Talk:PHP-Nuke

(Previous talk page deleted, see history) JamesHoadley 10:26, 8 November 2005 (UTC)

Tiny MCE introduces security holes?
This is news to me. Firstly, PHP-Nuke non-patched has holes that a truck could drive through. Secondly, what about Chatserve's patch series? I've got it, and used it up to 7.6, and it seems to close all SQL injection holes. Does TinyMCE introduce new issues, like XSS? JamesHoadley 10:29, 8 November 2005 (UTC)


 * Take a look at this article and you'll understand why. Put it simply, with introduction of TinyMCE, input content will not be filtered at all. Think about inserting javascript into content and have it pass through in vanilla form... 221.127.100.196 09:37, 22 February 2007 (UTC)

Hitwalker
This has been going on for sometime. I would like to know if anyone thinks hitwalker is a notable site for the PHP-Nuke community. It has been added and removed many times. If you don't think it should be listed please say why. -- murder1 04:43, 8 December 2005 (UTC)
 * In my opinion it's pointless to have two PHP-Nuke resource sites that are almost identical with what files they offer. PHPNukeFile is a more reputable source, well respected by the community, and has been around longer.  Also, I would like to point out WP:NOT. — stephen 17:06, 8 December 2005 (UTC)

As i was pointed to this old article i would like to explain a few things.Phpnukefiles doesnt excist longer then Phpnuke database.Also the Phpnukefiles website is not well maintained and not uptodate.So in my believes you should not publish or write about something you dont know much off,and specially if its done by a 16 year old,that doesnt realy qualify as having the proper knowledge.At Phpnuke database quality is more important the quantity.

Easynuke.org
I was wondering, would it be beneficial to have a link to a free PHP-Nuke site? PHP-Nuke was released as a multi-version recently, and hence my business partner decided to take it up, adding to his free phpbb and invision forum host. Although it is not released yet, it is ready, and the website is: easynuke.org I posted this here now, incase anybody had any problems with me editing the main page when easynuke is actually released. It would be beneficial for those seeking a free, easily set up (litirally a few clicks, no messing with servers) PHP-Nuke setup. PAz 13:48, 23 December 2005 (UTC) Alex


 * easynuke.org is currently unregistered and available. Can we delete the above? Wlindley (talk) 03:27, 10 March 2010 (UTC)

Lack of security
Hey, I'd like to know more about the supposed lack of security in PHPNuke.

The article currently claims "Because PHP-Nuke is so widely known, it is a frequently attacked target of those looking for security flaws." Umm, rubbish, this argument has been refuted many times in case of many other programs. For example, Windows isn't insecure because a lot of people use it and thus hack it, it's because it's not designed with security in mind at all. And that's exactly what I heard about PHPNuke: Sloppy coding practices and no security consciousness among the developers.
 * Sloppy coding is highly subjective. No security consciousness is speculative at best. And Windows has been coded with security in mind since NT - check out Microsoft Windows.  And despite what you think, people do target visible softwares simply because they are visible.  It's the same reason the September 11th hijackers attacked the World Trade Center and not the lone Exxon Mobile gas station in Any Town, USA. 216.40.225.203 09:26, 28 June 2006 (UTC)

Yet, even when that particular sentence has to go, I can't go claiming the abovementioned things in the article right off without sources - just hearsay and lots of people saying "PHPNuke sucks". Does anyone know any real published researched critique of PHP-Nuke? I think it's pretty easy to find security advisories and stuff like that though. --wwwwolf (barks/growls) 14:41, 17 January 2006 (UTC)

Looks like someone removed this: 18:20, 17 January 2006 Drmike (→Lack of security - Removed Trolling) Let's ignore that. My intention was not to troll or anything - I'm looking for constructive, sourced criticism of the project whose security and efficiency has been doubted a lot. PHP-Nuke has faced some severe allegiations along these lines. I just think these facts are not covered to necessary extent in the article. --wwwwolf (barks/growls) 10:23, 18 January 2006 (UTC)
 * Microsoft Windows discusses the security issues in a chronological fashion. This helps to distinguish between issues that, today, merit concern, and issues that are little more than historical footnotes.  This article, in contrast, just blurrs them all together.  And doesn't provide any citations what-so-ever.  Also, look at Avoid_weasel_words.


