Slashdot Mirror

← Back to Stories (view on slashdot.org)

PostNuke Open Source CMS Attacked

Posted by michael on from the ruh-roh-shaggy dept.

ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."

14 of 300 comments (clear)

  1. You gotta love biased terms by antifoidulus · · Score: 5, Interesting

    this is offtopic but, why does it seem on this site whenever anyone supports a cause that could be even remotely contensious they are labeled a zealot?

    --
    Monstar L
    1. Re:You gotta love biased terms by caseydk · · Score: 5, Insightful


      Because if you can label them something bad (racist, homophobe, zealot, nutball, nazi, commie, etc), then you can promptly dismiss their argument without addressing it.

  2. and closed source? by parawing742 · · Score: 5, Insightful

    and how can we be sure that closed source software doesn't contain backdoors? open the source!

    1. Re:and closed source? by tgma · · Score: 4, Insightful

      Exactly - isn't the point that with an open source project, with a team of developers and users, this backdoor was identified within a couple of days? Whereas with a closed source project, the problem could have gone unnoticed for some time.

      Or worse, it could have been noticed, and left unmentioneded, in the hope that no one would notice, and it would go away by itself. You don't hear about open source projects using the DMCA to get whisteblowers to shut up, do you?

    2. Re:and closed source? by acidblood · · Score: 4, Insightful

      Actually, we have an example where a backdoor on a closed source software went unnoticed for a long time. It was only found when, ironically, the software was open-sourced. Story here.

      --

      Join the NFSNET. Our prime goal is making little numbers out of big ones. http://www.nfsnet.org/

  3. Friend or Foe by jbrelie · · Score: 5, Insightful

    I prefer the backdoors that I can see and deal with to the ones I cannot.

    1. Re:Friend or Foe by Anonymous Coward · · Score: 5, Funny
      I prefer the backdoors that I can see and deal with to the ones I cannot.


      Must... resist... goatse... troll...

  4. Wait wait... by SysWear · · Score: 5, Interesting

    How can this be to do with proprietry software and open source if it wasn't PhpNuke that was the cause of the vunerability but a poorly written download management tool?

    From what I can see paFileDB isn't 'open source' (though it's source is viewable, it's not licensed under a generally recognised Open Source License).

    ...?

    - Sadiq
    http://www.syswear.com/ - Geek t-shirts

  5. Article submitter: -1, troll by MustardMan · · Score: 4, Insightful

    Proprietary software zealots? Huh? I've seen plenty of open source zealots, where zealot is defined (dictionary.com) as "A fanatically committed person." I've never seen anyone be fanatic about proprietary software. I've seen plenty of people say "I make money with proprietary software so that's why I do it," but never someone holding it up as a near-religious institution like the majority of OSS folks. Not that I'm saying it's bad to be an OSS zealot, but like so many things on slashdot, the person who submitted the article is mis-using a buzzword. How can a community that gets so pissed off about people putting i- and e- in front of things, be so accepting of cultivating our own pile of buzzwords and overusing them.

    And before you bother with the standard joke, no, I'm not new here

  6. Why the packages weren't signed? by bogado · · Score: 5, Insightful

    This would not have happend and would have been detected if the packages were signed. Maybe it's time for the open-source comunity to think in a standard way to sign tar files. A standard way that would be checked by the tar program it self.

    you get a tar ball, tar verifys that this tar is signed, it checks the signature with either a local or remote public key. If it matches it prints out the name and email for witch the signature is valid. If those match with the developer you're safe (well at least if you trust the developer himself).

    Why tar? Because we need a sign for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usualy already signed by the distribuition.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

    1. Re:Why the packages weren't signed? by Stinking+Pig · · Score: 4, Insightful

      you mean like rpm or deb do?

      Anyway, signatures don't solve the problem if the build system is hacked, because it's the trojaned code that gets signed.

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
  7. Re:PostNuke by Maestro4k · · Score: 5, Insightful
    • PostNuke is one of the most common content management systems out there. Not to flame or anything, but if you've never heard of them the rock must have been very comfortable to be under.
    Those of us without a need for Content Mangament Systems certainly aren't hiding under any rocks. To give a real-life example I'm sure most people here would have no clue what the program Smartr is for, simply because they have no need to do bus routing. Does that mean they were hiding under a rock oblivious to the world?
  8. Re:Article submitter: -1, troll by zapp · · Score: 4, Funny

    You must have never gone to a .NET developer meeting. A few people in the CIS dept (the business side of IT, not the engineering folk) had such a club going, which I attended a few times for the free food, tshirts, copy of WinXP, copy of Dev Studio, etc.

    These guys would claim Microsoft had invented the Sun, and should be worshipped for such an achievement. It really was interesting to observe.

    At one point I won a door prize of my pick between several "writing secure code" books by MS Press. I said if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from... everyone just stared at me slack jawed.

    --
    no comment
  9. nuke has dozens of exploits by SethJohnson · · Score: 4, Interesting



    I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there are an army of Brazillian script kiddies who constantly search for susceptible websites.

    I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unweildly to apply or go unsupported.

    --
    $5 / month hosted VPS on linux = awesome!