Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

PostNuke Open Source CMS Attacked 300

ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."
This discussion has been archived. No new comments can be posted.

PostNuke Open Source CMS Attacked

Comments Filter:
  • by antifoidulus ( 807088 ) on Tuesday October 26, 2004 @01:01PM (#10632839) Homepage Journal
    this is offtopic but, why does it seem on this site whenever anyone supports a cause that could be even remotely contensious they are labeled a zealot?
  • and closed source? (Score:5, Insightful)

    by parawing742 ( 646604 ) on Tuesday October 26, 2004 @01:01PM (#10632846) Homepage
    and how can we be sure that closed source software doesn't contain backdoors? open the source!
    • by reading EULA carefully, perhaps? :-)
    • by tgma ( 584406 ) on Tuesday October 26, 2004 @01:11PM (#10632972)
      Exactly - isn't the point that with an open source project, with a team of developers and users, this backdoor was identified within a couple of days? Whereas with a closed source project, the problem could have gone unnoticed for some time.

      Or worse, it could have been noticed, and left unmentioneded, in the hope that no one would notice, and it would go away by itself. You don't hear about open source projects using the DMCA to get whisteblowers to shut up, do you?
      • by acidblood ( 247709 ) <decio.decpp@net> on Tuesday October 26, 2004 @01:39PM (#10633263) Homepage
        Actually, we have an example where a backdoor on a closed source software went unnoticed for a long time. It was only found when, ironically, the software was open-sourced. Story here [slashdot.org].
      • by l3v1 ( 787564 )
        [...]with a team of developers and users, this backdoor was identified within a couple of days[...]

        It's not the fast identification that's the most important, it's the fast solution that is, and no company with closed sources can do that faster and better than the OSC (i.e. open source commnunity).

      • You don't hear about open source projects using the DMCA to get whisteblowers to shut up, do you?

        Well no. But the open source crowd claim to be better and more efficient at many things. Perhaps they are better at dealing the whistlebowers as well. Perhaps, with a little bit of investi$%@#+++carrier lost

      • and how can we be sure that closed source software doesn't contain backdoors? open the source!

      We don't, and to make it worse we likely wouldn't find out about an attack like this directly from the company involved. Companies are notoriously wary of even reporting breakins to the FBI because it would look bad to their shareholders. Given that, if the same scenario happenned with a publicly held company selling a closed-source product, would they even bother to notify those who'd downlaoded the trojane

  • Backdoor.... (Score:4, Insightful)

    by commo1 ( 709770 ) on Tuesday October 26, 2004 @01:03PM (#10632867)
    And M$ software does not contain any backdoors? If M$ and the (rest) of the proprietary/closed-source/hood-welded-shut consortium is going ot make accusations of this nature, they should be able to back up their stance with, at the very least, an opposite and proveable condition in their own software.
    • Shhhh (Score:3, Informative)

      by temojen ( 678985 )
      NSA_KEY
    • Re:Backdoor.... (Score:3, Informative)

      by jfengel ( 409917 )
      Provable? Really? When was the last time you saw any product proven secure, even with the source?

      Perhaps I'm being over-literal; "proof" is a very, very high standard which almost nothing ever lives up to. Even if the code doesn't contain obviously:

      if(password == guess || guess == "b4ckd00r")) { ... }

      there are a million ways for a clever programmer to insinuate a back door that would survive substantial scrutiny.

      You don't need me to rehash the various security advantages of closed vs. open source; th
    • Re:Backdoor.... (Score:2, Insightful)

      by MadMirko ( 231667 )
      And M$ software does not contain any backdoors?

      Oh come on, that's an argument you would expect from a 3 year old ("but he hit me, too, mommy, I swear"), even if there were proof (is there?) that Microsoft software contained backdoors, that _can not_ be the constant to measure Open Source.

      Stop letting Microsoft dictate what's ok and what's not!

      And cut that "M$" crap, I'm sure someone can point you to the corresponding PA-strip.
    • Re:Backdoor.... (Score:3, Informative)

      by tshak ( 173364 )
      And M$ software does not contain any backdoors?

      Considering the fact that most software at MS gets audited internally by completely seperated teams, and a lot of software gets addition audits by a third partys (MS is one of @Stakes customers), I would conclude that it is at least as unlikely that a backdoor exist in MS software as it would most any OSS project.