 * I added some citations. I think the weasel-ish sentence at the begining of the Lack of security and criticism section is factual, however I can't provide good citations - most are forum postings. I have had a server compromised via Nuke, have patched many a system and today just admonish clients for using it and refuse to work with them unless they find another CMS. I actually keep it on a server with a locked database to learn how not to code PHP by analyzing the log files for exploits. I was tempted to remove the weasel tag completely, but think that the sentence can be simply re-structured somehow by someone with more lingual skill than I. I almost cited it with this Google search. Finding a proper citation for something that has become common knowledge in a field is harder than I thought. badmonkey 02:44, 16 July 2006 (UTC)


 * 89,500,000 hits for avoid google, 34,300,000 hits for avoid wikipedia, and 532,000 for php-nuke? maybe google and mediawiki should take a deep look at php-nuke's source code to figure out what they do to get so few hits.


 * also, if you can't find proper citations then maybe you simply aren't familiar enough with the issues surrounding php-nuke to make useful contributions. lots of people think that israel's overly aggressive expansionist policies are wrong, but you don't see the article on israel saying "israel has been criticized in the past for it's confrontationalism" do you?  and if it doesn't belong there, then why do you think it should belong here?


 * finally, no one cares about your own personal experiences. personal experiences aren't citable and they shouldn't be brought up, here.  if you think otherwise, then consider that i've never been hacked by php-nuke and the only people i've ever seen that have been were people who just didn't know how to upgrade.  if you think that php-nuke is the only cms that has upgrades to fix security issues, you're wrong.  look at joomla!.  every release this year has fixed security vulnerabilities.  so what do you think is going to happen if you don't do one of those upgrades?  you're going to get hacked.  just as you'll get hacked if you don't update php-nuke. 216.32.81.2 02:12, 30 July 2006 (UTC)


 * the joomla changelogs, for your perusal: http://www.joomla.org/content/category/5/34/78/ 216.32.81.2 02:23, 30 July 2006 (UTC)

I'm actually concerned myself. I've been thinking about using PHP-Nuke for something, but I'm not sure. The article here is very vague and to be perfectly honest, it's not very convincing about security vulnerabilities. The citations list vulnerabilities for 7.x and 8.x. There's considerably fewer in 8.x than in 7.x, so I'd say that "and nearly all of them are left unpatched by the author." is subjective since as 8.x's vulnerabilities are completely unpatched as listed on the citation, it has a fraction of the vulnerabilities listed for 7.x. It seems 8.x actually patched a LOT of issues. The issues on 8.x appear to be mostly that 8.x isn't properly sanitizing the data posted by users. Those should be fairly easy to fix and judging on the time they were posted, there's PROBABLY third party fixes for all four of them. More citations, and even rewriting the concerns to be list the chronology of the concerns wouldn't be a bad idea. 24.254.163.150 (talk) 02:39, 2 May 2008 (UTC)

I don't know whether PHP Nuke is still problematic but I ran it in early 2004 with a phpBB installation and my site got vandalized via a PHP Nuke exploit in just two days. I uninstalled and was fine after that. Never ran PHP Nuke again. It remains one of the few applications I'll never touch again. -Rolypolyman (talk) 15:15, 29 May 2008 (UTC)

Dead link
http://www.hitwalker.nl recently changed to Phpnuke Database- Phpnuke Database, as in http://www.phpnuke-database.com The hitwalker sites are available for the whole world to see, visitors who get 403 forbidden are with their ip in a spam or hacking ip range that has been blocked. --Hitwalker 14:18, 25 March 2007 (UTC)

maru  (talk)  contribs 04:28, 27 July 2006 (UTC)

History
This article should have a history section. Personally, I came to find what it was first created.

Fair use rationale for Image:PHPNukeWebsite.gif
Image:PHPNukeWebsite.gif is being used on this article. I notice the image page specifies that the image is being used under fair use but there is no explanation or rationale as to why its use in this Wikipedia article constitutes fair use. In addition to the boilerplate fair use template, you must also write out on the image description page a specific explanation or rationale for why using this image in each article is consistent with fair use.

