Slashdot Mirror
PostNuke Open Source CMS Attacked
ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."
this is offtopic but, why does it seem on this site whenever anyone supports a cause that could be even remotely contensious they are labeled a zealot?
Monstar L
and how can we be sure that closed source software doesn't contain backdoors? open the source!
And M$ software does not contain any backdoors? If M$ and the (rest) of the proprietary/closed-source/hood-welded-shut consortium is going ot make accusations of this nature, they should be able to back up their stance with, at the very least, an opposite and proveable condition in their own software.
Developers free software content management system PostNuke security announcement vulnerability download management software attacker hacked PostNuke download. Version PostNuke download site Sunday GMT Tuesday GMT. Proprietary software zealots open source contain backdoors.
All I'm asking is can I get a Beowulf cluster of dat.
vicious, untreated political sewage...niche entertainment for the spiritually unattractive...worshipless pap
I prefer the backdoors that I can see and deal with to the ones I cannot.
How can this be to do with proprietry software and open source if it wasn't PhpNuke that was the cause of the vunerability but a poorly written download management tool?
...?
From what I can see paFileDB isn't 'open source' (though it's source is viewable, it's not licensed under a generally recognised Open Source License).
- Sadiq
http://www.syswear.com/ - Geek t-shirts
And while that's not so bad, customers often don't understand its security mechanisms so they leave lots of folders writable as well.
Pretty embarrassing for $25K per CPU...
8 of 13 people found this answer helpful. Did you?
Proprietary software zealots? Huh? I've seen plenty of open source zealots, where zealot is defined (dictionary.com) as "A fanatically committed person." I've never seen anyone be fanatic about proprietary software. I've seen plenty of people say "I make money with proprietary software so that's why I do it," but never someone holding it up as a near-religious institution like the majority of OSS folks. Not that I'm saying it's bad to be an OSS zealot, but like so many things on slashdot, the person who submitted the article is mis-using a buzzword. How can a community that gets so pissed off about people putting i- and e- in front of things, be so accepting of cultivating our own pile of buzzwords and overusing them.
And before you bother with the standard joke, no, I'm not new here
When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.
It's a short hop to realizing that the problems we're experiencing with exploits, virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.
Many experts believe should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.
It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Even better would be if GNU tar supported such signatures automatically. For example if file extension was "tar.pgp", it could force checking the signature, and if it wasn't found or it was invalid, it wouldn't do anything. That way I wouldn't ever have to think about verifying it - I could see from the file name that it should be valid (of course, getting the trusted pgp keys might require more work..). Oh, and of course the .tar.pgp would be backwards compatible with standard tar, they would just contain some extra "checksum.pgp" file or something.
Wouldn't -any- form of downloadable software be vulnerable to this? It seems to me the issue here isn't that the software is open source so much as that the software is downloadable. Proprietary versions of a product can also be hacked. It's just that distributing the software via shinkwrap (mostly) prevents hackers from inserting a hack into the product, not the fact that the software is proprietary. It's true that open source products tend to be downloadable more often than proprietary products, but it's not their "open sourciness" that makes them vulnerable to this particular problem, just their downloadableness.
I hope that after I die the one word people use to describe me is "resurrected."
You must be new here.
Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
This would not have happend and would have been detected if the packages were signed. Maybe it's time for the open-source comunity to think in a standard way to sign tar files. A standard way that would be checked by the tar program it self.
you get a tar ball, tar verifys that this tar is signed, it checks the signature with either a local or remote public key. If it matches it prints out the name and email for witch the signature is valid. If those match with the developer you're safe (well at least if you trust the developer himself).
Why tar? Because we need a sign for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usualy already signed by the distribuition.
[]'s Victor Bogado da Silva Lins
^[:wq
-
PostNuke is one of the most common content management systems out there. Not to flame or anything, but if you've never heard of them the rock must have been very comfortable to be under.
Those of us without a need for Content Mangament Systems certainly aren't hiding under any rocks. To give a real-life example I'm sure most people here would have no clue what the program Smartr is for, simply because they have no need to do bus routing. Does that mean they were hiding under a rock oblivious to the world?AnimeNEXT anime convention
You must have never gone to a .NET developer meeting. A few people in the CIS dept (the business side of IT, not the engineering folk) had such a club going, which I attended a few times for the free food, tshirts, copy of WinXP, copy of Dev Studio, etc.
These guys would claim Microsoft had invented the Sun, and should be worshipped for such an achievement. It really was interesting to observe.
At one point I won a door prize of my pick between several "writing secure code" books by MS Press. I said if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from... everyone just stared at me slack jawed.
no comment
Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?
Mr. Matzan, I question why the editors would accept a submission by you that was nothing but copy-and-pasting the first paragraph out of your article on News Forge into the Slashdot submission box.
Regardless, I object to the assertion you've made above. No respected person, zealot or otherwise, has ever said that "open source programs are likely to contain backdoors." The article you cite for this assertion is Steve Lipner of Microsoft making some observations about the difficulty of security, and and contrasting the security process behind open and closed source software. His claims may be questionable, but they are serious and they do deserve a meaningful response. Dismissing those claims by building snarky little strawman through mischaracterization is not the response they deserve.
A site is responsible for distributing an application based on a platform that's been a script kiddie playground for years now.
The site gets its source code respositories compromised.
The site's maintainers apparently don't verify any MD5 checksums on a regular basis.
The general public knownigly downloads said compromised source code without verifying any MD5 checksums either.
Boy oh boy. I thought Windows "experts" were clueless.
I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there are an army of Brazillian script kiddies who constantly search for susceptible websites.
I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unweildly to apply or go unsupported.
$5 / month hosted VPS on linux = awesome!