Slashdot Mirror
PostNuke Open Source CMS Attacked
ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."
this is offtopic but, why does it seem on this site whenever anyone supports a cause that could be even remotely contensious they are labeled a zealot?
Monstar L
and how can we be sure that closed source software doesn't contain backdoors? open the source!
And M$ software does not contain any backdoors? If M$ and the (rest) of the proprietary/closed-source/hood-welded-shut consortium is going ot make accusations of this nature, they should be able to back up their stance with, at the very least, an opposite and proveable condition in their own software.
They have a very attractive website but this is the first I have ever heard of them, and try as I might I hunted high and low for a short, snappy answer to the questions of who are these people and what do they do? A link saying "about us" or a short paragraph explaining what they do would be a help. If I spent a bit more time there and trawled through the many articles I may have eventually figured it out, but my frustration threshold had already been passed and I had moved along.
Drill baby drill - on Mars
Developers free software content management system PostNuke security announcement vulnerability download management software attacker hacked PostNuke download. Version PostNuke download site Sunday GMT Tuesday GMT. Proprietary software zealots open source contain backdoors.
All I'm asking is can I get a Beowulf cluster of dat.
vicious, untreated political sewage...niche entertainment for the spiritually unattractive...worshipless pap
I prefer the backdoors that I can see and deal with to the ones I cannot.
How can this be to do with proprietry software and open source if it wasn't PhpNuke that was the cause of the vunerability but a poorly written download management tool?
...?
From what I can see paFileDB isn't 'open source' (though it's source is viewable, it's not licensed under a generally recognised Open Source License).
- Sadiq
http://www.syswear.com/ - Geek t-shirts
Wasn't there a company recently that basically had anonymous FTP access to its corporate servers for over a year? I think it might have been Diebold, a security company. Anyway, security is becoming a pissing match between OSS and proprietary software. All software more than two lines of code has security holes. All software has flaws, be it OSS or proprietary. Why is it such a big deal when one type of software has an issue such as this? The only real issue is when a piece of software or a company has a history of producing software with crappy security. Even then, it does not mean their choice of OSS v. proprietary is bad or wrong, just that they suck at security. E.g. Microsoft has a good process, but their products suck at security. BIND is a perfect OSS example of crappy security. Does that make one process better? No, I do not think so.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
And while that's not so bad, customers often don't understand its security mechanisms so they leave lots of folders writable as well.
Pretty embarrassing for $25K per CPU...
8 of 13 people found this answer helpful. Did you?
Proprietary software zealots? Huh? I've seen plenty of open source zealots, where zealot is defined (dictionary.com) as "A fanatically committed person." I've never seen anyone be fanatic about proprietary software. I've seen plenty of people say "I make money with proprietary software so that's why I do it," but never someone holding it up as a near-religious institution like the majority of OSS folks. Not that I'm saying it's bad to be an OSS zealot, but like so many things on slashdot, the person who submitted the article is mis-using a buzzword. How can a community that gets so pissed off about people putting i- and e- in front of things, be so accepting of cultivating our own pile of buzzwords and overusing them.
And before you bother with the standard joke, no, I'm not new here
When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.
It's a short hop to realizing that the problems we're experiencing with exploits, virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.
Many experts believe should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.
It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The beauty is that now that the vulnerability is known, there are already people out there working to fix it.
No software really 100% secure. They may always have some bugs or vulnerabilities. The cool thing about Open Source is that these vulnerabilities are quickly identified and patched, simply because the information is not proprietary. Compared this to Microsoft where some person finds an exploit, or when suddenly computers start getting slammed by a new virus that exploits a new vulnerability. In this case, the vulnerability is known, but it takes them a while to come up with a response.
I don't see how this means that open source software is most likely to have backdoors. {/tinfoil hat on} I'd be more afraid about some corporation has a backdoor in their software that allows them to get my information. What is there to stop them from doing that? Isn't their code proprietary? Who can look at it? They can deny it, but how will the prove it short opening their proprietary source? {/tinfoil hat off}. So saying that Open Source is the most likely to cointain backdoors is a ridiculous proposition. Yes it may, but by its very nature, open source code is open to inspection and it doesn't take someone long to notice a backdoor and make it known to the community.
Vivin Suresh Paliath
http://vivin.net
I like
NSA_KEY
Even better would be if GNU tar supported such signatures automatically. For example if file extension was "tar.pgp", it could force checking the signature, and if it wasn't found or it was invalid, it wouldn't do anything. That way I wouldn't ever have to think about verifying it - I could see from the file name that it should be valid (of course, getting the trusted pgp keys might require more work..). Oh, and of course the .tar.pgp would be backwards compatible with standard tar, they would just contain some extra "checksum.pgp" file or something.
Wouldn't -any- form of downloadable software be vulnerable to this? It seems to me the issue here isn't that the software is open source so much as that the software is downloadable. Proprietary versions of a product can also be hacked. It's just that distributing the software via shinkwrap (mostly) prevents hackers from inserting a hack into the product, not the fact that the software is proprietary. It's true that open source products tend to be downloadable more often than proprietary products, but it's not their "open sourciness" that makes them vulnerable to this particular problem, just their downloadableness.
I hope that after I die the one word people use to describe me is "resurrected."
You must be new here.
Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
This would not have happend and would have been detected if the packages were signed. Maybe it's time for the open-source comunity to think in a standard way to sign tar files. A standard way that would be checked by the tar program it self.
you get a tar ball, tar verifys that this tar is signed, it checks the signature with either a local or remote public key. If it matches it prints out the name and email for witch the signature is valid. If those match with the developer you're safe (well at least if you trust the developer himself).
Why tar? Because we need a sign for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usualy already signed by the distribuition.
[]'s Victor Bogado da Silva Lins
^[:wq
The vulnerability in this case was in the non-free download utility. Woops.
AnimeNEXT anime convention
You must have never gone to a .NET developer meeting. A few people in the CIS dept (the business side of IT, not the engineering folk) had such a club going, which I attended a few times for the free food, tshirts, copy of WinXP, copy of Dev Studio, etc.
These guys would claim Microsoft had invented the Sun, and should be worshipped for such an achievement. It really was interesting to observe.
At one point I won a door prize of my pick between several "writing secure code" books by MS Press. I said if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from... everyone just stared at me slack jawed.
no comment
Yeah, those people calling free software a "cancer", unAmerican, and free software users "thieves". The people who put up Steve Barkto and continue their efforts with people like you. They are constantly going on about "fairness", "balance" and all that while themselves post the most vile garbage and run shakedowns like the BSA and SCO, which threaten and ruin people and businesses. They have even sued school systems. Not content to look bad in the media, they have purchased NBC! That's some of the most self righteous stuff out there. If that's not fanatically committed, what is?
Yet you would compare greedy jerks like that to people who expect no financial reward for their code or those who notice that free software is generally better than non free software? OK.
Of course, it does not work. People and companies are judged by what they do, not what they say.
Friends don't help friends install M$ junk.
I remember several SQL injection exploits for PHPNuke that seemed to be widely deployed in the script kiddie community. I am not sure if the underlying reason these packages are so vulnerable is pure sloppy programming (which seems to be present in a fair number of random PHP scripts out there - I won't comment on PostNuke in particular since I don't know it), the fact that they try to do so much functionality-wise leading to a lot of under-tested, under-reviewed code, or that they tend to be modular in nature, with lots of third party developers writing modules that end up getting widely deployed by users of the CMS, and thus being of more variable quality than you would expect if every checking was reviewed at least somewhat centrally by the core developers.
So in short, it's more likely a function of there being a lot of crappy code with obvious exploits in it AND that code being Open Source, however you explain that crappy code being there in the first place.
Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?
Mr. Matzan, I question why the editors would accept a submission by you that was nothing but copy-and-pasting the first paragraph out of your article on News Forge into the Slashdot submission box.
Regardless, I object to the assertion you've made above. No respected person, zealot or otherwise, has ever said that "open source programs are likely to contain backdoors." The article you cite for this assertion is Steve Lipner of Microsoft making some observations about the difficulty of security, and and contrasting the security process behind open and closed source software. His claims may be questionable, but they are serious and they do deserve a meaningful response. Dismissing those claims by building snarky little strawman through mischaracterization is not the response they deserve.
A site is responsible for distributing an application based on a platform that's been a script kiddie playground for years now.
The site gets its source code respositories compromised.
The site's maintainers apparently don't verify any MD5 checksums on a regular basis.
The general public knownigly downloads said compromised source code without verifying any MD5 checksums either.
Boy oh boy. I thought Windows "experts" were clueless.
... for a particular CMS system? PHP-Nuke, Xoops, PostNuke? Any others that may not have these exploits? Just wondering what people out there are using/have used.
No
I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there are an army of Brazillian script kiddies who constantly search for susceptible websites.
I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unweildly to apply or go unsupported.
$5 / month hosted VPS on linux = awesome!
I love how the news sites always use the term "attacker". We all know it was Doug, you know it and I know it. And thanks a lot Doug! You jerk!
--I'm not talking about dance lessons. I'm talking about putting a brick through the other guy's windshield.-
Dangerous Dianic d00dz
Degenerate Druidic Desperadoes
Angry Asinine Animists
Oily Ogling Odinists
there ya go, let no man feel left behind!
OSS critics fail to realize that Open Source refers to the style of lisence that the software has. Open Source is not really a "brand" like Microsoft.
This particular software may not be extremely well written. It just so happens the authors decided to GPL it, making it Open Source. Just sticking a lisence on the software and revealing the source code doesn't magically make it good or bad.
There are plenty of bad programs released under the GPL, just like there are plenty of bad closed-source products out there.
"You spoony bard!" -Tellah
But aside from all that, what have the Romans ever done for us?
Black and grey are both shades of white.
I'm guessing it is Microsoft Content Management Server.
Who else but Microsoft could get a PHB to fork over 25 large for a CMS that is no more capable than some of the free ones out there? Also, the phrases "World Readable" and "Word Writable by default" smell of old Microsoftware.
PostNuke was split from the PHPNuke code a few years ago and they have gone very different ways. PostNuke is much more secure and better coded. It is also truly open source, unlike PHPNuke's pay-to-get-the-latest-version scheme.
Reading the article you may wish to note the fact that the Postnuke software package does not contain the exploit. It was the download management software they use to distribute the package called Postnuke that was exploited.
Simply put what was exploited was not not code contained within postnuke but instead a package called pafiledb.
It would seem everyone is saying its the Postnukes teams fault. If your going to jump someones case you should actually go after the developers of PHPArena.