PostNuke Open Source CMS Attacked 300
ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."
You gotta love biased terms (Score:5, Interesting)
Re:You gotta love biased terms (Score:5, Insightful)
Because if you can label them something bad (racist, homophobe, zealot, nutball, nazi, commie, etc), then you can promptly dismiss their argument without addressing it.
Re:You gotta love biased terms (Score:2)
"Christian" and "right wing child-eating extremeists"
Re:You gotta love biased terms (Score:3, Funny)
Boy, that's a whole lotta redundancy...
Re:You gotta love biased terms (Score:3, Funny)
It also has some really bad spelling. Leave it to the left-wing pillow-biting tree huggers to leave literacy for the golden arches of welfare.
Sorry. I just had to say it. :-)
Re:also... (Score:2)
Re:also... (Score:2, Funny)
Degenerate Druidic Desperadoes
Angry Asinine Animists
Oily Ogling Odinists
there ya go, let no man feel left behind!
Re:also... (Score:3, Funny)
Re:You gotta love biased terms (Score:2, Funny)
Pfft! I don't have to listen to your explanation, you freaky nutjob!
Re: (Score:2)
and closed source? (Score:5, Insightful)
Re:and closed source? (Score:2, Funny)
Re:and closed source? (Score:5, Insightful)
Or worse, it could have been noticed, and left unmentioneded, in the hope that no one would notice, and it would go away by itself. You don't hear about open source projects using the DMCA to get whisteblowers to shut up, do you?
Re:and closed source? (Score:5, Insightful)
Re:and closed source? (Score:3, Insightful)
It's not the fast identification that's the most important, it's the fast solution that is, and no company with closed sources can do that faster and better than the OSC (i.e. open source commnunity).
Re:and closed source? (Score:3, Funny)
Well no. But the open source crowd claim to be better and more efficient at many things. Perhaps they are better at dealing the whistlebowers as well. Perhaps, with a little bit of investi$%@#+++carrier lost
Re: (Score:2)
Re:and closed source? (Score:3, Insightful)
We don't, and to make it worse we likely wouldn't find out about an attack like this directly from the company involved. Companies are notoriously wary of even reporting breakins to the FBI because it would look bad to their shareholders. Given that, if the same scenario happenned with a publicly held company selling a closed-source product, would they even bother to notify those who'd downlaoded the trojane
Backdoor.... (Score:4, Insightful)
Shhhh (Score:3, Informative)
Re:Backdoor.... (Score:3, Informative)
Perhaps I'm being over-literal; "proof" is a very, very high standard which almost nothing ever lives up to. Even if the code doesn't contain obviously:
if(password == guess || guess == "b4ckd00r")) {
there are a million ways for a clever programmer to insinuate a back door that would survive substantial scrutiny.
You don't need me to rehash the various security advantages of closed vs. open source; th
Re:Backdoor.... (Score:2, Insightful)
Oh come on, that's an argument you would expect from a 3 year old ("but he hit me, too, mommy, I swear"), even if there were proof (is there?) that Microsoft software contained backdoors, that _can not_ be the constant to measure Open Source.
Stop letting Microsoft dictate what's ok and what's not!
And cut that "M$" crap, I'm sure someone can point you to the corresponding PA-strip.
Re:Backdoor.... (Score:3, Informative)
Considering the fact that most software at MS gets audited internally by completely seperated teams, and a lot of software gets addition audits by a third partys (MS is one of @Stakes customers), I would conclude that it is at least as unlikely that a backdoor exist in MS software as it would most any OSS project.
Additionally, as already mentioned, many backdoors are carefully hidden, therefore limiting the potential benefit of having lots of people casually
Re:Backdoor.... (Score:3, Informative)
PostNuke (Score:3, Interesting)
Re:PostNuke (Score:2, Informative)
Re:PostNuke (Score:5, Insightful)
-
PostNuke is one of the most common content management systems out there. Not to flame or anything, but if you've never heard of them the rock must have been very comfortable to be under.