      Additionally, as already mentioned, many backdoors are carefully hidden, therefore limiting the potential benefit of having lots of people casually
    • Re:Backdoor.... (Score:3, Informative)

      by d_jedi ( 773213 )
      Considering Microsoft opens it's source to numerous governments, Nato, etc. I highly doubt it contains any backdoors.
  • PostNuke (Score:3, Interesting)

    by fiannaFailMan ( 702447 ) on Tuesday October 26, 2004 @01:04PM (#10632876) Journal
    They have a very attractive website but this is the first I have ever heard of them, and try as I might I hunted high and low for a short, snappy answer to the questions of who are these people and what do they do? A link saying "about us" or a short paragraph explaining what they do would be a help. If I spent a bit more time there and trawled through the many articles I may have eventually figured it out, but my frustration threshold had already been passed and I had moved along.
    • Re:PostNuke (Score:2, Informative)

      PostNuke is one of the most common content management systems out there. Not to flame or anything, but if you've never heard of them the rock must have been very comfortable to be under.
      • Re:PostNuke (Score:5, Insightful)

        by Maestro4k ( 707634 ) on Tuesday October 26, 2004 @01:21PM (#10633081) Journal
        • PostNuke is one of the most common content management systems out there. Not to flame or anything, but if you've never heard of them the rock must have been very comfortable to be under.
        Those of us without a need for Content Mangament Systems certainly aren't hiding under any rocks. To give a real-life example I'm sure most people here would have no clue what the program Smartr is for, simply because they have no need to do bus routing. Does that mean they were hiding under a rock oblivious to the world?
        • Depends if the title says "Smartr bus routing program". CMS was right in the title of the story, and isn't a strange acronym.
    • PostNuke is a popular fork of the more famous CMS, PHP-Nuke.

    • Re:PostNuke (Score:2, Informative)

      by pogofish ( 514289 )
      good god, it took forever to find what they're about. Who invented their navigation scheme, Rube Goldberg? Their about page is http://docs.postnuke.com/index.php?module=Static_D ocs&func=view&f=/aboutpn/whatispn.htm [postnuke.com]
      • Re:PostNuke (Score:2, Interesting)

        by jaysmall ( 547773 )
        Those URL arguments are, as I remember, mostly carryovers from PHP-Nuke.

        The Nuke variants are all designed to be highly modular portalware, but in my opinion, the modules and indeed some of the core components vary widely in programming quality.

        But this is a huge, diverse software package and it has plenty of lines of code to represent both the best and worst of open source.
      • At tech-recipes.com [tech-recipes.com] we have customized a version of php-nuke. Like most large systems like this, we have found a ton of security problems and navigation issues.

        On of the very first things we did was to redirect those horrible navigation urls. That alone was key in allowing to google spider the site better. (Redirection doubled our google traffic... so get rid of those horrible argument-based urls!)

        php-nuke, post-nuke, and similiar systems will get a lot of bad rap here. I never understand that. They
  • by OccidentalSlashy ( 809265 ) on Tuesday October 26, 2004 @01:05PM (#10632881)
    Developers free software content management system PostNuke security announcement vulnerability download management software attacker hacked PostNuke download. Version PostNuke download site Sunday GMT Tuesday GMT. Proprietary software zealots open source contain backdoors.

    All I'm asking is can I get a Beowulf cluster of dat.
  • Friend or Foe (Score:5, Insightful)

    by jbrelie ( 322599 ) on Tuesday October 26, 2004 @01:05PM (#10632887)
    I prefer the backdoors that I can see and deal with to the ones I cannot.
  • Wait wait... (Score:5, Interesting)

    by SysWear ( 825532 ) on Tuesday October 26, 2004 @01:06PM (#10632893)
    How can this be to do with proprietry software and open source if it wasn't PhpNuke that was the cause of the vunerability but a poorly written download management tool?

    From what I can see paFileDB isn't 'open source' (though it's source is viewable, it's not licensed under a generally recognised Open Source License).

    ...?

    - Sadiq
    http://www.syswear.com/ [syswear.com] - Geek t-shirts
    • Re:Wait wait... (Score:2, Interesting)

      by ergo98 ( 9391 )
      How can this be to do with proprietry software and open source...

