UTF-8 CuteNews: Security

A short guide to making your experience with CuteNews safer

Introduction

With UTF-8 CuteNews, a step toward a more secure Content Management System has been made, but it is also up to you to take steps to minimize the risk of hacking attacks.

Choosing your Password

Because CuteNews stores passwords with a weak method (plain MD5 hashing), it is very important that you use a strong password. A hacker who gains access to the user database will not be able to read the passwords directly, but he will be able to crack simple passwords easily.

Therefore, it is important that your password contains numbers as well as both lower-case and upper-case letters. A password like "leonie15" can be cracked easily, whereas "Le0n1E15x" is already better at resisting rainbow table lookups. It is also important that you urge your fellow administrators and users to choose strong passwords.

Additionally, use your CuteNews password only for CuteNews; use a different one for your e-mail account, FTP account, etc. The passwords do not have to differ entirely: for example, "Le0n1E15x" and "Le0n1E27F" are safe enough for most users. Obviously, do not share your password with anyone else, and if you suspect that someone has been using your account, change your password.

Security through Obscurity

Hiding the direct path to the CuteNews administration panel is not an easy task! If error messages aren't suppressed, it is actually impossible to hide the path to the administration area in CuteNews 1.4.6 (or earlier); this is fixed in UTF-8 CuteNews.
Here's how you'll give hackers a tough time to even find the administration panel of your CuteNews installation:
  1. Rename index.php: Rename index.php to something less obvious, e.g. "CuteN_Admin.php". Be sure to change the value of $PHP_SELF inside the renamed file to the new file name. Open the renamed file and find the following line:
    $PHP_SELF = 'index.php';
    ... and replace index.php with the new file name.
  2. CuteNews folder: Hiding the direct path to the CuteNews directory is very hard, as the script uses it to upload images and to store its smilies. It is possible to hide the path to the administration area by creating a new folder and changing a few lines of code, but renaming the index.php file (combined with a reasonably low number in the Login Ban setting) should be sufficient as it is.
An important security measure is to set the number of allowed login attempts before the IP address gets banned to a low number (I recommend 5). This function, which is only available in UTF-8 CuteNews, protects you from brute force attacks.
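The Login Ban mechanism described above, sketched as an added PHP example that is not UTF-8 CuteNews's own code; the storage file, the one-hour window and the function names are assumptions:

```php
<?php
// Added example, not UTF-8 CuteNews's own code: a flat-file login-ban counter
// of the kind the Login Ban setting provides. Path, window and names are assumed.

const LOGINBAN_MAX    = 5;     // allowed failures: the value recommended above
const LOGINBAN_WINDOW = 3600;  // assumed: failures older than this are forgotten
const LOGINBAN_FILE   = __DIR__ . '/data/loginban.json'; // assumed; keep it non-web-readable

function loginban_load(): array {
    if (!is_file(LOGINBAN_FILE)) {
        return [];
    }
    $data = json_decode((string) file_get_contents(LOGINBAN_FILE), true);
    return is_array($data) ? $data : [];
}

function loginban_save(array $data): void {
    // LOCK_EX so two simultaneous failed logins do not overwrite each other
    file_put_contents(LOGINBAN_FILE, json_encode($data), LOCK_EX);
}

// Check before processing a login form: true if this IP is currently banned.
function loginban_is_banned(string $ip, ?int $now = null): bool {
    $now   = $now ?? time();
    $entry = loginban_load()[$ip] ?? null;
    if ($entry === null || $now - $entry['last'] > LOGINBAN_WINDOW) {
        return false; // never failed, or the window has expired
    }
    return $entry['count'] >= LOGINBAN_MAX;
}

// Call after every failed login; returns how many attempts remain before the ban.
function loginban_record_failure(string $ip, ?int $now = null): int {
    $now   = $now ?? time();
    $data  = loginban_load();
    $entry = $data[$ip] ?? ['count' => 0, 'last' => $now];
    if ($now - $entry['last'] > LOGINBAN_WINDOW) {
        $entry['count'] = 0; // stale counter: start over
    }
    $entry['count']++;
    $entry['last'] = $now;
    $data[$ip] = $entry;
    loginban_save($data);
    return max(0, LOGINBAN_MAX - $entry['count']);
}

// Call after a successful login so a legitimate user does not stay penalised.
function loginban_clear(string $ip): void {
    $data = loginban_load();
    unset($data[$ip]);
    loginban_save($data);
}
```

Each failed login calls loginban_record_failure() with the client's IP; once it returns 0, loginban_is_banned() stays true for the rest of the window. The data directory must exist and be writable by the web server.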

Questions

Is CuteNews safe?
UTF-8 CuteNews is reasonably safe. Administrators can no longer execute PHP code or desynchronize your database, and users can no longer register user names that already exist in a different combination of lower-case and upper-case letters. The real problem with CuteNews is that, due to its popularity and the lack of official support, known flaws spread quickly and aren't fixed adequately.
The goal of UTF-8 CuteNews, as far as security is concerned, is to make your CuteNews experience safer and to educate users on how they can stay safe from hackers. Although CuteNews 1.4.6 is more or less safe on the outside (apart from its vulnerability to brute force attacks), the administration panel is full of holes.

Should I take measures to hide the folder name in which CuteNews is?
You should be safe enough if you have the Login Ban function set to a reasonable number. Simply renaming index.php to something else, as explained above, is already a very good security measure.