Those of us without a need for Content Mangament Systems certainly aren't hiding under any rocks. To give a real-life example I'm sure most people here would have no clue what the program Smartr is for, simply because they have no need to do bus routing. Does that mean they were hiding under a rock oblivious to the world?Re:PostNuke (Score:2)
Re:PostNuke (Score:3, Insightful)
Re:PostNuke (Score:2)
Re:PostNuke (Score:2)
As for PHP, the more I use it the more I like Perl.
Re:PostNuke (Score:2)
I'd rank PHP about the same as old-style ASP. ASP certainly has some advantages over PHP, like ActiveX, Active Script, and (oddly enough for a Microsoft Product) API stability. And, the build process for PHP always made me seriously question the PHP developer's abilities.
But, I'll grant that open source and wide adoption does have advantages. For a site like yahoo with "smart coders" doing the difficult lifting in a real language while the
Re:PostNuke (Score:2, Informative)
Re:PostNuke (Score:2, Interesting)
The Nuke variants are all designed to be highly modular portalware, but in my opinion, the modules and indeed some of the core components vary widely in programming quality.
But this is a huge, diverse software package and it has plenty of lines of code to represent both the best and worst of open source.
Re:PostNuke (Score:2)
On of the very first things we did was to redirect those horrible navigation urls. That alone was key in allowing to google spider the site better. (Redirection doubled our google traffic... so get rid of those horrible argument-based urls!)
php-nuke, post-nuke, and similiar systems will get a lot of bad rap here. I never understand that. They
Buzzword Report! (Score:3, Funny)
All I'm asking is can I get a Beowulf cluster of dat.
Friend or Foe (Score:5, Insightful)
Re:Friend or Foe (Score:5, Funny)
Must... resist... goatse... troll...
Wait wait... (Score:5, Interesting)
From what I can see paFileDB isn't 'open source' (though it's source is viewable, it's not licensed under a generally recognised Open Source License).
- Sadiq
http://www.syswear.com/ [syswear.com] - Geek t-shirts
Re:Wait wait... (Score:2, Interesting)
It has nothing whatsoever to do with proprietary Vs open source, and the addition of that incendiary flamebait in the submission was completely unnecessary trolling. Amazing how the majority of the comments thus far have been knee-jerk reactions with the chorus of the converted fervently preaching to their pewmates.
Proprietary No Better (Score:3, Insightful)
Wasn't there a company recently that basically had anonymous FTP access to its corporate servers for over a year? I think it might have been Diebold, a security company. Anyway, security is becoming a pissing match between OSS and proprietary software. All software more than two lines of code has security holes. All software has flaws, be it OSS or proprietary. Why is it such a big deal when one type of software has an issue such as this? The only real issue is when a piece of software or a company has a history of producing software with crappy security. Even then, it does not mean their choice of OSS v. proprietary is bad or wrong, just that they suck at security. E.g. Microsoft has a good process, but their products suck at security. BIND is a perfect OSS example of crappy security. Does that make one process better? No, I do not think so.
Not necessarily (Score:2)
Proprietary CMSes (Score:4, Insightful)
And while that's not so bad, customers often don't understand its security mechanisms so they leave lots of folders writable as well.
Pretty embarrassing for $25K per CPU...
Give us a name (Score:2)
Here is a name... (Score:3, Insightful)
Who else but Microsoft could get a PHB to fork over 25 large for a CMS that is no more capable than some of the free ones out there? Also, the phrases "World Readable" and "Word Writable by default" smell of old Microsoftware.
Article submitter: -1, troll (Score:4, Insightful)
And before you bother with the standard joke, no, I'm not new here
Re:Article submitter: -1, troll (Score:3, Insightful)
Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
Re:Article submitter: -1, troll (Score:2)
Ah, but Slashdot's double standards are Open Source!
Re:Article submitter: -1, troll (Score:5, Funny)
These guys would claim Microsoft had invented the Sun, and should be worshipped for such an achievement. It really was interesting to observe.
At one point I won a door prize of my pick between several "writing secure code" books by MS Press. I said if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from... everyone just stared at me slack jawed.
