No piece of software is free from security related bugs. PHP-Nuke is no exception to this rule. Due to its open source nature, everyone can search the source code
for security holes. This is done by professionals and amateurs alike. When a security hole is found (i.e. a bug in the code that has the potential to enable unauthorized access and/or execution of
code, leading to a compromise of the system's integrity or function), a bug fix will appear that closes it. It is of utmost importance to the integrity of your data to follow the developement in this
area and apply those "security fixes" as soon as they become available.
If you run a fresh version of the analyze.php script (see Section 3.9.1.3), it will not only test your database connection and report errors, it will
also warn you of any vulnerabilities regarding your PHP version (see Figure 23-1).
 |
Run a fresh analyze.php regularly |
|
analyze.php will also test other components of your system, such as MySQL, various modules etc. for known vulnerabilities, so you should run a fresh copy at regular intervalls (an old copy will
not report new vulnerabilities, of course!). But it is also important that you do not rely completely on one script. There is no way around subscribing to the security mailing lists, if you want to
stay current on developments in the software security field.
|
You should register yourself to well-known security advisories, like those from secunia, securityfocus, CERT, http://neworder.box.sk or linuxsecurity and filter those that are relevant to PHP and PHP-Nuke (unless you plan to read emails all
day!).
Upon reading about a new vulnerability for PHP-Nuke, you should reach the pages of
looking for available security fixes to apply. For example, nukeresources collects all (security or not) fixes to the 6.x version of
PHP-Nuke under Downloads Category: PHPNuke 6.x / Fixes.
If a new PHP vulnerability has been discovered, then the first place to run to, is php.net.