Please go to the image description page and edit it to include a fair use rationale. Using one of the templates at Fair use rationale guideline is an easy way to insure that your image is in compliance with Wikipedia policy, but remember that you must complete the template. Do not simply insert a blank template on an image page.

If there is other other fair use media, consider checking that you have specified the fair use rationale on the other images used on this page. Note that any fair use images uploaded after 4 May, 2006, and lacking such an explanation will be deleted one week after they have been uploaded, as described on criteria for speedy deletion. If you have any questions please ask them at the Media copyright questions page. Thank you.BetacommandBot 05:14, 6 June 2007 (UTC)

External link discussion
Whats the point in adding any info here or joining this whatever discussion if its all deleted again. The whole phpnuke article at wik in this phpnuke talk page which i didipedia is becoming one big joke as its content is constantly censored.(owner of phpnuke-database.com 10:22, 26 June 2007 (UTC)) —Preceding unsigned comment added by Hitwalker (talk • contribs)

I would like to know (as this is a discussion page) that when i added the download resource Phpnuke Database why it was considdered to be spam or whatever.How can that be spam as im a respected source and known person?.May i remind any reader that adding that resource site isn't against any wikipedia guidelines as wikipedia knows many pages with external links to respected resources dealing on the subject of that page.Its also not a matter of linking,and we know about the nofollow rule,all that is known and not important. Fact is,if you present a page talking about phpnuke it seems obvious you also include some good resources (also a common thing in wp).Long ago when my resource was added an editor here suggested i would do any recommendations in the phpnuke talkpage which i did.As we know by now i received absolutely no reply.So after that i added my resource again and to my surprise it was left alone for a long time.But that came to an end when the ext links were edited again and yes i edited it again,over and over.I always noticed the messages and it wasnt that i didn't wanted to reply to it,but merely cause i knew what was in it.So i still would like to see the resource added to the external links.--owner of phpnuke-database.com 18:48, 2 July 2007 (UTC) —Preceding unsigned comment added by Hitwalker (talk • contribs)

regards, Nachoman-au 12:26, 3 July 2007 (UTC)
 * You are the owner of the website in question which is against guidelines (see WP:COI)
 * The website is not notable, it adds nothing to the article, it is being promoted by yourself (see External_links)
 * Your contributions to the encyclopedia have consisted of nothing more than you trying to promote your website
 * You have ignored warnings on your talk page
 * You have continued adding links after your blocks have expired
 * You are suspected of using anon accounts to make identical edits
 * You have left threatening comments in the article space with your changes
 * Numerous editors have reverted your external link additions.


 * Ok let me see if i have this correct...,so if its my site it automatically is a COI ?
 * And.."it adds nothing to the article"..?
 * Is a resource site for phpnuke modules,blocks etc..not valuable as information ?
 * And although you dont agree but how do i know if there's a warning if i never actualy saw the messages ?
 * And aren't you going a bit out of line by accusing me of using anon accounts to make identical edits?
 * I would like you to prove that.--owner of phpnuke-database.com —The preceding unsigned comment was added by Hitwalker (talk • contribs).


 * (Remember to sign posts with ~ ) Inserting links to your own site is automatically a conflict of interest. See the external links guideline. It is perfectly acceptable to suggest on an article talk page that your link be considered for inclusion and then let a neutral editor decide if there is consensus for placing it in the article. You have received at last five alerts about the link insertion on your talk page; that should be sufficient be sufficient warning. ✤ JonHarder talk 02:01, 4 July 2007 (UTC)


 * Unsurprisingly, this site is already a squatter's doorway. According to AboutUs record, the author has abandoned the site in January 2008 — less than a half-year after this discussion — because he didn't “feel motivated anymore to keep the site up”. So, the discussion was merely nothing more than much ado about nothing. :-) 217.172.21.161 (talk) 10:58, 27 November 2010 (UTC)

License
the article lists this as GPL. the infobox lists it as proprietary. which is it? --Black Butterfly 15:01, 20 September 2007 (UTC)

Black Butterfly, I see your point. Despite them charging for it, PHP-nuke is still Free software (as in freedom). Therefore, it should probably say GPL. I will change it tommorow (if I remember :P) FSHero 20:35, 28 September 2007 (UTC)


