23.4.2. Security measures

Figure 23-2. Site key security warning from analyze.php.

Staying current on security fixes is only part of the story. The other part is a conservatively configured system. Regarding security, you cannot be overly conservative, so consider taking the following general security measures:

Figure 23-3. WebMail security warning from analyze.php.

To reduce the risk of SQL injection (see Section 23.3.2) and cross-site scripting (see Section 23.3.1), you can do the following:

Note: PHP-Nuke now works with register_globals set to OFF!

Unlike the older 5.x versions, which needed an extra script for this, newer versions of PHP-Nuke (from 6.0 on) work with register_globals set to OFF in php.ini. So, as far as PHP-Nuke is concerned, there is no need to give up this security measure. The reason is the following code, now included at the start of mainfile.php:

if (!ini_get("register_globals")) {
    // register_globals is OFF: import the GET, POST and cookie values
    // that modules still expect to find as global variables
    import_request_variables('GPC');
}

Since every module includes mainfile.php, it also includes the above code, and will thus work with register_globals OFF. If, for some unusual reason, your module does not include mainfile.php, just add the above lines of code to make it work with register_globals OFF.
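As an added example (not PHP-Nuke code), the following module-style snippet shows the combination the two points above ask for: reading request values explicitly, so the module works with register_globals OFF, and keeping those values out of SQL and HTML. It assumes a hypothetical nuke_notes table and uses PDO with an in-memory SQLite database (the pdo_sqlite extension) so that it runs stand-alone from the command line; PHP-Nuke's own $db abstraction is not used. Note that import_request_variables() was removed in PHP 5.4, so on a current PHP a module has to read $_GET and $_POST itself, as done here.

```php
<?php
// Added example (not PHP-Nuke code): a module-style request handler that
// works with register_globals OFF and defends against SQL injection and XSS.
// It assumes a hypothetical "nuke_notes" table and uses PDO with an
// in-memory SQLite database so it runs stand-alone; PHP-Nuke's own $db
// abstraction and MySQL schema are not used.

// 1. Read request input explicitly and coerce it to the expected type.
//    With register_globals OFF nothing becomes a variable by itself, so
//    every value comes from $_GET/$_POST and starts from a safe default.
function read_note_id(array $get): int
{
    // A leading-numeric string such as "1 OR 1=1" casts to 1; garbage casts to 0.
    $id = isset($get['id']) ? (int) $get['id'] : 0;
    return $id > 0 ? $id : 0;
}

function read_title(array $post): string
{
    $title = isset($post['title']) && is_string($post['title']) ? $post['title'] : '';
    // Trim and cap the length so the value stays within what the column expects.
    return substr(trim($title), 0, 100);
}

// 2. SQL: never splice input into the query string; bind it as a parameter.
function fetch_note(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM nuke_notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function insert_note(PDO $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO nuke_notes (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $db->lastInsertId();
}

// 3. Output: escape on the way to the page so stored text never runs as HTML.
function render_note(array $row): string
{
    $safeTitle = htmlspecialchars(
        $row['title'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<li id="note-' . (int) $row['id'] . '">' . $safeTitle . '</li>';
}

// Demonstration on constructed input that imitates a hostile request.
function demo(): string
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE nuke_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL)');

    // Constructed POST: a title carrying both a quote and a script tag.
    $post = ['title' => "O'Reilly <script>alert(1)</script>"];
    insert_note($db, read_title($post));

    // Constructed GET: a classic injection attempt in the id parameter.
    $get = ['id' => '1 OR 1=1'];
    $row = fetch_note($db, read_note_id($get));   // looks up id 1 only

    return $row === null ? '' : render_note($row);
}

echo demo(), PHP_EOL;
```

Run it with `php module_example.php` (any file name will do): the title is stored verbatim but comes out of render_note() with the quote and the angle brackets encoded, and the id parameter reaches the database as the integer 1, never as the string that was sent.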

To avoid path disclosure (see Section 23.3.3), you can:

Tip: Security Tip (from the PHP-Nuke INSTALL file)

It is a good idea to put your config.php file outside the web server path; you can then create a new config.php in its place containing only the line:

<?php include("../config.php"); ?> 
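An added example, not the INSTALL file's own stub: a config.php that stays in the web root, pulls the real configuration from one level above it, and makes sure a missing or unreadable file does not turn into a PHP warning that prints the server's absolute path (the usual way path disclosure, Section 23.3.3, happens). PHP resolves a bare ../config.php against the current working directory, so the stub builds the path from its own location instead. The log message, the 503 response and the file location are this example's choices.

```php
<?php
// Added example (not from the PHP-Nuke INSTALL file): a config.php stub that
// lives in the web root while the real configuration sits one level above it.

// Resolve the path from this file's location rather than the current working
// directory, so the include behaves the same whichever script pulled it in.
$realConfig = dirname(__FILE__) . '/../config.php';

// PHP warnings of the form "failed to open stream ... in /var/www/.../config.php"
// are a common source of path disclosure. Keep them off the page and in the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

if (!is_readable($realConfig)) {
    // Full detail for the administrator; nothing specific for the visitor.
    error_log('config.php: real configuration file is missing or unreadable');
    header('HTTP/1.1 503 Service Unavailable');
    exit('Site temporarily unavailable.');
}

require $realConfig;
```

Because every module includes config.php through mainfile.php, the display_errors setting also protects the rest of the request; set it globally in php.ini as well if you can, since code that runs before this stub is not covered by it.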

Some of the above measures may make PHP-Nuke less attractive to you, or your visitors, who would very much like, for example, to be able to write in HTML, upload images at will, or attach nice files to their mails. It is up to you to weigh the risks and the merits of allowing or disabling a functionality. A small, amateur site may take a different approach than a big, professional one.

And remember that the most secure website is one that is offline.


Help us make a better PHP-Nuke HOWTO!

Want to contribute to this HOWTO? Have a suggestion or a solution to a problem that was not treated here? Post your comments on my PHP-Nuke Forum!

Chris Karakas, Maintainer PHP-Nuke HOWTO