Re:Article submitter: -1, troll (Score:2)
CIS people are managers who generally learn everything they know about computers from Microsoft-sponsored developer meetings. It's an incestuous little relationship, much like the one between doctors and drug companies. It's not healthy for anyone but Microsoft, believe me.
Regardless, you should have taken one of the "writing secure code" books. Microsoft does employ some very smart people, and the Micro
nice of you to label yourself (Score:3, Insightful)
Yeah, those people calling free software a "cancer", unAmerican, and free software users "thieves". The people who put up Steve Barkto [essential.org] and continue their efforts with people like you. [wikipedia.org] They are constantly going on about "fairness", "balance" and all that while themselves post the [slashdot.org]
Re:nice of you to label yourself (Score:2)
Those people making all those ridiculous claims about free software being a cancer and unamerican... have a motive to do so, and it's not zealotry. Surprise, surprise, it's PROFIT. SCO doesn't badmouth linux because they are zealots, they badmouth it to make money. MS doesn't spread FUD because they believe their product is the path to shangri-la, they do it beca
Proprietary 'enthusiasts' (Score:2)
I'm a member of a Macromedia User Group and some of the people in it are pretty keen on their stuff. I think it's because of the cool stuff you can do with Macromedia software like video and dynamic data handling in Flash. Apple users are pretty keen too.
I dislike the term 'zealot' though. I would say 'enthusiast.' The term 'zealot' is just a blatent piece of invective designed to denounce someone, like a recent Fox News article that refered
Re:Proprietary 'enthusiasts' (Score:2)
There's a big difference between being a Macromedia zealot and being a proprietary software zealot. Lots of people Like linux because it's linux. Lots of people also like linux primarily because it's open source. I'm guessing not many people like Macromedia specifically because it's proprietary.
Re:Article submitter: -1, troll (Score:2)
Raise the bar. (Score:3, Insightful)
When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.
It's a short hop to realizing that the problems we're experiencing with exploits, virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.
Many experts believe should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.
It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?
Re:Raise the bar. (Score:2)
Oh, ay. And you try and tell the young people of today that, and they won't believe you!
Your argument fails itself (Mod Parent "WTF?") (Score:2)
In the next breath you decry VBScript access by poor programmers.
Then you finally propose limiting access to compilers using price or whatever.
This is not logically junct. The whole first-premise of foura-access having been subject to control by having an effective "entrance exam" of getting the code and compiling it, does nothing to support your later position that
Re:Raise the bar. (Score:2, Interesting)
what crack are you smoking? i dont remember ever compiling a damn thing in order to log into IRC via a vax terminal. I'm sure someone did somewhere, but it surely was not me. *cough, vax terminal* And yes this was pre web.
Yes, if only the internet was still just for elitest techies, with only 100 "qualified" programmers, then we would really have something.
This is a really stupid
Re:Raise the bar. (Score:3, Funny)
Re:Raise the bar. (Score:2)
-- Dr. Spock, stardate 2822.3.
Don't you mean Yoda?
If this is a joke I don't get, I apologize for my stupidity.
Yeah, me too. Considering Dr. Spock was a child development psychologist who wrote some books back in the 1960s (?). He had nothing to do with Stardates. That would be Mr. Spock, who was not a Dr.
The nature of Open Source (Score:2, Interesting)
No software really 100% secure. They may always have some bugs or vulnerabilities. The cool thing about Open Source is that these vulnerabilities are quickly identified and patched, simply because the information is not proprietary. Compared this to Microsoft where some person finds an exploit, or when suddenly computers start getting slammed by a new virus that exploits a new vulnerability. In this
Automated PGP checks! (Score:4, Insightful)
Even better would be if GNU tar supported such signatures automatically. For example if file extension was "tar.pgp", it could force checking the signature, and if it wasn't found or it was invalid, it wouldn't do anything. That way I wouldn't ever have to think about verifying it - I could see from the file name that it should be valid (of course, getting the trusted pgp keys might require more work..). Oh, and of course the .tar.pgp would be backwards compatible with standard tar, they would just contain some extra "checksum.pgp" file or something.
