Slashdot Mirror


PostNuke Open Source CMS Attacked

ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."

13 of 300 comments

  1. Re:PostNuke by RollingThunder · · Score: 1, Informative

    PostNuke is one of the most common content management systems out there. Not to flame or anything, but if you've never heard of them the rock must have been very comfortable to be under.

  2. Shhhh by temojen · · Score: 2, Informative

    NSA_KEY

  3. Re:PostNuke by pogofish · · Score: 2, Informative

    Good god, it took forever to find what they're about. Who invented their navigation scheme, Rube Goldberg? Their about page is http://docs.postnuke.com/index.php?module=Static_Docs&func=view&f=/aboutpn/whatispn.htm

    --

    A man without a God is like a fish without a bicycle.

  4. paFileDB isn't Free Software by Anonymous Coward · · Score: 2, Informative

    The vulnerability in this case was in the non-free download utility. Woops.

  5. Content Management Systems by echocharlie · · Score: 3, Informative

    PostNuke was a fork of PHP-Nuke, which itself was a poor system to develop and maintain. It doesn't surprise me that this has happened to PostNuke despite their efforts to secure the system. I'm glad they discovered this relatively quickly though.

  6. Nothing to see here... by Fnkmaster · · Score: 2, Informative

    These big Open Source CMS packages (PHPNuke and PostNuke in particular) seem to be extremely common targets of exploits. I don't think this is a function of being Open Source, since it specifically seems to apply to this type of software.

    I remember several SQL injection exploits for PHPNuke that seemed to be widely deployed in the script kiddie community. I am not sure if the underlying reason these packages are so vulnerable is pure sloppy programming (which seems to be present in a fair number of random PHP scripts out there - I won't comment on PostNuke in particular since I don't know it), the fact that they try to do so much functionality-wise leading to a lot of under-tested, under-reviewed code, or that they tend to be modular in nature, with lots of third party developers writing modules that end up getting widely deployed by users of the CMS, and thus being of more variable quality than you would expect if every check-in was reviewed at least somewhat centrally by the core developers.

    So in short, it's more likely a function of there being a lot of crappy code with obvious exploits in it AND that code being Open Source, however you explain that crappy code being there in the first place.

    1. Re:Nothing to see here... by BusDriver · · Score: 2, Informative

      Postnuke is a fork of PHP-Nuke, but they hardly contain the same code anymore.

      PHP-Nuke is developed by one person who (in my opinion) has very weird ideas of open source and how things should be done. He's basically a one man team and doesn't want anyone else touching his baby. They consistently find new bugs in PHPNuke's core modules.

      PostNuke on the other hand is developed by a team of good, knowledgeable people. There have been very few exploits for the PostNuke core modules.

      Of course, both these CMSs support 3rd party modules and often these are where the exploits are found. Because of this, people have this idea that the CMSs themselves are badly coded/vulnerable, when in fact it's badly written 3rd party modules.

      I run a PostNuke site myself (as you can probably tell by my bias above), but I also use mod_security and grsecurity to help keep the site tightened down. I have a lot of 3rd party modules myself and I just know they're going to get exploited at some stage!

  7. Re:Backdoor.... by jfengel · · Score: 2, Informative

    Provable? Really? When was the last time you saw any product proven secure, even with the source?

    Perhaps I'm being over-literal; "proof" is a very, very high standard which almost nothing ever lives up to. Even if the code doesn't contain obviously:

    if (password == guess || guess == "b4ckd00r") { ... }

    there are a million ways for a clever programmer to insinuate a back door that would survive substantial scrutiny.

    You don't need me to rehash the various security advantages of closed vs. open source; that's happening all over this thread. But I don't think it's up to closed source developers to prove their safety, since it's an impossibly high standard. They have the advantage of a more tightly controlled software development base (in contrast to community-developed software, although I realize that not all open-source is developed that way.) It's not perfect, but nothing is perfect shy of genuine proof, and the merits of each are debatable.

    I would personally love to see open source programs written in a language that admitted proofs; it's impossible in C and C++ and extremely unlikely in Java and C#. I'd love to see projects make formally stated claims like "only allows users with valid passwords" and have you run your proof-checker against the source code, just like you check the MD5s of all the software you download. (You do check all those MD5s, don't you?)

    It doesn't even have to be open source; both Java's VM and C#'s VM run substantial proofs on the object code. They're not sufficient to guarantee against malicious modification of the source code base. A proof language could be.
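The download check the comment alludes to ("you do check all those MD5s, don't you?") is the relevant defence against the incident in the story, a tampered release on the official download site. Written out as an added example (not code from the page, from PostNuke or from paFileDB), it verifies a release file against a sha256sum-style manifest line; the release bytes, the tampered copy and the filename PostNuke.tar.gz are constructed sample values, and SHA-256 stands in for MD5, which no longer resists collisions.

```python
import hashlib
import hmac

# Constructed sample values: a "release", a tampered copy of it, and the
# digest manifest a project would publish for it ("<hex>  <filename>").
SAMPLE_RELEASE = b"PostNuke release contents (constructed sample bytes)\n"
TROJANED_RELEASE = SAMPLE_RELEASE + b"# one injected line changes the digest\n"
RELEASE_NAME = "PostNuke.tar.gz"  # hypothetical filename
MANIFEST = hashlib.sha256(SAMPLE_RELEASE).hexdigest() + "  " + RELEASE_NAME + "\n"

def parse_manifest(text):
    """Parse sha256sum/md5sum-style lines into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        # Skip malformed lines (no two-space separator, non-hex digest)
        # instead of guessing what they meant.
        if not sep or any(c not in "0123456789abcdef" for c in digest):
            continue
        # sha256sum writes "*name" for files hashed in binary mode.
        expected[name.lstrip("*")] = digest
    return expected

def digest_bytes(data, algo="sha256", chunk=65536):
    """Hash data in chunks, as one would stream a large tarball from disk."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def verify_release(data, name, manifest_text, algo="sha256"):
    """True only if the file's digest matches the manifest entry for its name.

    A file absent from the manifest fails closed: whoever can replace the
    tarball can also upload one under a new name, so "unlisted" is not "fine".
    """
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False
    actual = digest_bytes(data, algo)
    if len(expected) != len(actual):
        return False  # wrong algorithm or truncated digest
    # Constant-time compare; the manifest text may itself be attacker-supplied.
    return hmac.compare_digest(actual, expected)
```

The manifest only helps if it arrives through a channel that whoever replaced the tarball cannot also rewrite (a signed file, or a page off the mirror); a digest fetched from the same compromised download site will simply match the tampered file.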

  8. Re:Proprietary No Better by Anonymous Coward · · Score: 1, Informative

    "BIND is a perfect OSS example of crappy security"
    You say this because:
    1. It's (currently) a popular opinion
    2. BIND has had some security issues in the past

    Yet most of the world's DNS uses BIND; it's an excellent piece of software: fast, stable and feature-rich.

    Are you going to say Apache is a perfect OSS example of crappy security? They've had plenty of their own problems, but you don't hear anyone harping about how they are insecure.

  9. Re:You gotta love biased terms by Domox · · Score: 1, Informative

    zealot, n. 1. One who is zealous, especially excessively so. 2. A fanatically committed person. Zealot: A member of a Jewish movement of the first century A.D. that fought against Roman rule in Palestine as incompatible with strict monotheism. Zealot is not a derogatory term nowadays; check out definitions 1 and 2.

  10. Re:Backdoor.... by tshak · · Score: 2, Informative

    And M$ software does not contain any backdoors?

    Considering the fact that most software at MS gets audited internally by completely separate teams, and a lot of software gets additional audits by third parties (MS is one of @Stake's customers), I would conclude that it is at least as unlikely that a backdoor exists in MS software as it would be in most any OSS project.

    Additionally, as already mentioned, many backdoors are carefully hidden, therefore limiting the potential benefit of having lots of people casually browsing the source.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips

  11. Re:Backdoor.... by d_jedi · · Score: 2, Informative

    Considering Microsoft opens its source to numerous governments, NATO, etc., I highly doubt it contains any backdoors.

    --
    I am the maverick of Slashdot

  12. PostNuke is _not_ PHPNuke by iammaxus · · Score: 2, Informative

    PostNuke was split from the PHPNuke code a few years ago and they have gone very different ways. PostNuke is much more secure and better coded. It is also truly open source, unlike PHPNuke's pay-to-get-the-latest-version scheme.