PHP Nuke as a Web Platform

Unless your client has any specific reasons for using it I'd say sack it off and use wordpress.

It is odd that your client would be dictating what you use on the technical side of things. A good wordpress theme can do exactly what phpnuke does for a small price.

With iam here. Why the need for php-nuke?

From Wikipedia:

Several security holes have been discovered in PHP-Nuke, including SQL injection via unchecked PHP code.[2][3] PHP-Nuke may have issues with some search engine indexes. PHP-Nuke does not use simple URLs or unique titles for pages..

From its own site:

PHP-Nuke is back with its new version 8.3 absolutely free.
PHP-Nuke 8.3.2 fix some security issues and become compatible with PHP 5.3.

PHP5.3 ?! (Nov 2009 - June 2013)

The site is horrendous to navigate and if it's built upon its own cms, then avoid at all costs. If it's not built on phpnuke, then one has to wonder "why not"?

I'm not a hater, but it seems to have well and truly run out of steam.

PHP-Nuke 8.3.2 fix some security issues and become compatible with PHP 5.3.

By the way, this is not even completely true, most of their filters are based on the ereg functions, which are deprecated since 5.3 and vulnerable to the null byte attack. For example check their validate mail function at this link:

• https://bitbucket.org/phpnuke/phpnuke/src/988b71c099f0e669459e3c3093a535957ec73ed1/html/mainfile.php?at=master#cl-1393

Now this is the test:

<?php

error_reporting(E_ALL ^ E_DEPRECATED);
$email = $_GET['email'];

function validate_mail($email)
{
    if(strlen($email) < 7 || !eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,6}$", $email))
    {
        return 'E-mail error';
    }

    else
    {
        return $email;
    }
}

echo validate_mail($email);

And submit a link like this:

http://localhost/example.php?email=your@email.com

It will print the mail, correctly, but try for example to add a second string, like another mail or a javascript:

# example 1
http://localhost/example.php?email=your@email.tld%00' or email='attacker@mail.tld'

# example 2
http://localhost/example.php?email=your@email.tld%00<script>alert('hello')</script>

If you add the null byte character %00 then: in the first case you can perform a SQL injection, in the second case you can perform an XSS attack. Now, in case of Google Chrome this code does not execute because of their CSP, and if you open the javascript console you will see why:

The XSS Auditor refused to execute a script in '... link ...' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

but the other browsers will still execute the javascript.

More information:

• http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection

The client is more familiar with it and he will be doing the updating himself. I am advising him to just use wordpress but he just won't budge. Is wordpress capable of adding a nice forum similar to that of php-nuke?

Unless your client has any specific reasons for using it I'd say sack it off and use wordpress.

It is odd that your client would be dictating what you use on the technical side of things. A good wordpress theme can do exactly what phpnuke does for a small price.

lgnuke.com fix it for php 5.4 and 5.5

I do understand the familiarity of the client, but it is a backward technology. There is a forum extension for wordpress.

PHP nuke is just like Concrete 5 frozen in PHP 5.3.

If you use Wordpress, you can either create or use readily available bridge for wordpress and phpBB. At least, phpBB is now using symfony2 components.

If the client don't like wordpress, there is drupal with advance forum module. Drupal also uses Symfony2 components. Another lightweight CMS would be Pagekit built using symfony2 components and others.