
Re: [school-discuss] insecurity (was: Postnuke)

On Wed, Sep 21, 2005 at 06:37:37AM -0400, William Fragakis wrote:
> If there are any PostNuke (CMS) users out there, we have added
> a number of educational modules to our installation plus a
> number of good core PostNuke modules.


Don't invest your time in that... even if it's behind a perimeter
firewall, there'll always be at least a single kind soul to read
bugtraq@ faster than you, even if lazy enough to dig up the code
to discover some new breaches in it.

PostNuke has a better security record than PHPNuke, but that's it.
We had to explicitly ban *Nuke and phpbb2 from our free software
hosting by a rule due to way too many problems with not patching
those fast enough.

Sorry to say that, but better informed than caught fire.

We've migrated linux.kiev.ua from PHPNuke to TYPO3 not only
searching for something more like a platform to build upon --
in fact Nuke was frozen (database access downgraded to r/o,
SELECTs that is) due to another successful attack on it while
we were already evaluating the options in the background but had
to jump out of that quicker than was intended.

It was last year's summer; this year, we've had to bring
openoffice.org.ua down (PostNuke site moved to our hosting)
due to exactly the same reason.

Folks, please -- check the scripts you decide to use as the
platform at securityfocus.com, packetstormsecurity.nl,
generally google up "$name security problem".

It pays.

 ---- WBR, Michael Shigorin <mike@xxxxxxxxxxx>
  ------ Linux.Kiev http://www.linux.kiev.ua/
 ----       visit our conference (Oct 1):
--          http://conference.osdn.org.ua