Slashdot Mirror

← Back to Stories (view on slashdot.org)

PostNuke Open Source CMS Attacked

Posted by michael on from the ruh-roh-shaggy dept.

ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."

8 of 300 comments (clear)

  1. You gotta love biased terms by antifoidulus · · Score: 5, Interesting

    this is offtopic but, why does it seem on this site whenever anyone supports a cause that could be even remotely contensious they are labeled a zealot?

    --
    Monstar L
    1. Re:You gotta love biased terms by caseydk · · Score: 5, Insightful


      Because if you can label them something bad (racist, homophobe, zealot, nutball, nazi, commie, etc), then you can promptly dismiss their argument without addressing it.

  2. and closed source? by parawing742 · · Score: 5, Insightful

    and how can we be sure that closed source software doesn't contain backdoors? open the source!

  3. Friend or Foe by jbrelie · · Score: 5, Insightful

    I prefer the backdoors that I can see and deal with to the ones I cannot.

    1. Re:Friend or Foe by Anonymous Coward · · Score: 5, Funny
      I prefer the backdoors that I can see and deal with to the ones I cannot.


      Must... resist... goatse... troll...

  4. Wait wait... by SysWear · · Score: 5, Interesting

    How can this be to do with proprietry software and open source if it wasn't PhpNuke that was the cause of the vunerability but a poorly written download management tool?

    From what I can see paFileDB isn't 'open source' (though it's source is viewable, it's not licensed under a generally recognised Open Source License).

    ...?

    - Sadiq
    http://www.syswear.com/ - Geek t-shirts

  5. Why the packages weren't signed? by bogado · · Score: 5, Insightful

    This would not have happend and would have been detected if the packages were signed. Maybe it's time for the open-source comunity to think in a standard way to sign tar files. A standard way that would be checked by the tar program it self.

    you get a tar ball, tar verifys that this tar is signed, it checks the signature with either a local or remote public key. If it matches it prints out the name and email for witch the signature is valid. If those match with the developer you're safe (well at least if you trust the developer himself).

    Why tar? Because we need a sign for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usualy already signed by the distribuition.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  6. Re:PostNuke by Maestro4k · · Score: 5, Insightful
    • PostNuke is one of the most common content management systems out there. Not to flame or anything, but if you've never heard of them the rock must have been very comfortable to be under.
    Those of us without a need for Content Mangament Systems certainly aren't hiding under any rocks. To give a real-life example I'm sure most people here would have no clue what the program Smartr is for, simply because they have no need to do bus routing. Does that mean they were hiding under a rock oblivious to the world?