      It has nothing whatsoever to do with proprietary Vs open source, and the addition of that incendiary flamebait in the submission was completely unnecessary trolling. Amazing how the majority of the comments thus far have been knee-jerk reactions with the chorus of the converted fervently preaching to their pewmates.
  • by The Snowman ( 116231 ) * on Tuesday October 26, 2004 @01:07PM (#10632905)

    Wasn't there a company recently that basically had anonymous FTP access to its corporate servers for over a year? I think it might have been Diebold, a security company. Anyway, security is becoming a pissing match between OSS and proprietary software. All software more than two lines of code has security holes. All software has flaws, be it OSS or proprietary. Why is it such a big deal when one type of software has an issue such as this? The only real issue is when a piece of software or a company has a history of producing software with crappy security. Even then, it does not mean their choice of OSS v. proprietary is bad or wrong, just that they suck at security. E.g. Microsoft has a good process, but their products suck at security. BIND is a perfect OSS example of crappy security. Does that make one process better? No, I do not think so.

  • Proprietary CMSes (Score:4, Insightful)

    by cerberusss ( 660701 ) on Tuesday October 26, 2004 @01:08PM (#10632919) Journal
    I know a certain proprietary portal/CMS that's often installed along with the rest of the middleware that customers get. I've never encountered an installation where the back end of the portal (where the items reside without any markup) wasn't world readable.

    And while that's not so bad, customers often don't understand its security mechanisms so they leave lots of folders writable as well.

    Pretty embarrassing for $25K per CPU...

  • by MustardMan ( 52102 ) on Tuesday October 26, 2004 @01:08PM (#10632927)
    Proprietary software zealots? Huh? I've seen plenty of open source zealots, where zealot is defined (dictionary.com) as "A fanatically committed person." I've never seen anyone be fanatic about proprietary software. I've seen plenty of people say "I make money with proprietary software so that's why I do it," but never someone holding it up as a near-religious institution like the majority of OSS folks. Not that I'm saying it's bad to be an OSS zealot, but like so many things on slashdot, the person who submitted the article is mis-using a buzzword. How can a community that gets so pissed off about people putting i- and e- in front of things, be so accepting of cultivating our own pile of buzzwords and overusing them.

    And before you bother with the standard joke, no, I'm not new here
    • You must be new here.

      Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
    • by zapp ( 201236 ) on Tuesday October 26, 2004 @01:25PM (#10633118)
      You must have never gone to a .NET developer meeting. A few people in the CIS dept (the business side of IT, not the engineering folk) had such a club going, which I attended a few times for the free food, tshirts, copy of WinXP, copy of Dev Studio, etc.

      These guys would claim Microsoft had invented the Sun, and should be worshipped for such an achievement. It really was interesting to observe.

      At one point I won a door prize of my pick between several "writing secure code" books by MS Press. I said if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from... everyone just stared at me slack jawed.
      • At one point I won a door prize of my pick between several "writing secure code" books by MS Press.

        CIS people are managers who generally learn everything they know about computers from Microsoft-sponsored developer meetings. It's an incestuous little relationship, much like the one between doctors and drug companies. It's not healthy for anyone but Microsoft, believe me.

        Regardless, you should have taken one of the "writing secure code" books. Microsoft does employ some very smart people, and the Micro
    • Proprietary software zealots? Huh? ... I've seen plenty of people say "I make money with proprietary software so that's why I do it," but never someone holding it up as a near-religious institution like the majority of OSS folks.

      Yeah, those people calling free software a "cancer", unAmerican, and free software users "thieves". The people who put up Steve Barkto [essential.org] and continue their efforts with people like you. [wikipedia.org] They are constantly going on about "fairness", "balance" and all that while themselves post the [slashdot.org]

      • At the risk of getting myself a YHBT reply, I will put some of my thoughts in a reply to this post, as several others have said similar things.

        Those people making all those ridiculous claims about free software being a cancer and unamerican... have a motive to do so, and it's not zealotry. Surprise, surprise, it's PROFIT. SCO doesn't badmouth linux because they are zealots, they badmouth it to make money. MS doesn't spread FUD because they believe their product is the path to shangri-la, they do it beca
    • I've never seen anyone be fanatic about proprietary software.

      I'm a member of a Macromedia User Group and some of the people in it are pretty keen on their stuff. I think it's because of the cool stuff you can do with Macromedia software like video and dynamic data handling in Flash. Apple users are pretty keen too.