Re:Automated PGP checks! (Score:3, Insightful)
Every single popular software author should make sure they PGP sign their packages AND verify it automatically at least once a day. I've began doing this for my projects since irssi was backdoored a few years ago. A few different computers download and check the signature of the latest release every single day, and email me if anything went wrong.
Also, you can use GNU Arch [gnu.org], with signed archives. Then, every time you do a commit, your changeset will be signed and every time anyone checks out a copy of th
Downloadable Software (Score:4, Insightful)
Why the packages weren't signed? (Score:5, Insightful)
you get a tar ball, tar verifys that this tar is signed, it checks the signature with either a local or remote public key. If it matches it prints out the name and email for witch the signature is valid. If those match with the developer you're safe (well at least if you trust the developer himself).
Why tar? Because we need a sign for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usualy already signed by the distribuition.
Re:Why the packages weren't signed? (Score:5, Insightful)
Anyway, signatures don't solve the problem if the build system is hacked, because it's the trojaned code that gets signed.
Re:Why the packages weren't signed? (Score:2)
My point is that those packagers sign builds, binary packages. I am sugesting a standard way to sign sources, indepently from distribution and package system.
Today you can find the same program signed by diferent people, samba is signed in the RPM form by red hat, madrake, conectiva and probably
Re:Why the packages weren't signed? (Score:2)
Error in the artikle? (Score:2)
That's new to me, what I've read has always been the other way around, we have to worry about backdoors in closed source stuff, and that's by design!
paFileDB isn't Free Software (Score:2, Informative)
Content Management Systems (Score:3, Informative)
Re:Content Management Systems (Score:3, Interesting)
Xaraya [xaraya.com] is a fork of PostNuke, written by the people who forked PostNuke from PHPNuke (and who left the project en masse in August 2002, including myself).
Xaraya shares no code and little architecture with any CMS in the nuke family... it is somewhere between CMS and application framework.
"Proprietary software zealots"??? (Score:2)
Is it just me (Score:2)
Nothing to see here... (Score:3, Informative)
I remember several SQL injection exploits for PHPNuke that seemed to be widely deployed in the script kiddie community. I am not sure if the underlying reason these packages are so vulnerable is pure sloppy programming (which seems to be present in a fair number of random PHP scripts out there - I won't comment on PostNuke in particular since I don't know it), the fact that they try to do so much functionality-wise leading to a lot of under-tested, under-reviewed code, or that they tend to be modular in nature, with lots of third party developers writing modules that end up getting widely deployed by users of the CMS, and thus being of more variable quality than you would expect if every checking was reviewed at least somewhat centrally by the core developers.
So in short, it's more likely a function of there being a lot of crappy code with obvious exploits in it AND that code being Open Source, however you explain that crappy code being there in the first place.
Re:Nothing to see here... (Score:2)
So basically, you didn't read the article.
Re:Nothing to see here... (Score:2)
Looking at the paFileDb site, it is now clear that it's a standalone program and not a plugin at all. And in fact now that I've looked at the paFireDb web page it doesn't even look like it's Open Source either. The Newsforge article is much clearer about this than the announcement itself was, but I admit I didn't read that (usuall
Re:Nothing to see here... (Score:3, Informative)
PHP-Nuke is developed by one person who (in my opinion) has very werid ideas of open source and how things should be done. He's basically a one man team and doesn't want anyone else touching his baby. They consistantly find new bugs in PHPNuke's core modules.
PostNuke on the other hand is developed by a team of good, knowledgeable people. There have been very few exploits for the PostNuke core modules.
Of course, both these CM
Not what Lipner meant when he said "Trapdoor" (Score:4, Insightful)
Mr. Matzan, I question why the editors would accept a submission by you that was nothing but copy-and-pasting the first paragraph out of your article on News Forge into the Slashdot submission box.
