Re: [school-discuss] insecurity



Hiya,

None of the argumentation below is a reason *not* to put educational modules in PostNuke (though, assuming the information is current, it *is* a reason for the designers of PostNuke to improve security).

-- Stephen

Michael Shigorin wrote:
> On Wed, Sep 21, 2005 at 06:37:37AM -0400, William Fragakis wrote:
> > If there are any PostNuke (CMS) users out there, we have added
> > a number of educational modules to our installation plus a
> > number of good core PostNuke modules.
>
> NOOOOOOOOOOOOOOOOO
>
> Don't invest your time in that... even if it's behind a perimeter
> firewall, there'll always be at least a single kind soul to read
> bugtraq@ faster than you, even if lazy enough to dig up the code
> to discover some new breaches in it.
>
> PostNuke has a better security record than PHPNuke, but that's it.
> We had to explicitly ban *Nuke and phpbb2 from our free software
> hosting by a rule due to way too many problems with not patching
> those fast enough.
>
> Sorry to say that but better informed than caught fire.
>
> We've migrated linux.kiev.ua from PHPNuke to TYPO3 not only
> searching for something more like a platform to build upon --
> in fact Nuke was frozen (database access downgraded to r/o,
> SELECTs that is) due to another successful attack on it while
> we were already evaluating the options in background but had
> to jump out of that quicker than was intended.
>
> It was last year's summer; this year, we've had to bring
> openoffice.org.ua down (PostNuke site moved to our hosting)
> due to exactly the same reason.
>
> Folks, please -- check the scripts you decide to use as the
> platform at securityfocus.com, packetstormsecurity.nl,
> generally google up "$name security problem".
>
> It pays.


-- 
Stephen Downes  ~  Research Officer  ~  National Research Council Canada
http://www.downes.ca  ~  stephen@xxxxxxxxx         __\|/__ Free Learning