
Re: [school-discuss] insecurity



Stephen Downes wrote:
Hiya,

None of the argumentation below is a reason *not* to put educational modules in PostNuke (though, assuming the information is current, it *is* a reason for the designers of PostNuke to improve security).

-- Stephen


The below would be more helpful if it included reference to products worth adding educational modules to. TYPO3 solves a different set of problems than PostNuke. The "Nukes" did have abysmal security histories in the past; I haven't looked at them recently. Lots of recent security literature indicates more exploits at the application layer, with web applications being frequently targeted.


- cameron


Michael Shigorin wrote:

On Wed, Sep 21, 2005 at 06:37:37AM -0400, William Fragakis wrote:


If there are any PostNuke (CMS) users out there, we have added
a number of educational modules to our installation plus a
number of good core PostNuke modules.



NOOOOOOOOOOOOOOOOO

Don't invest your time in that... even if it's behind a perimeter
firewall, there'll always be at least a single kind soul to read
bugtraq@ faster than you, even if lazy enough to dig up the code
to discover some new breaches in it.

PostNuke has a better security record than PHPNuke, but that's it.
We had to explicitly ban *Nuke and phpbb2 from our free software
hosting by a rule due to way too many problems with not patching
those fast enough.

Sorry to say that but better informed than caught fire.

We've migrated linux.kiev.ua from PHPNuke to TYPO3 not only searching for something more like a platform to build upon -- in fact Nuke was frozen (database access downgraded to r/o,
SELECTs that is) due to another successful attack on it while
we were already evaluating the options in background but had to jump out of that quicker than was intended.


It was last year's summer; this year, we've had to bring
openoffice.org.ua down (PostNuke site moved to our hosting)
due to exactly the same reason.

Folks, please -- check the scripts you decide to use as the
platform at securityfocus.com, packetstormsecurity.nl,
generally google up "$name security problem".

It pays.





--
Stephen Downes  ~  Research Officer  ~  National Research Council Canada
http://www.downes.ca  ~  stephen@xxxxxxxxx         __\|/__ Free Learning