      I dislike the term 'zealot' though. I would say 'enthusiast.' The term 'zealot' is just a blatent piece of invective designed to denounce someone, like a recent Fox News article that refered

      • I'm a member of a Macromedia User Group and some of the people in it are pretty keen on their stuff

        There's a big difference between being a Macromedia zealot and being a proprietary software zealot. Lots of people Like linux because it's linux. Lots of people also like linux primarily because it's open source. I'm guessing not many people like Macromedia specifically because it's proprietary.
  • Raise the bar. (Score:3, Insightful)

    by Sheetrock ( 152993 ) on Tuesday October 26, 2004 @01:09PM (#10632935) Homepage Journal
    I've been around the Internet for a long time -- since the early 90s in fact -- and am thus quite aware of the ruinous activities it has been subjected to by the typical user since then. You know, things like people popping into a random USENET group and treating it like a tech support line, or in the larger picture basically assuming the entire network is there to serve as some form of entertainment.

    When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.

    It's a short hop to realizing that the problems we're experiencing with exploits, virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.

    Many experts believe should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.

    It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?

    • Right! I had to get up in the morning, at ten o'clock at night, 'alf an hour before I went to bed, eat a lump of cold poison, work twenty-nine hours a day down mill and pay mill-owner for permission to come to work, and when we got 'ome, our dad would kill us and dance about on our graves, singing Hallelujah!

      Oh, ay. And you try and tell the young people of today that, and they won't believe you!

    • In one breath you say that the internet was better when people had to know how to use makefiles (programming tools) to gain access to foura.

      In the next breath you decry VBScript access by poor programmers.

      Then you finally propose limiting access to compilers using price or whatever.

      This is not logically junct. The whole first-premise of foura-access having been subject to control by having an effective "entrance exam" of getting the code and compiling it, does nothing to support your later position that
    • Re:Raise the bar. (Score:2, Interesting)

      by bigNuns ( 18804 )
      "...and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client."

      what crack are you smoking? i dont remember ever compiling a damn thing in order to log into IRC via a vax terminal. I'm sure someone did somewhere, but it surely was not me. *cough, vax terminal* And yes this was pre web.

      Yes, if only the internet was still just for elitest techies, with only 100 "qualified" programmers, then we would really have something.

      This is a really stupid
    • Plagarized, I have been! :-) Who is this 'Dr. Spock?' Know him, I do not...:-)
  • The beauty is that now that the vulnerability is known, there are already people out there working to fix it.

    No software really 100% secure. They may always have some bugs or vulnerabilities. The cool thing about Open Source is that these vulnerabilities are quickly identified and patched, simply because the information is not proprietary. Compared this to Microsoft where some person finds an exploit, or when suddenly computers start getting slammed by a new virus that exploits a new vulnerability. In this
  • by cras ( 91254 ) on Tuesday October 26, 2004 @01:11PM (#10632974) Homepage
    Every single popular software author should make sure they PGP sign their packages AND verify it automatically at least once a day. I've began doing this for my projects since irssi was backdoored a few years ago. A few different computers download and check the signature of the latest release every single day, and email me if anything went wrong.

    Even better would be if GNU tar supported such signatures automatically. For example if file extension was "tar.pgp", it could force checking the signature, and if it wasn't found or it was invalid, it wouldn't do anything. That way I wouldn't ever have to think about verifying it - I could see from the file name that it should be valid (of course, getting the trusted pgp keys might require more work..). Oh, and of course the .tar.pgp would be backwards compatible with standard tar, they would just contain some extra "checksum.pgp" file or something.

    • Every single popular software author should make sure they PGP sign their packages AND verify it automatically at least once a day. I've began doing this for my projects since irssi was backdoored a few years ago. A few different computers download and check the signature of the latest release every single day, and email me if anything went wrong.

      Also, you can use GNU Arch [gnu.org], with signed archives. Then, every time you do a commit, your changeset will be signed and every time anyone checks out a copy of th

  • by TrueJim ( 107565 ) on Tuesday October 26, 2004 @01:13PM (#10632997) Homepage
    Wouldn't -any- form of downloadable software be vulnerable to this? It seems to me the issue here isn't that the software is open source so much as that the software is downloadable. Proprietary versions of a product can also be hacked. It's just that distributing the software via shinkwrap (mostly) prevents hackers from inserting a hack into the product, not the fact that the software is proprietary. It's true that open source products tend to be downloadable more often than proprietary products, but it's not their "open sourciness" that makes them vulnerable to this particular problem, just their downloadableness.
  • by bogado ( 25959 ) <bogado.bogado@net> on Tuesday October 26, 2004 @01:16PM (#10633032) Homepage Journal
    This would not have happend and would have been detected if the packages were signed. Maybe it's time for the open-source comunity to think in a standard way to sign tar files. A standard way that would be checked by the tar program it self.

    you get a tar ball, tar verifys that this tar is signed, it checks the signature with either a local or remote public key. If it matches it prints out the name and email for witch the signature is valid. If those match with the developer you're safe (well at least if you trust the developer himself).

