PostNuke Open Source CMS Attacked
ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."
This is off-topic, but why does it seem that on this site whenever anyone supports a cause that could be even remotely contentious they are labeled a zealot?
Monstar L
And how can we be sure that closed source software doesn't contain backdoors? Open the source!
And M$ software does not contain any backdoors? If M$ and the (rest) of the proprietary/closed-source/hood-welded-shut consortium is going to make accusations of this nature, they should be able to back up their stance with, at the very least, an opposite and provable condition in their own software.
They have a very attractive website but this is the first I have ever heard of them, and try as I might I hunted high and low for a short, snappy answer to the questions of who are these people and what do they do? A link saying "about us" or a short paragraph explaining what they do would be a help. If I spent a bit more time there and trawled through the many articles I may have eventually figured it out, but my frustration threshold had already been passed and I had moved along.
Drill baby drill - on Mars
All I'm asking is can I get a Beowulf cluster of dat.
vicious, untreated political sewage...niche entertainment for the spiritually unattractive...worshipless pap
I prefer the backdoors that I can see and deal with to the ones I cannot.
How can this have anything to do with proprietary software and open source if it wasn't PHP-Nuke that was the cause of the vulnerability but a poorly written download management tool?
...?
From what I can see paFileDB isn't 'open source' (though its source is viewable, it's not licensed under a generally recognised Open Source License).
- Sadiq
http://www.syswear.com/ - Geek t-shirts
Wasn't there a company recently that basically had anonymous FTP access to its corporate servers for over a year? I think it might have been Diebold, a security company. Anyway, security is becoming a pissing match between OSS and proprietary software. All software more than two lines of code has security holes. All software has flaws, be it OSS or proprietary. Why is it such a big deal when one type of software has an issue such as this? The only real issue is when a piece of software or a company has a history of producing software with crappy security. Even then, it does not mean their choice of OSS v. proprietary is bad or wrong, just that they suck at security. E.g. Microsoft has a good process, but their products suck at security. BIND is a perfect OSS example of crappy security. Does that make one process better? No, I do not think so.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
And while that's not so bad, customers often don't understand its security mechanisms so they leave lots of folders writable as well.
Pretty embarrassing for $25K per CPU...
Proprietary software zealots? Huh? I've seen plenty of open source zealots, where zealot is defined (dictionary.com) as "A fanatically committed person." I've never seen anyone be fanatic about proprietary software. I've seen plenty of people say "I make money with proprietary software so that's why I do it," but never someone holding it up as a near-religious institution like the majority of OSS folks. Not that I'm saying it's bad to be an OSS zealot, but like so many things on Slashdot, the person who submitted the article is misusing a buzzword. How can a community that gets so pissed off about people putting i- and e- in front of things be so accepting of cultivating our own pile of buzzwords and overusing them?
And before you bother with the standard joke, no, I'm not new here
When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.
It's a short hop to realizing that the problems we're experiencing with exploits, virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.
Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.
It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The beauty is that now that the vulnerability is known, there are already people out there working to fix it.
No software is really 100% secure. It may always have some bugs or vulnerabilities. The cool thing about Open Source is that these vulnerabilities are quickly identified and patched, simply because the information is not proprietary. Compare this to Microsoft, where some person finds an exploit, or where suddenly computers start getting slammed by a new virus that exploits a new vulnerability. In this case, the vulnerability is known, but it takes them a while to come up with a response.
I don't see how this means that open source software is most likely to have backdoors. {/tinfoil hat on} I'd be more afraid about some corporation having a backdoor in their software that allows them to get my information. What is there to stop them from doing that? Isn't their code proprietary? Who can look at it? They can deny it, but how will they prove it short of opening their proprietary source? {/tinfoil hat off}. So saying that Open Source is the most likely to contain backdoors is a ridiculous proposition. Yes it may, but by its very nature, open source code is open to inspection and it doesn't take someone long to notice a backdoor and make it known to the community.
Vivin Suresh Paliath
http://vivin.net
I like
NSA_KEY
Oh no... we never get any patches submitted! And I do mean never... sorry, but it just doesn't happen. That's not even an issue. :)
Even better would be if GNU tar supported such signatures automatically. For example if file extension was "tar.pgp", it could force checking the signature, and if it wasn't found or it was invalid, it wouldn't do anything. That way I wouldn't ever have to think about verifying it - I could see from the file name that it should be valid (of course, getting the trusted pgp keys might require more work..). Oh, and of course the .tar.pgp would be backwards compatible with standard tar, they would just contain some extra "checksum.pgp" file or something.
Wouldn't -any- form of downloadable software be vulnerable to this? It seems to me the issue here isn't that the software is open source so much as that the software is downloadable. Proprietary versions of a product can also be hacked. It's just that distributing the software via shrinkwrap (mostly) prevents hackers from inserting a hack into the product, not the fact that the software is proprietary. It's true that open source products tend to be downloadable more often than proprietary products, but it's not their "open sourciness" that makes them vulnerable to this particular problem, just their downloadableness.
I hope that after I die the one word people use to describe me is "resurrected."
hmmm, I have always thought of post nuke, as a big smoking hole in the ground. (/me is scarred for life by knowing what was happening during the Reagan administration)
Now apparently they have discovered a big smoking hole!
Ok, I deserve a troll, or offtopic mod for that crap, but if all else fails just leave it at 1 and it will be just fine.
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
You must be new here.
Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
This would not have happened, and would have been detected, if the packages were signed. Maybe it's time for the open-source community to think of a standard way to sign tar files. A standard way that would be checked by the tar program itself.
You get a tarball; tar verifies that this tar is signed and checks the signature with either a local or remote public key. If it matches, it prints out the name and email for which the signature is valid. If those match with the developer you're safe (well, at least if you trust the developer himself).
Why tar? Because we need a signature for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usually already signed by the distribution.
[]'s Victor Bogado da Silva Lins
^[:wq
That's new to me, what I've read has always been the other way around, we have to worry about backdoors in closed source stuff, and that's by design!
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The vulnerability in this case was in the non-free download utility. Woops.
Doesn't Darl fit the bill?
AnimeNEXT anime convention
Wouldn't that be... the whole world, mostly?
If guns kill people, then CmdrTaco's keyboard misspells words.
You must have never gone to a .NET developer meeting. A few people in the CIS dept (the business side of IT, not the engineering folk) had such a club going, which I attended a few times for the free food, t-shirts, copy of WinXP, copy of Dev Studio, etc.
These guys would claim Microsoft had invented the Sun, and should be worshipped for such an achievement. It really was interesting to observe.
At one point I won a door prize of my pick between several "writing secure code" books by MS Press. I said if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from... everyone just stared at me slack jawed.
no comment
Or does there seem to be a lot of sites with PHP implementations having security issues? I know that it's not the fault of the tool as much as the fault of the mechanic. But sheesh. To me it seems as if PHP is on par with Visual Basic in being a springboard for insecure code.
Yeah, those people calling free software a "cancer", unAmerican, and free software users "thieves". The people who put up Steve Barkto and continue their efforts with people like you. They are constantly going on about "fairness", "balance" and all that while themselves post the most vile garbage and run shakedowns like the BSA and SCO, which threaten and ruin people and businesses. They have even sued school systems. Not content to look bad in the media, they have purchased NBC! That's some of the most self righteous stuff out there. If that's not fanatically committed, what is?
Yet you would compare greedy jerks like that to people who expect no financial reward for their code or those who notice that free software is generally better than non free software? OK.
Of course, it does not work. People and companies are judged by what they do, not what they say.
Friends don't help friends install M$ junk.
I remember several SQL injection exploits for PHP-Nuke that seemed to be widely deployed in the script kiddie community. I am not sure if the underlying reason these packages are so vulnerable is pure sloppy programming (which seems to be present in a fair number of random PHP scripts out there - I won't comment on PostNuke in particular since I don't know it), the fact that they try to do so much functionality-wise leading to a lot of under-tested, under-reviewed code, or that they tend to be modular in nature, with lots of third party developers writing modules that end up getting widely deployed by users of the CMS, and thus being of more variable quality than you would expect if every check-in was reviewed at least somewhat centrally by the core developers.
So in short, it's more likely a function of there being a lot of crappy code with obvious exploits in it AND that code being Open Source, however you explain that crappy code being there in the first place.
Considering NewsForge and Slashdot run on Slash, an open-source alternative to the open-source product which was trojaned, shouldn't your conspiracy theory be working the other way?
I dislike the term 'zealot' though. I would say 'enthusiast.' The term 'zealot' is just a blatant piece of invective designed to denounce someone, like a recent Fox News article that referred to groups opposed to sprawl as the 'anti sprawl mob.'
Personally I would be a fan of any well-written software that lets you do cool stuff be it open source or proprietary.
Drill baby drill - on Mars
Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
Ah, but Slashdot's double standards are Open Source!
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?
Mr. Matzan, I question why the editors would accept a submission by you that was nothing but copy-and-pasting the first paragraph out of your article on News Forge into the Slashdot submission box.
Regardless, I object to the assertion you've made above. No respected person, zealot or otherwise, has ever said that "open source programs are likely to contain backdoors." The article you cite for this assertion is Steve Lipner of Microsoft making some observations about the difficulty of security, and contrasting the security process behind open and closed source software. His claims may be questionable, but they are serious and they do deserve a meaningful response. Dismissing those claims by building a snarky little strawman through mischaracterization is not the response they deserve.
This security flaw was discovered in three days, unlike the security hole found in Microsoft Passport last year. From the article...
Extortion using information gathered from hacking into corporate sites has been happening for years. I've seen reports that say it actually is rarely reported to the public, and that the situation is much worse than people know. The fact that a site that deals with open source has been targeted would be expected. And because the nature of open source deals with open collaboration, it would have a disproportionate amount of publicly revealed reports of hacking, in comparison to proprietary sites that would keep things under wraps as much as possible.
Could anyone post a list of websites which might have downloaded and installed that backdoor so we could avoid posting any sensitive information there until we know for sure that the problem has already been resolved?
Yes... so we can avoid them...;)
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
A site is responsible for distributing an application based on a platform that's been a script kiddie playground for years now.
The site gets its source code repositories compromised.
The site's maintainers apparently don't verify any MD5 checksums on a regular basis.
The general public knowingly downloads said compromised source code without verifying any MD5 checksums either.
Boy oh boy. I thought Windows "experts" were clueless.
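A worked version of the idea raised twice earlier in this thread (a signature that tar itself checks, carried inside the archive as an extra "checksum" member so that ordinary tar still extracts it) and of the checksum complaint in the post above. This is an added example, not code from PostNuke, paFileDB or any poster. Go's standard-library Ed25519 stands in for PGP; the member names SHA256SUMS and SHA256SUMS.sig, the tarFile type and the one-file PHP "release" are assumptions of this example. Obtaining a trusted copy of the developer's public key is still the downloader's problem, exactly as one poster notes.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Extra member names, assumed here after the SHA256SUMS / SHA256SUMS.gpg pair.
const manifestName, sigName = "SHA256SUMS", "SHA256SUMS.sig"

type tarFile struct {
	Name string
	Data []byte
}

// buildSignedTar packs the payload into a plain tar and appends a manifest of
// SHA-256 digests plus an Ed25519 signature over that manifest. Ordinary tar
// still extracts the result; only verifySignedTar reads the two extra members.
func buildSignedTar(files []tarFile, priv ed25519.PrivateKey) ([]byte, error) {
	var manifest, out bytes.Buffer
	for _, f := range files {
		sum := sha256.Sum256(f.Data)
		fmt.Fprintf(&manifest, "%s  %s\n", hex.EncodeToString(sum[:]), f.Name)
	}
	all := append(append([]tarFile(nil), files...),
		tarFile{manifestName, manifest.Bytes()},
		tarFile{sigName, ed25519.Sign(priv, manifest.Bytes())})
	tw := tar.NewWriter(&out)
	for _, f := range all {
		if err := tw.WriteHeader(&tar.Header{Name: f.Name, Mode: 0o644, Size: int64(len(f.Data))}); err != nil {
			return nil, err
		}
		if _, err := tw.Write(f.Data); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// verifySignedTar checks the manifest signature with a key the caller already
// trusts, then checks every payload member against that manifest, and returns
// contents only when both pass: the "bad signature, tar does nothing" rule.
func verifySignedTar(archive []byte, pub ed25519.PublicKey) (map[string][]byte, error) {
	members := map[string][]byte{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if members[hdr.Name], err = io.ReadAll(tr); err != nil {
			return nil, err
		}
	}
	manifest, sig := members[manifestName], members[sigName]
	if manifest == nil || sig == nil || !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("no signed manifest, or its signature does not verify")
	}
	delete(members, manifestName)
	delete(members, sigName)
	// Each "digest  name" line must name a present member and each member must
	// match a line, so whoever can add or alter files in the tarball (as the
	// paFileDB intruder could) cannot slip anything past the signed manifest.
	expected := map[string]string{}
	for _, line := range strings.Split(string(manifest), "\n") {
		if p := strings.SplitN(line, "  ", 2); len(p) == 2 && members[p[1]] != nil {
			expected[p[1]] = p[0]
		} else if line != "" {
			return nil, fmt.Errorf("manifest line %q is malformed or names a missing member", line)
		}
	}
	for name, data := range members {
		sum := sha256.Sum256(data)
		if expected[name] != hex.EncodeToString(sum[:]) {
			return nil, fmt.Errorf("member %q is unlisted or does not match its signed digest", name)
		}
	}
	return members, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-in for a release tarball, not real PostNuke sources.
	archive, _ := buildSignedTar([]tarFile{{"index.php", []byte("<?php echo 'hi'; ?>\n")}}, priv)
	tampered := append([]byte(nil), archive...)
	tampered[bytes.Index(tampered, []byte("echo"))] ^= 1 // one flipped payload byte
	_, good := verifySignedTar(archive, pub)
	_, bad := verifySignedTar(tampered, pub)
	fmt.Println("pristine:", good, "\ntampered:", bad)
}
```

Run it with `go run`; the pristine archive verifies and the one with a single flipped byte in index.php is refused before anything is extracted. The two-way check (every listed file present, every present file listed) is what separates this from simply publishing MD5 sums beside the download: an attacker who controls the download site can replace the sums as easily as the tarball, but cannot re-sign the manifest without the developer's private key.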
My website in its original form was done in PostNuke. I had a hack of a time getting the forums stable.
Because of the editorial content that I did there - the accused used the crashing forums [and subsequent deletions of content] as a way to question my credibility as a source of reliable information.
It was also next to impossible to find content within the substrings of data - if you wanted to rebuild the crashed data.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
At one point I won a door prize of my pick between several "writing secure code" books by MS Press.
CIS people are managers who generally learn everything they know about computers from Microsoft-sponsored developer meetings. It's an incestuous little relationship, much like the one between doctors and drug companies. It's not healthy for anyone but Microsoft, believe me.
Regardless, you should have taken one of the "writing secure code" books. Microsoft does employ some very smart people, and the Microsoft Press books are often reasonably good. As a publisher, I personally rank them on about the same level as O'Reilly or Prentice Hall/Sun Microsystems, though not as good as Addison Wesley.
... for a particular CMS system? PHP-Nuke, Xoops, PostNuke? Any others that may not have these exploits? Just wondering what people out there are using/have used.
No
...and all move to slashcode already. :D
Oops, how did this get here?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there are an army of Brazilian script kiddies who constantly search for susceptible websites.
I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unwieldy to apply or go unsupported.
$5 / month hosted VPS on linux = awesome!
I love how the news sites always use the term "attacker". We all know it was Doug, you know it and I know it. And thanks a lot Doug! You jerk!
--I'm not talking about dance lessons. I'm talking about putting a brick through the other guy's windshield.-
Jew, Muslim, or, to put it generally: theist.
Truth is like a shining mirror that's been shattered.
Yes, so we can avoid them. There is nothing funny about that. The point is that all of them should be immediately shut down until the backdoors are closed and the issues are resolved.
Do you really think that it was an amateur script kiddie job? Do you think that someone who managed to backdoor that software will be unable to find affected websites?
Let's stop being so naïve. I believe it is more important for people to know that someone might steal their credit card number than the temporary inconvenience of website owners which would be pressed to shut down their websites to quickly resolve the issue.
Keeping vulnerable websites secret is not even a security through obscurity, because attackers can already find those websites without any problems. Meanwhile, normal users are not notified when someone installs a backdoor. Normal users don't run network scanners. Normal users cannot read webserver download logs. And those very normal users are at risk here. They have the right to know who is serious about protecting them from credit card theft and who is not. They have the right to choose who do they prefer doing business with.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
In one breath you say that the internet was better when people had to know how to use makefiles (programming tools) to gain access to fora.
In the next breath you decry VBScript access by poor programmers.
Then you finally propose limiting access to compilers using price or whatever.
This is not logically junct. The whole first premise of fora access having been subject to control by having an effective "entrance exam" of getting the code and compiling it does nothing to support your later position that limiting access to compilation tools would make things better.
How this is "interesting" is beyond me.
You don't make better citizens by removing access to society. So you don't make the net better by bemoaning ready access to compilers. IT ISN'T THE COMPILER'S FAULT that the net's citizens have a certain "wacko" contingent that thinks it is a game of cops and robbers. Limiting access to compilers "via price" isn't going to stop the thieves from stealing the compilers to do the jobs anyway. They're criminals and they know how to do things like copy compiler CDs.
In point of fact, if everybody on the internet had to get, marginally port, and build their own client and server software people wouldn't take the net for granted so easily. That would be interesting, but it isn't even a practical thing to wish for.
Your "thought" is, by direct allegory: When I first learned to drive we didn't even have to lock our cars. Nowadays anybody with a coat hanger can unlock a car. Coat hangers should be a controlled commodity.
HUA?
The facts are simple.
Some small percentage of people will go where they are not wanted and do unpopular things. We don't know why, because it varies from case to case. We lock our cars and we lock our homes, and we have banks and armored cars.
But the internet is made out of screen doors and cardboard walls, mostly because that is the highest standard of construction most of the people on the internet are happy to have, and they are willing to pay good money for someone to hose the cardboard down for them to make it "soft and easy to work with."
Whenever someone gets all surprised that their unlocked straight-from-the-box system got "hacked" because they didn't even take the minimum required effort to read the manual and follow the required steps, my heart only bleeds so much before I lose interest.
Don't get me wrong. My home firewall (Slackware Linux plus a customized firewall script I found on the net) takes *dozens* of nominal attacks a minute. In particular there is some script that about 40 different addresses have run against my system in the last five days, sending the same series of user-name-and-password sequences to my sshd. (A new exploit in the field or just a new script-kiddy example of some old one? Who cares...) That PISSES ME OFF because I could be using that bandwidth to raise my points-per-hour on UT2004, get my email faster, or whatever, but it is soaked up in these little bursts of trespass. I've got the IP addresses of these intruders and I wish there was a way to do something about it. But it's a cable modem, so what are you going to do? You protect yourself and you wait for the novelty to wear off, or for the *default* security on the net to get good enough for this kind of random IP attack to become sufficiently unprofitable and uncommon.
Let's face it, if Microsoft was not such a *crappy* software company, most of these port-scan fishing expeditions would never have even come into existence. It didn't require access to a compiler to figure out that IIS could be owned by adding double-dot elements to a valid URL to reach the root folder on Windows based servers. It doesn't take much at all to make a dictionary attack on a site.
Turning the internet into a vast field of X-Box appliances that can only be accessed by "trusted corporations" isn't a viable direction. And any "let's make it expensive and controlled" to any degree short of complete draconian separation w
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
There are plenty of alternatives. A quick search at freshmeat.net for CMS reveals many when sorted by popularity. I'm still using nuke because I have too much content invested in the architecture to easily switch now. But Plone looks good to me. I suppose it mostly depends on what a publisher is looking for in features. I was originally attracted to phpNuke because of all the modules and huge development community. Now I've found that it's the modules that provide most of the security vulnerabilities, so I've had to disable them all.
Running your site on a popular publishing platform is great, except that there are hundreds of krackers hunting exploits in the software, and when one is found, there are hundreds of attackers searching Google for sites running the software with the vulnerability. Although obscurity is no reliable form of security, I would prefer it to being a high-profile target.
$5 / month hosted VPS on linux = awesome!
It's well known to be riddled full of security holes, it's horrible to maintain or extend, it looks and feels unprofessional, and it falls apart under pressure.
Kids, if you want a real content management system like grown-ups use, you should download Plone. It's high quality free open source software, it works great right out of the box, it's secure, and it cooks a lot better than a 60 watt lightbulb.
-Don
Take a look and feel free: http://www.PieMenu.com
OSS critics fail to realize that Open Source refers to the style of license that the software has. Open Source is not really a "brand" like Microsoft.
This particular software may not be extremely well written. It just so happens the authors decided to GPL it, making it Open Source. Just sticking a license on the software and revealing the source code doesn't magically make it good or bad.
There are plenty of bad programs released under the GPL, just like there are plenty of bad closed-source products out there.
"You spoony bard!" -Tellah
Go on, you know you want to - respond as AC if you need to. :)
creation science book
It WASN'T designed with security in mind. (not to mention php-nuke, heh).
I wonder if the "nuke" in the name already gave us a hint?
Plone runs on top of the Zope application server. Zope is quite secure, and it scales up reliably to manage huge web sites, like The Boston Globe.
-Don
Take a look and feel free: http://www.PieMenu.com
How many millions has Ballmer made from being "fanatic about his near-religious institution"? If I was snorting coke off a 20 thousand dollar hooker's ass with a rolled up hundred dollar bill, I might become a bit fanatical too. That still doesn't show a trend in "real people."
I thought that BIND 9 was actually pretty good in the security department. At least it seems to be much better than 8 or 4. Or am I wrong?
----- Question authority, but not ours. Hate the man, but we're not him.
Well, you may not be new here, but I can assure you that I am surrounded by M$ fanatics, who waste millions of (tax) dollars buying M$ crap for public education, when there are far better OSS solutions available. I deal with constant subtle (and sometimes not so subtle) pressure to give up linux and join the Dark Side ;-) at work. Of course, I smile as they spend their lunch hour dealing with M$ network and OS problems, while I actually eat lunch! :-) They refuse to even step inside my lab and look at linux...so I guess, in addition to being closed source fanatics, they are close minded fools as well! :-)
-- "May the Source be with you!"
Next time, smile, take the book, and sell it on ebay, then donate proceeds to an OSS project ;-).
Or just use it for an endless series of jokes..."...my PHB said he was concerned about all these M$ security problems, so I told him: 'No problem, I have the M$ security bible right here...ROTFL'..."
-- "May the Source be with you!"
so I guess, in addition to being closed source fanatics, they are close minded fools as well!
You've actually spelled out the gist of my whole argument. I don't think they are closed source fanatics at all, but they ARE closed minded fools. Using what you are familiar with because you are scared of change doesn't make you a zealot, it makes you timid. I don't think the hordes of people out there using MS, and even advocating its use, are doing so because they adore closed source software; it's because they don't understand the benefits of open source, and haven't been educated enough to change their closed minds, or even to make an informed decision about the choices and think for themselves. Instead, they are mostly doing what they've always done, because familiarity breeds comfort.
To use a religious analogy, and please don't jump down my throat thinking I'm attacking Christians. I'm not. A closed minded Christian might lobby to have evolution removed from a school curriculum. A zealot Christian might scream at you and call you a blasphemer for even bringing up the subject. Both are difficult to deal with, and even annoying, but a closed minded person has a small chance of having his mind changed if forced to face the facts. A zealot is more likely to lash out at you when cornered.
A zealous pursuit of profits is called greed. When you do it at the expense of others it is criminal. Calling people names is also known as slander, a crime. Lying about the capabilities of something you are selling is a form of fraud. Threatening people you do business with is called extortion, also a crime. Threatening people with lawsuits is judicial extortion, another form of fraud. Manipulating stock prices is also fraud. If these are your heroes, you may also be a criminal, extortionist, liar and fraud.
Here's the real nitty-gritty... if you are a strong supporter of open source, you are doing it for intangible reasons.
Like love of truth and fellow man? Maybe, and that's not a bad motive. It might also be a form of reputation protection. You see, people I lie to have a tendency not to trust me anymore. Without trust, I don't have much business. It's in my best interest to honestly evaluate things and faithfully report what I find to friends and business associates.
While stock prices might not exactly be tangible, the new Ferrari sitting in the garage sure as hell is. In the proprietary software world, it all comes down to the Benjamins.
So, what's your motive? I imagine you don't have a Ferrari in the garage and know that you won't get one trying to sell Windoze software these days.
Friends don't help friends install M$ junk.
Why would anyone ever trust a developer release? Seriously, I download something from the developers' site once in a blue moon when I'm working on the code. Any other time, I wait for a system integrator to worry about all of the issues that I don't have time for (does it play nice with the other 750 packages I have installed? is it a substantial change that is going to break compatibility with other systems? Did important bug-fixes get picked up or do they need to be re-integrated with this version? Are there any new security issues? etc...)
Why on earth anyone would want to take on all of that work just to get some features a few months early I can't imagine. I have better things to do with my time.
I'm guessing it is Microsoft Content Management Server.
Who else but Microsoft could get a PHB to fork over 25 large for a CMS that is no more capable than some of the free ones out there? Also, the phrases "World Readable" and "Word Writable by default" smell of old Microsoftware.
While I appreciate PostNuke and all the PHPNuke spinoffs that have appeared over the years, they all have contributed to making PHP seem like a poor language choice, given their failure to enforce standards or even properly review the code they incorporate. Does it work? Ok, let's use it. Did it break anything? Ok, distribute it. I have personally designed 3 CMS systems and worked on 2. Never have I failed to review and comment EVERY SINGLE LINE of code, nor have I ever incorporated or written any code that has directly resulted in the systems being compromised. I tried installing PHPNuke all of 6 months ago and it was a mess. In my professional opinion, I cannot recommend PHPNuke.
No I am not here to push any other package nor to encourage ppl to "write their own" when I'm sure you can dig up preferable and reliable alternatives from as far as two years back.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
BIND is the market leader, and there is more info out there than for any other DNS. Its security issues are overblown (as they are not issues in the latest version). It is rock-solid stable and consumes relatively few resources.
I'm open to suggestions, save for one perhaps: Microsoft's DNS. The MS implementation is (or long had been) broken in terms of complying with specifications. In my experience it was less reliable as well. BIND9 hasn't caused *me* any real problems anyway--it even does dynamic DNS with my DHCP clients without a hitch (once I figured out how to config it).
PHP-Nuke (which PostNuke is a fork of) has always been known for being hideously insecure, with most of the vulnerabilities either to do with not checking supplied variables (SQL injection) or admin.php (the admin script for adding news/downloads/forums/etc).
downloads.postnuke.com was using a copy of paFileDB modified to be integrated as a PostNuke module, which would shift admin access for the downloads over to PN's admin.php. Could it be possible that the intruder got access to it via an admin.php vulnerability?
"With Microsoft, you get Windows. With Linux, you get the full house" - unknown
"The thing is, it was not the result of a malicious code infection, but a direct addition by the original Borland/Inprise authors done before the program was released as open source"
So, an admin type back door, not a hack.
Frankly, I'm surprised we don't see more problems like this in widely used open source systems like this.
I look at this infrequency as a testament to the development skills of the community at large.
scott king
PostNuke was split from the PHPNuke code a few years ago and they have gone very different ways. PostNuke is much more secure and better coded. It is also truly open source, unlike PHPNuke's pay-to-get-the-latest-version scheme.
Reading the article you may wish to note the fact that the Postnuke software package does not contain the exploit. It was the download management software they use to distribute the package called Postnuke that was exploited.
Simply put, what was exploited was not code contained within PostNuke but instead a package called paFileDB.
It would seem everyone is saying it's the PostNuke team's fault. If you're going to jump someone's case you should actually go after the developers of PHPArena.
While I understand what you are trying to say I disagree with the " if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from" statement.
Don't do != Don't know how to do.
I am not a security guy at MS, but I happen to know a bunch of them. They are, for the most part, VERY good at what they do. However, for better or for worse, there are other factors that dictate a certain course of action. Say, for example, brain-dead upper management.
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
I didn't blame the core developers directly in my posts. But yes, they do share the blame. They should have constructed the handles for modules such that no module can touch the database directly. As it is, SQL injections are rampant in the third-party stuff. It shouldn't be a matter of the module developers following guidelines. It should be a matter of what those developers are allowed to do via the code interfaces.
But I was cutting them (the phpNuke core coders) slack because they have worked their asses off building something cool that they believe in. The people who really deserve criticism are the vanity krackers who deface all the phpNuke websites.
I'm glad other posters in this discussion have differentiated post-Nuke from phpNuke. I wasn't aware that the new generation CMS is safer. Still, when I get around to migrating my site to a new CMS, I'm going for something a little lower-profile than Nuke. I'd also like to obfuscate the paths so URL searches won't help krackers find my site on google if a vulnerability is found.
$5 / month hosted VPS on linux = awesome!
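The interface discipline the comment above argues for (and the unchecked-variable SQL injection mentioned earlier in the thread), as an added example that is not PostNuke or PHP-Nuke code: a core-owned database handle that is the only thing a module receives, with whitelisted identifiers and bound values, run against a constructed in-memory SQLite table. The class name, table and rows are assumptions for the demo.

```php
<?php
// Added example, not code from PostNuke or PHP-Nuke: a core-owned handle that
// is the only route from a module to the database. Modules never get the PDO
// object, identifiers are whitelisted and values are always bound. Runs
// against an in-memory SQLite table constructed below.
final class ModuleDb
{
    private PDO $pdo;
    private array $allowedTables;   // granted by the core when the module registers
    public function __construct(PDO $pdo, array $allowedTables)
    {
        $this->pdo = $pdo;
        $this->allowedTables = $allowedTables;
    }

    // Identifiers cannot be bound parameters, so they are validated, not escaped.
    private function identifier(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad identifier: $name");
        }
        return $name;
    }

    public function selectWhere(string $table, string $column, $value): array
    {
        if (!in_array($table, $this->allowedTables, true)) {
            throw new RuntimeException("module may not read table $table");
        }
        $sql = sprintf('SELECT * FROM %s WHERE %s = :v',
                       $this->identifier($table), $this->identifier($column));
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute([':v' => $value]);   // request data stays data, never SQL text
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed demo data (hypothetical table and rows).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE downloads (id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO downloads VALUES (1, 'postnuke.tar.gz'), (2, 'other.zip')");
$db = new ModuleDb($pdo, ['downloads']);

// An unchecked id of the kind the thread describes: concatenated into SQL it
// would alter the query; as a bound value it simply matches no row.
$rows = $db->selectWhere('downloads', 'id', $_GET['id'] ?? '1 OR 1=1');
printf("%d row(s) returned\n", count($rows));

// Tables the core did not grant are refused before any SQL is built.
try { $db->selectWhere('users', 'id', 1); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```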
of saying something I'd say. Well close enough.
I think this has more to do with PostNuke being ass, and a lot less with any inherent flaw in open source itself.
Game... blouses.
Could anyone post a list of websites which might have downloaded and installed that backdoor so we could avoid posting any sensitive information there until we know for sure that the problem has already been resolved?
.know how to n. oh forget it.
:)
Yes. And while we are at it, can someone post the bank safe combinations for all the banks with safes so we.... er...
Nice try
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
Post Nuke is a REALLY good CMS system. In fact it is one of the best I have used.
For those of you that haven't used this system, or who talk negatively about it, I think you should try it out.
It's more complex than many other CMS systems, and requires a degree of website design skills. I wouldn't recommend another system.
PostNuke.com wasn't using the PostNuke downloads section and it suffered. I am sorry to see the bad press.
I would challenge anyone to find a better document management solution than PostNuke+pagesetter.
Also the security of PostNuke is extremely good.
Lastly, people here complain about PHP as being a poor language to work in. The ignorance of these statements is sad. I really wish these people had a firm grasp of php + smarty, and phpADO.
Sorry, but I fear Java code more than I will ever worry about php. Plus, no other language for the web supports the sheer number of open source applications that PHP does.
I love Drupal!
In addition... PHPNuke and PostNuke don't even share the same code.
Sorry but that's not ironic. You would expect that if any unknown backdoors existed in a closed-source application that they would be found when the source was opened -- that's just common sense. Irony is hard to describe but typically applies when something unexpected happens.