remember that the most secure website is one that is offline.

Chris Karakas, Maintainer PHP-Nuke HOWTO