Regardless, I object to the assertion you've made above. No respected person, zealot or otherwise, has ever said that "open source programs are likely to contain backdoors." The article you cite for this assertion is Steve Lipner of Microsoft making some observations about the difficulty of security, and and contrasting the security process behind open and closed source software. His claims may be questionable, but they are serious and they do deserve a meaningful response. Dismissing those claims by building snarky little strawman through mischaracterization is not the response they deserve.
Quick reaction (Score:2)
This security flaw was discovered in three days, unlike the security hole [bbc.co.uk] found in Microsoft Passport last year. From the article...
Levels of incompetence (Score:4, Funny)
A site is responsible for distributing an application based on a platform that's been a script kiddie playground for years now.
The site gets its source code respositories compromised.
The site's maintainers apparently don't verify any MD5 checksums on a regular basis.
The general public knownigly downloads said compromised source code without verifying any MD5 checksums either.
Boy oh boy. I thought Windows "experts" were clueless.
Postnuke caused me a credibility problem (Score:2)
Because of the editorial content that I did there - the accused used the crashing forums [and subsequent deletions of content] as a way to question my credibility as a source of reliable information.
It was also next to impossible to find content within the substrings of data - if you wanted to rebuild the crashed data.
Does anyone have a preference... (Score:2, Interesting)
Re:Does anyone have a preference... (Score:2)
Slash's main advantage is its security. There may be security bugs in Slash, but the last one we found in a major release was over two years ago. Of course the last major release we had was three years ago, so maybe that's not saying much. Seriously, we're good about security: we know where the pitfalls are and we write code with a careful eye for them.
Slash's second advantage is speed (we cache aggressively, write .shtml files, a
PHP is a waste of time. Use Plone/Zope/Python. (Score:2)
Plone runs on top of the Zope application server. Zope is quite secure, and it scales up reliably to manage huge web sites, like The Boston Globe [boston.com].
-Don
nuke has dozens of exploits (Score:5, Interesting)
I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there are an army of Brazillian script kiddies who constantly search for susceptible websites.
I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unweildly to apply or go unsupported.
Re:nuke has dozens of exploits (Score:2)
Re:nuke has dozens of exploits (Score:2)
Re:nuke has dozens of exploits (Score:2)
Drupal [drupal.org]
Plone [plone.org]
or Xaraya [xaraya.org]
check out freshmeat.net (Score:2)
There are plenty of alternatives. A quick search at freshmeat.net for CMS [freshmeat.net] reveals many when sorted by popularity. I'm still using nuke because I have too much content invested in the architecture to easily switch now. But Plone [plone.org] looks good to me. I suppose it mostly depends on what a publisher is looking for in features. I was originally attracted to phpNuke because of all the modules and huge development community. Now I've found that it's the modules that provide most of the security vulnerabilities, so I
Re:nuke has dozens of exploits (Score:2)
Geeklog [geeklog.net]
What's more, Geeklog makes security a priority. [geeklog.net]
Re:nuke has dozens of exploits (Score:3, Interesting)
I personally hate most CMS, because they're almost always created in the same pattern: design small CMS to post news article
Typical (Score:2, Funny)
PostNuke is the Easy Bake-Oven of CMS's (Score:2)
It's well known to be riddled full of security holes, it's horrible to maintain or extend, it looks and feels unprofessional, and it falls apart under pressure.
Kids, if you want a real content management system like grown-ups use, you should download Plone [plone.org]. It's high quality free open source software, it works great right out of the box, it's secure, and it cooks a lot better t
"Open Source" is a lisence, not a brand. (Score:3)
This particular software may not be extremely well written. It just so happens the authors decided to GPL it, making it Open Source. Just sticking a lisence on the software and revealing the source code doesn't magically make it good or bad.
There are plenty of bad programs released under the GPL, just like there are plenty of bad closed-source products out there.
PostNuke is _not_ PHPNuke (Score:3, Informative)
patches? (Score:2)
Re:A list of websites? (Score:2)
Yes... so we can avoid them...;)
So we can avoid them (Score:2)
Yes, so we can avoid them. There is nothing funny about that. The point is that all of them should be immediately shut down until the backdoors are closed and the issues are resolved.
Do you really think that it was an amateur script kiddie job? Do y