    Why tar? Because we need a sign for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usualy already signed by the distribuition.

    • by Stinking Pig ( 45860 ) on Tuesday October 26, 2004 @01:35PM (#10633222) Homepage
      you mean like rpm or deb do?

      Anyway, signatures don't solve the problem if the build system is hacked, because it's the trojaned code that gets signed.
      • Well I especifically mentioned those :

        Why tar? Because we need a sign for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usualy already signed by the distribuition.

        My point is that those packagers sign builds, binary packages. I am sugesting a standard way to sign sources, indepently from distribution and package system.

        Today you can find the same program signed by diferent people, samba is signed in the RPM form by red hat, madrake, conectiva and probably

  • Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?

    That's new to me, what I've read has always been the other way around, we have to worry about backdoors in closed source stuff, and that's by design!

  • by Anonymous Coward
    The vulnerability in this case was in the non-free download utility. Woops.
  • by echocharlie ( 715022 ) on Tuesday October 26, 2004 @01:22PM (#10633092) Homepage
    PostNuke [postnuke.com] was a fork of PHP-Nuke [phpnuke.org], which itself was a poor system to develop and maintain. It doesn't surprise me that this has happened to PostNuke despite their efforts to secure the system. I'm glad they discovered this relatively quickly though.

    • Xaraya [xaraya.com] is a fork of PostNuke, written by the people who forked PostNuke from PHPNuke (and who left the project en masse in August 2002, including myself).

      Xaraya shares no code and little architecture with any CMS in the nuke family... it is somewhere between CMS and application framework.

  • Wouldn't that be... the whole world, mostly?
  • Or does there seem to be a lot of sites with PHP implementations having security issues? I know that it's not the fault of the tool as much as the fault of the mechanic. But sheesh. To me it seems as if PHP is on par with Visual Basic in being a springboard for insecure code.
  • by Fnkmaster ( 89084 ) * on Tuesday October 26, 2004 @01:29PM (#10633156)
    These big Open Source CMS packages (PHPNuke and PostNuke in particular) seem to be extremely common targets of exploits. I don't think this is a function of being Open Source, since it specifically seems to apply to this type of software.


    I remember several SQL injection exploits for PHPNuke that seemed to be widely deployed in the script kiddie community. I am not sure if the underlying reason these packages are so vulnerable is pure sloppy programming (which seems to be present in a fair number of random PHP scripts out there - I won't comment on PostNuke in particular since I don't know it), the fact that they try to do so much functionality-wise leading to a lot of under-tested, under-reviewed code, or that they tend to be modular in nature, with lots of third party developers writing modules that end up getting widely deployed by users of the CMS, and thus being of more variable quality than you would expect if every checking was reviewed at least somewhat centrally by the core developers.


    So in short, it's more likely a function of there being a lot of crappy code with obvious exploits in it AND that code being Open Source, however you explain that crappy code being there in the first place.

    • Except that the exploit had nothing to do with exploiting PostNuke. The download manager (which is NOT PostNuke), was attacked, and the PostNuke file was switched with a modified version.

      So basically, you didn't read the article.
      • No, I did read the announcement and skimmed the linked SecurityFocus article, but I appear to have been mistaken as I inferred that paFileDb was a PostNuke plugin of some sort.

        Looking at the paFileDb site, it is now clear that it's a standalone program and not a plugin at all. And in fact now that I've looked at the paFireDb web page it doesn't even look like it's Open Source either. The Newsforge article is much clearer about this than the announcement itself was, but I admit I didn't read that (usuall

        • Postnuke is a fork of PHP-Nuke, but they hardly contain the same code anymore.

          PHP-Nuke is developed by one person who (in my opinion) has very werid ideas of open source and how things should be done. He's basically a one man team and doesn't want anyone else touching his baby. They consistantly find new bugs in PHPNuke's core modules.

          PostNuke on the other hand is developed by a team of good, knowledgeable people. There have been very few exploits for the PostNuke core modules.

          Of course, both these CM
  • by Karma Farmer ( 595141 ) on Tuesday October 26, 2004 @01:43PM (#10633311)
    Proprietary software zealots are always saying that open source programs are likely to contain backdoors [securityfocus.com], but is this situation truly what they mean when they say that?