 * As well, of course, the copyright owner can at ANY POINT start producing new versions under non-GPL copyright license. Newer versions may very well be "proprietary" i.e. not released under the GPL copyright license. =//= Johnny Squeaky (talk) 04:21, 9 October 2011 (UTC)

Merge_proposal
I propose merging Nukesentinel here. The stub on its own lacks notability Nearly Human 11:19, 30 September 2007 (UTC)

Lack of Security (revisited)
While I'm cool with narrowing down the security bashing now that phpNuke is more stable, I think the current incarnation is a bit ambiguous. Currently it reads:

"'PHP-Nuke has in the past been plagued by security holes. However, no security flaws have been reported in the last year.'"

That's it.

Let's expand this some. What notable security holes in the past? "no security flaws" is a very big statement for any piece of software. Anyone got a source for that or an appropriate time frame other than "last year"?

In light of my previous participation in the security controversy of phpNuke, my only edit is to ask for facts. I'd really like to see this article cleaned up. Even though my view of the software's security may be negative (from several experiences), I still see it as a slightly seminal step toward today's internet. Compare it's use several years ago to the penetration of WordPress among novices today. It also helped the penetration of PHP itself among novices in a small way. (Badmonkey skulks away ducking incoming flames for that WordPress remark :P) badmonkey (talk) 04:22, 18 December 2007 (UTC)

Unfortunately, that statement is no longer true: http://secunia.com/advisories/28624. —Preceding unsigned comment added by 12.10.223.130 (talk) 01:26, 14 February 2008 (UTC)

downloads.phpnuke.org
There is a hidden subdomain on the PHP-Nuke site — downloads.phpnuke.org — which is not the same as Downloads section of the main site. I found it through a suspicious spam letter, which used an intermediate link obfuscation and redirection facility.

The mentioned subdomain invites to download popular games, claiming that there is no “trick” nor piracy, — those games are either demo versions, or shareware, or freeware. It also claims that those downloads are 100 % virus- and spyware-free. But, in fact, all downloadable “installers” are essentially the same 3-megabyte archive, containing nothing more than a browser toolbar add-on.

At first, I thought that it's a kind of web-server hijacking that the legitimate site owners are unaware of. But MyWOT comments on the same issue are dated as early as January 2009, so I doubt that the existence of malicious site is an outsider's job and couldn't be connected with PHP-Nuke authors.

I think, it should be noted in the article, that, although PHP-Nuke itself is a well-known software, “donwloads” subdomain simply exploits the long-time gained trust to spread malware by deception. Unfortunately, I myself am not connected with PHP-Nuke community, nor am aware of the details of this story — to be able to describe it correctly. 217.172.21.161 (talk) 10:48, 27 November 2010 (UTC)
 * You're quite right, there are some SHADY downloads there, but there isn't much Wikipedia can do about that... =//= Johnny Squeaky (talk) 04:10, 9 October 2011 (UTC)


 * Now it's official: the *downloads* subdomain is actively promoted on the main site:
 * in the header menu,
 * in the top banner block,
 * in the left-side menu,
 * in the right-side listing,
 * and even inside most entries of the main contents block.
 * Although there is still “PHP-Nuke Scripts” section in the left-side menu, it's just a collection of descriptions — as all download links lead to the root page. The only legitimate material listed there is the CMS itself, which received several updates until 2013, but it would not be surprising if it contains some malevolent additions, since one of the most active contributors to Git repository is named “Bibado Investments S.L.” — the name of company producing a generic installer for rogue software. So, basically, the official site has finally turned into a trashcan. Perhaps, it's now controlled by another person, hiding behind notorious GoDaddy and Domains-by-Proxy. Is there any reason for Wikipedia to promote such a site? 81.88.210.197 (talk) 09:52, 29 November 2014 (UTC)


 * Very shady. Note that the site Privacy Policy mentions "Bibado Investments S.L." which is also now the name of the Bitbucket account which hosts the source. Bibado Investments S.L. is considered an unwanted software publisher by HerdProtect here. 144.62.220.200 (talk) 23:44, 4 February 2016 (UTC)