UTF-8 CuteNews: Security
A short guide to making your experience with CuteNews safer
Introduction
With UTF-8 CuteNews, a step toward a more secure Content Management System is made, but it is also up to you to take steps that reduce the risk of a successful attack.
Choosing your Password
Because CuteNews stores passwords as plain MD5 hashes (a single fast, unsalted hash, not encryption), it is very important that you use a strong password. A hacker who obtains the user database cannot read the passwords directly, but he can recover weak ones quickly: commodity hardware computes billions of MD5 hashes per second, and precomputed rainbow tables exist for common passwords and short "word plus number" patterns. Therefore use a long password that mixes digits, lower-case and upper-case letters (and ideally symbols), and avoid names, dictionary words and dates. A password like "leonie15" (a name plus a number) is cracked in seconds by a dictionary attack; "Le0n1E15x" is already better because it appears in neither wordlists nor standard rainbow tables, and a longer passphrase is better still. It is just as important that you urge your fellow administrators and users to choose strong passwords.
Additionally, use your CuteNews password only for CuteNews, and different ones for your e-mail account, FTP account, etc. Do not merely vary a common base: if "Le0n1E15x" is cracked from the CuteNews database, an attacker will try "Le0n1E27F" and similar variants against your other accounts next, so the passwords should be unrelated. Obviously, do not share your password with anyone else, and if you suspect that someone has been using your account, change your password immediately.
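The following Python script is an added illustration, not part of this guide or of CuteNews itself. It replays the attack described above against a constructed user database stored the way the guide describes, one unsalted MD5 per user. The user names, passwords and the four-word wordlist are invented for the example, and the mangling rules are a small stand-in for what a real password cracker applies.

```python
import hashlib
from typing import Dict, Iterable, List, Optional


def md5_hex(password: str) -> str:
    """The storage scheme this guide warns about: a single unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample user database in the shape CuteNews keeps it: user name -> hash.
# The names and passwords are invented for this example; an attacker who copies the
# file sees only the hashes.
_SAMPLE_PASSWORDS = {"leonie": "leonie15", "editor": "leonie15", "webmaster": "Le0n1E15x"}
SAMPLE_USERS: Dict[str, str] = {user: md5_hex(pw) for user, pw in _SAMPLE_PASSWORDS.items()}

# Constructed four-entry wordlist; real crackers use lists with millions of names and words.
WORDLIST: List[str] = ["leonie", "anna", "peter", "password"]


def candidates(words: Iterable[str]) -> Iterable[str]:
    """Cheap mangling rules: each word as typed and capitalised, alone and with a
    one- or two-digit suffix. That is enough to cover "name + number" passwords."""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for n in range(100):
                yield f"{base}{n}"        # leonie0 ... leonie99
                yield f"{base}{n:02d}"    # leonie00 ... leonie09 (repeats for n >= 10, harmless)


def crack(target_hash: str, words: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare it with the stolen hash; None if the list is exhausted."""
    for cand in candidates(words):
        if md5_hex(cand) == target_hash:
            return cand
    return None


def users_sharing_hash(users: Dict[str, str]) -> List[List[str]]:
    """Without a salt, equal passwords give equal hashes, so the database leaks which
    accounts share a password before a single candidate has been tried."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in users.items():
        by_hash.setdefault(digest, []).append(user)
    return [sorted(group) for group in by_hash.values() if len(group) > 1]


def crack_database(users: Dict[str, str], words: List[str]) -> Dict[str, Optional[str]]:
    """Crack all accounts in one pass: every candidate is hashed once and the digest is
    looked up against every user, which is exactly why unsalted storage is cheap to attack."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in users.items():
        by_hash.setdefault(digest, []).append(user)
    found: Dict[str, Optional[str]] = {user: None for user in users}
    for cand in candidates(words):
        for user in by_hash.get(md5_hex(cand), []):
            found[user] = cand
    return found


if __name__ == "__main__":
    print("accounts sharing a password:", users_sharing_hash(SAMPLE_USERS))
    for user, password in crack_database(SAMPLE_USERS, WORDLIST).items():
        print(f"{user:10} {'cracked: ' + password if password else 'not in this wordlist'}")
```

Running it recovers "leonie15" for both accounts that chose it (the two are recognisable as sharing a password from their identical hashes alone) after roughly 1,600 hash computations, while "Le0n1E15x" survives this wordlist. A real attacker simply uses a far larger list and more rules, which is why length and unpredictability matter more than any single letter-for-digit substitution.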
Security through Obscurity
Hiding the direct path to the CuteNews administration panel is not an easy task. If PHP error messages are displayed rather than suppressed, it is actually impossible to hide the path to the administration area in CuteNews 1.4.6 (or earlier), because the messages reveal it; this is fixed in UTF-8 CuteNews. Here is how you give hackers a hard time even finding the administration panel of your installation:
- Rename index.php: Rename index.php to something else, e.g. "CuteN_Admin.php" (something not too obvious). Be sure to change the value of $PHP_SELF in the renamed file as well, otherwise the panel's own links and forms still point at index.php. Open the renamed file and find the following line:
$PHP_SELF = 'index.php';
... and replace index.php with the new file name. Once index.php is gone, a request for the bare CuteNews directory no longer has a default file to serve; make sure directory listing is disabled on your web server (or put an empty index.html there), otherwise the listing reveals the new name.
- CuteNews folder: Hiding the path to the CuteNews directory itself is very hard, because the script needs that path to upload images and to store its smilies. It is possible to hide the path to the administration area by creating a new folder and changing a few lines of code, but renaming index.php, combined with a reasonably low number in the Login Ban setting, should be sufficient.
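The renaming step as an added Python helper (example code written for this guide, not part of UTF-8 CuteNews): it performs the rename, rewrites the $PHP_SELF line, and refuses to continue if that line is missing or ambiguous, so the panel cannot end up half-renamed and broken. The sample index.php it operates on, the name CuteN_Admin.php, and the empty index.html placeholder (a precaution against directory listings, not something CuteNews ships) are all constructed for the demo.

```python
import os
import re
import tempfile
from typing import Dict

# Matches the one line the guide tells you to edit, whichever quote style it uses.
PHP_SELF_RE = re.compile(r"""^([ \t]*\$PHP_SELF[ \t]*=[ \t]*)(['"])index\.php\2([ \t]*;.*)$""", re.M)

# Constructed stand-in for the top of index.php; the real file is much longer.
SAMPLE_INDEX_PHP = """<?php
// constructed sample, not the real CuteNews index.php
$PHP_SELF = 'index.php';
require_once "./inc/functions.inc.php";
"""


def patch_php_self(source: str, new_name: str) -> str:
    """Rewrite $PHP_SELF = 'index.php'; to point at new_name. Exactly one such line must
    exist; otherwise the file is not what we expect and it is safer to stop than to guess."""
    hits = PHP_SELF_RE.findall(source)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one $PHP_SELF = 'index.php' line, found {len(hits)}")
    return PHP_SELF_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{new_name}{m.group(2)}{m.group(3)}", source)


def rename_admin_entry(cutenews_dir: str, new_name: str) -> str:
    """Rename index.php to new_name inside cutenews_dir and patch $PHP_SELF in the copy.
    Returns the path of the renamed file."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.php", new_name) or new_name.lower() in ("index.php", "admin.php"):
        raise ValueError("pick a non-obvious name made of letters, digits, '_' or '-', ending in .php")
    old_path = os.path.join(cutenews_dir, "index.php")
    new_path = os.path.join(cutenews_dir, new_name)
    if os.path.exists(new_path):
        raise FileExistsError(new_path)
    with open(old_path, encoding="utf-8") as f:
        patched = patch_php_self(f.read(), new_name)   # validate before touching the disk
    with open(new_path, "w", encoding="utf-8") as f:
        f.write(patched)
    os.remove(old_path)
    # Precaution (assumed, not a CuteNews feature): with index.php gone, a request for the bare
    # directory may produce a listing that shows the new name if the server allows indexes.
    placeholder = os.path.join(cutenews_dir, "index.html")
    if not os.path.exists(placeholder):
        with open(placeholder, "w", encoding="utf-8") as f:
            f.write("")
    return new_path


def demo(new_name: str = "CuteN_Admin.php") -> Dict[str, object]:
    """Run the rename against a constructed index.php in a fresh temporary directory."""
    workdir = tempfile.mkdtemp(prefix="cutenews-demo-")
    with open(os.path.join(workdir, "index.php"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_INDEX_PHP)
    new_path = rename_admin_entry(workdir, new_name)
    with open(new_path, encoding="utf-8") as f:
        new_source = f.read()
    return {
        "old_exists": os.path.exists(os.path.join(workdir, "index.php")),
        "new_name": os.path.basename(new_path),
        "php_self_line": next(line for line in new_source.splitlines() if "$PHP_SELF" in line),
        "files": sorted(os.listdir(workdir)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point rename_admin_entry at your real CuteNews directory to apply it; the name check rejects index.php and admin.php because an attacker guesses those first.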
Questions
Is CuteNews safe?
UTF-8 CuteNews is reasonably safe. Administrators can no longer execute PHP code through the panel or desynchronize your database, and users can no longer register a user name that already exists with different capitalization. The real problem with CuteNews is that, because of its popularity and the lack of official support, known flaws spread quickly and are not fixed adequately.
The goal of UTF-8 CuteNews, as far as security is concerned, is to make your CuteNews experience safer and to educate users on how to stay safe from hackers. CuteNews 1.4.6 is more or less safe on the outside, i.e. against visitors who are not logged in, apart from its vulnerability to brute-force login attempts; the administration panel, however, is full of holes.
Should I take measures to hide the folder name in which CuteNews is?
You should be safe enough if the Login Ban function (which blocks further login attempts after the configured number of failures) is set to a reasonably low number. Simply renaming index.php to something else, as explained above, is already a very good security measure.