    Mr. Matzan, I question why the editors would accept a submission by you that was nothing but copy-and-pasting the first paragraph out of your article on News Forge into the Slashdot submission box.

    Regardless, I object to the assertion you've made above. No respected person, zealot or otherwise, has ever said that "open source programs are likely to contain backdoors." The article you cite for this assertion is Steve Lipner of Microsoft making some observations about the difficulty of security, and and contrasting the security process behind open and closed source software. His claims may be questionable, but they are serious and they do deserve a meaningful response. Dismissing those claims by building snarky little strawman through mischaracterization is not the response they deserve.
  • This security flaw was discovered in three days, unlike the security hole [bbc.co.uk] found in Microsoft Passport last year. From the article...

    It is such an obvious error that it must have been noticed months, if not years, ago by people who decided that this was such a good trick they would not bother telling Microsoft.

    It is the sort of programming error that you would expect from a web developer fresh from college. And although it has now been fixed - so do not bother trying it at home - it has been there for

  • by gregarican ( 694358 ) on Tuesday October 26, 2004 @01:50PM (#10633389) Homepage
    How many levels can we progress? Lemme see:

    A site is responsible for distributing an application based on a platform that's been a script kiddie playground for years now.

    The site gets its source code respositories compromised.

    The site's maintainers apparently don't verify any MD5 checksums on a regular basis.

    The general public knownigly downloads said compromised source code without verifying any MD5 checksums either.

    Boy oh boy. I thought Windows "experts" were clueless.

  • My website in it's original form was done in PostNuke. I had a hack of a time getting the forums stable.

    Because of the editorial content that I did there - the accused used the crashing forums [and subsequent deletions of content] as a way to question my credibility as a source of reliable information.

    It was also next to impossible to find content within the substrings of data - if you wanted to rebuild the crashed data.

  • ... for a particular CMS system? PHP-Nuke, Xoops, PostNuke? Any others that may not have these exploits? Just wondering what people out there are using/have used.
    • I have a preference for Slash [slashcode.com], but then I'm kinda biased, I help write it.

      Slash's main advantage is its security. There may be security bugs in Slash, but the last one we found in a major release was over two years ago. Of course the last major release we had was three years ago, so maybe that's not saying much. Seriously, we're good about security: we know where the pitfalls are and we write code with a careful eye for them.

      Slash's second advantage is speed (we cache aggressively, write .shtml files, a

    • Plone [plone.org] is an excellent open source content management system written in Python, that's far better and more secure than anything written in PHP.

      Plone runs on top of the Zope application server. Zope is quite secure, and it scales up reliably to manage huge web sites, like The Boston Globe [boston.com].

      -Don

  • by SethJohnson ( 112166 ) on Tuesday October 26, 2004 @02:06PM (#10633610) Homepage Journal


    I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there are an army of Brazillian script kiddies who constantly search for susceptible websites.

    I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unweildly to apply or go unsupported.
  • Typical (Score:2, Funny)

    by Todd Fisher ( 680265 )
    I love how the news sites always use the term "attacker". We all know it was Doug, you know it and I know it. And thanks a lot Doug! You jerk!
  • PostNuke is the Easy-Bake Over [hasbro.com] of content management systems, that lets kids cook cute little cupcakes with a 60 watt lightbulb.

    It's well known to be riddled full of security holes, it's horrible to maintain or extend, it looks and feels unprofessional, and it falls apart under pressure.

    Kids, if you want a real content management system like grown-ups use, you should download Plone [plone.org]. It's high quality free open source software, it works great right out of the box, it's secure, and it cooks a lot better t

  • by Maul ( 83993 ) on Tuesday October 26, 2004 @02:46PM (#10634107) Journal
    OSS critics fail to realize that Open Source refers to the style of lisence that the software has. Open Source is not really a "brand" like Microsoft.

    This particular software may not be extremely well written. It just so happens the authors decided to GPL it, making it Open Source. Just sticking a lisence on the software and revealing the source code doesn't magically make it good or bad.

    There are plenty of bad programs released under the GPL, just like there are plenty of bad closed-source products out there.
  • by iammaxus ( 683241 ) on Tuesday October 26, 2004 @07:22PM (#10637190)
    PostNuke was split from the PHPNuke code a few years ago and they have gone very different ways. PostNuke is much more secure and better coded. It is also truly open source, unlike PHPNuke's pay-to-get-the-latest-version scheme.

"Facts are stupid things." -- President Ronald Reagan (a blooper from his speeach at the '88 GOP convention)

Working...