Slashdot Mirror


PostNuke Open Source CMS Attacked

ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."

11 of 300 comments

  1. You gotta love biased terms by antifoidulus · · Score: 5, Interesting

    This is offtopic, but why does it seem on this site whenever anyone supports a cause that could be even remotely contentious they are labeled a zealot?

  2. PostNuke by fiannaFailMan · · Score: 2, Interesting

    They have a very attractive website but this is the first I have ever heard of them, and try as I might I hunted high and low for a short, snappy answer to the questions of who are these people and what do they do? A link saying "about us" or a short paragraph explaining what they do would be a help. If I spent a bit more time there and trawled through the many articles I may have eventually figured it out, but my frustration threshold had already been passed and I had moved along.

    --
    Drill baby drill - on Mars
    1. Re:PostNuke by jaysmall · · Score: 2, Interesting

      Those URL arguments are, as I remember, mostly carryovers from PHP-Nuke.

      The Nuke variants are all designed to be highly modular portalware, but in my opinion, the modules and indeed some of the core components vary widely in programming quality.

      But this is a huge, diverse software package and it has plenty of lines of code to represent both the best and worst of open source.

      --
      -- Jay Small | Small Initiatives | Sensible Internet Design | smallinitiatives.com
  3. Wait wait... by SysWear · · Score: 5, Interesting

    How can this be to do with proprietary software and open source if it wasn't PhpNuke that was the cause of the vulnerability but a poorly written download management tool?

    From what I can see paFileDB isn't 'open source' (though its source is viewable, it's not licensed under a generally recognised Open Source License).

    ...?

    - Sadiq
    http://www.syswear.com/ - Geek t-shirts

    1. Re:Wait wait... by ergo98 · · Score: 2, Interesting

      How can this be to do with proprietary software and open source...

      It has nothing whatsoever to do with proprietary Vs open source, and the addition of that incendiary flamebait in the submission was completely unnecessary trolling. Amazing how the majority of the comments thus far have been knee-jerk reactions with the chorus of the converted fervently preaching to their pewmates.

  4. The nature of Open Source by vivin · · Score: 2, Interesting

    The beauty is that now that the vulnerability is known, there are already people out there working to fix it.

    No software is really 100% secure. They may always have some bugs or vulnerabilities. The cool thing about Open Source is that these vulnerabilities are quickly identified and patched, simply because the information is not proprietary. Compare this to Microsoft where some person finds an exploit, or when suddenly computers start getting slammed by a new virus that exploits a new vulnerability. In this case, the vulnerability is known, but it takes them a while to come up with a response.

    I don't see how this means that open source software is most likely to have backdoors. {/tinfoil hat on} I'd be more afraid that some corporation has a backdoor in their software that allows them to get my information. What is there to stop them from doing that? Isn't their code proprietary? Who can look at it? They can deny it, but how will they prove it short of opening their proprietary source? {/tinfoil hat off}. So saying that Open Source is the most likely to contain backdoors is a ridiculous proposition. Yes it may, but by its very nature, open source code is open to inspection and it doesn't take someone long to notice a backdoor and make it known to the community.

    --
    Vivin Suresh Paliath
    http://vivin.net

    I like
  5. Does anyone have a preference... by arashi+sohaku · · Score: 2, Interesting

    ... for a particular CMS system? PHP-Nuke, Xoops, PostNuke? Any others that may not have these exploits? Just wondering what people out there are using/have used.

    --
    No .sig for me, I'm trying to quit.
  6. nuke has dozens of exploits by SethJohnson · · Score: 4, Interesting



    I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there is an army of Brazilian script kiddies who constantly search for susceptible websites.

    I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unwieldy to apply or go unsupported.

    1. Re:nuke has dozens of exploits by gregmac · · Score: 2, Interesting

      It's fairly well known in the web development community (especially among php developers) that PhpNuke is a horribly designed piece of software. I haven't looked at it in a while, but it looks to me like the foundation of everything is flawed, and thus there are tons of security holes. It's basically at the point that PhpNuke is the Windows of the CMS world (take that however you want).

      I personally hate most CMS, because they're almost always created in the same pattern: design small CMS to post news articles, expand till it's doing the whole site, realize that your structure isn't flexible enough, continue modifying until you have something that is upgradable on your existing structure but that ALMOST gets the flexibility you need. I've been there - I had a very nice CMS at an old job during the .com that had been redesigned once already, and was about to be totally overhauled again to be based entirely on the concept of "blocks" - each page would be constructed of them. Add a header block, then a news listing block. If you wanted to, you could use multiple blocks on one page (ie, a file download section, and a forum). Unfortunately, that was when the company became a dot bomb, and I never got to finish it.

      The best CMS I've come across so far is Mambo. Its design is relatively good, and its interface is fairly nice. It does suffer from the same growing pains syndrome as the rest (ie, it has "components" and "modules" - components make up the bulk of a page, modules can be added along the side, or top/bottom). They're starting to merge them now so there's less of a difference - but again, it really should be designed that way from the ground up.

      --
      Speak before you think
  7. Re:Raise the bar. by bigNuns · · Score: 2, Interesting

    "...and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client."

    What crack are you smoking? I don't remember ever compiling a damn thing in order to log into IRC via a vax terminal. I'm sure someone did somewhere, but it surely was not me. *cough, vax terminal* And yes this was pre web.

    Yes, if only the internet was still just for elitist techies, with only 100 "qualified" programmers, then we would really have something.

    This is a really stupid troll.

    --
    .................... ...mmm farm fresh...
  8. Re:Content Management Systems by Dracos · · Score: 2, Interesting

    Xaraya is a fork of PostNuke, written by the people who forked PostNuke from PHPNuke (and who left the project en masse in August 2002, including myself).

    Xaraya shares no code and little architecture with any CMS in the nuke family... it is somewhere between CMS and application framework.