Apocalyptic infection purged from PHP-Nuke.org

The official website for content management system PHP-Nuke was purged of a nasty infection on Tuesday that for four days attempted to install malware on visitors' machines. The website, which used an out-of-date version of PHP, was compromised as long ago as Friday, according to reports from Websense and Panda Labs. The …

This topic is closed for new posts.

Posted Tuesday 11th May 2010 20:51 GMT

Crazy Operations Guy

Whatever happened to plain old HTML?

Why is it that every site nowadays is nothing but java script, Flash, PHP and a whole lot of other useless crap?

I know I sound crazy, but I miss the days when the internet was just text and animated GIFs. At least we didn't have so many exploits and it only took a few seconds to download a single page. The annoying part is that it takes the same amount of time to download pages now, despite internet connections increasing 100 fold since then.

Posted Tuesday 11th May 2010 22:47 GMT

Chris Dickens

PHP

PHP is just a means of serving the content - a layer on top of the server. The problem is not keeping up to date with fixes/patches - if you don't do that any software on the server is just as vulnerable. Of course, it does have a very low barrier to entry so you get some very amateur developers writing easily compromised software. But, on the whole, it's a good thing.

On the other hand, I agree with the rest of what you said - the improvements in speed do just seem to be a way to push more crap down the line. Hence I use No-Script and FlashBlock - if the site doesn't work without JS or Flash (and doesn't need them - ie. a game) then I'll just find another. Wish more people would - perhaps it'd reduce the "need" for the crap.

Posted Wednesday 12th May 2010 08:57 GMT

bothwell

yeah mang

We should all just email our comments to the Reg and then somebody can copy and paste them into HTML files for us.

Posted Tuesday 11th May 2010 23:34 GMT

Craig Foster

What the......?

Microsoft *and* Symantec are faster at picking this up than others like Sunbelt?

Jokes about Symantec picking everything up as a virus aside, this does surprise me a lot.

I'm honestly interested in which AV vendors are combating 0-day stuff like this best...

Of course having a tied-down account and Firefox with no-script helps.

Posted Tuesday 11th May 2010 23:34 GMT

BlueGreen

@Chris Dickens: likely a dim question

Perhaps you can help me out. I know nothing about CMSs as I do backend stuff but I'd like to know the relationship between CMSs and scripting (because I'm completely with Crazy Operations Guy). Do all CMSs require client scripting, do only some, is optional with every CMS or is it irrelevant, in that scripting is just another text file that it will blindly serve up like any other. Or is it template driven such that you can eliminate scripting by choosing the right template, or what.

I might have to pick a CMS at some point to experiment with and I don't want any scripting if possibly avoidable. It'd be nice to start from the right place IYSWIM.

I realise this is a wider question that just php. Sorry if this is a bit tangential.

Posted Wednesday 12th May 2010 13:01 GMT

CD001

Seriously?

A CMS, in a nutshell, is a bunch of HTML forms (it could be XForms in theory but I've never seen one that is), wrapped up in an RBAC layer, that allows site data to be updated through those simple forms... that's it. Those are the only common features - there are SO many CMS systems written for the LAMP stack, practically everything else is optional.

The point is that your CMS should be a controlled environment that's not available for anyone other than approved users to access. Since your users are unlikely to be coders (think the marketing department) your CMS will be pretty useless WITHOUT client side scripts - you ARE going to need a WYSIWYG interface to create the HTML (TinyMCE, CKEditor ... etc).

However, so long as your RBAC system cannot be easily circumvented (which is the tricky bit) though use of URI manipulation, CSRF, XSS, SQL injection and the like, the risk from using a CMS is fairly low whilst the benefits are enormous (e.g. you build/integrate the CMS and then the marketing team do the work of keeping the site/products up to date whilst you drink tea and eat biscuits... erm, I mean, work on TNBT).

Posted Thursday 13th May 2010 19:26 GMT

BlueGreen

Yes seriously

and that was appreciated.

Posted Wednesday 12th May 2010 09:40 GMT

Nebulo

PHP-Nuke

A most appropriate name, under the circs.

Posted Wednesday 12th May 2010 21:53 GMT

Blitheringeejit

Manage what content?

Whether a CMS requires significant clientside scripting really depends on what type of content it's trying to manage. CD001 is largely right, but you only need a WYSYWYG interface like TinyMCE if you want to manage rich content. If you can manage with just plain text, a plain textarea will do fine - and the same principle applies to most other stuff which users upload.

But I suspect the majority of clientside script runtime these days is soaked up with all the ****ing googlemonster tracking and 'anal-ytics' bollocks, which doesn't improve the user's experience one jot, but which webmasters seem to think is essential to sell advertising, sorry I meant to propagate their web2.0orrhea around the multiverse in the vain assumption that anyone gives a sh*t.

Real social networks are, as any fule kno, called "the pub". See you there.

Posted Monday 17th May 2010 15:46 GMT

BlueGreen