[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [school-discuss] insecurity

PreScriptum for a bit overly long message:

- no offense intended both here and with "NOOO";
- functionality before security is quite risky approach;
- CMF choice is much more responsible than CMS choice.

Thanks everyone who followed up, and sorry if I seem/am harsh.

On Wed, Sep 21, 2005 at 05:16:34PM -0300, Stephen Downes wrote:
> None of the argumentation below is a reason *not* to put educational 
> modules in PostNuke (though, assuming the information is current, it 
> *is* a reason for the designers of PostNuke to improve security).

I've noted the difference between both Post/PHP nukes and
Internet/intranet (happen to know these a bit for several years).

When one's encouraging people to use raw SELECTs, one's _not_
anymore in position to improve security by doing virtually
anything to infrastructure.  It is about APIs which are so much
more convenient that folks don't do homegrown database work
without any sanity checks (or with insufficient ones).

On Wed, Sep 21, 2005 at 03:44:46PM -0600, cdmiller wrote:
> The below would be more helpful if it included reference to
> products worth adding educational modules to.

When I was at the university and hoped to have some learning
IT infrastructure deployed (we didn't really have any at chemical
faculty), I've looked at Moodle as an educational framework.

Don't recall it quite clearly, since there were many projects 
to look upon and things were busy along another direction later,
as we needed a framework for several community sites and there
was not much interest on the faculty after '2001 has graduated.

> TYPO3 solves a different set of problems than PostNuke.

Somewhat.  They both tend to be used as content management
platforms though, I know of several large-scale university
TYPO3 deployments.

BTW, runner-up in our internal "contest" was Drupal (and we
continue to monitor its development); friends use Mambo for
a bunch of projects (still we found it to be underengineered
in the area of structurizing content as well as actually
managing it).

May be worth looking at.

My point here is: when we choose a framework to build upon, it
might be worth more investigation than when choosing a mere CMS.

> The "Nukes" did have abysmal security histories in the past,
> I haven't looked at them recently.

The saga continues although the handling with PostN is way better
that the original "fixed in commercial version, I don't care"...
(also way less frequent troubles still I'm happy each time the
advisory just passes by -- no need to rush and patch; the same
with our Linux distro which is somewhat like OpenBSD -- "we've
got that rewritten properly 3 years ago")

On Wed, Sep 21, 2005 at 07:39:05PM -0400, William Fragakis wrote:
> I don't want to get into a stone throwing contest

These were not stones to throw (at least at you), this was an
alert to look at security track along with functionality.
It's quite bitter lesson to have learned after having substantial
amount of effort put into improper code :-(

> - I trust you are keeping up with Typo3's security bulletins

There were none concerning me in two years (two 3rd party
extension bugs this year -- for some 500 extensions), and there
was one minor one (corrected the same day) in ~3 preceding years
found in archives when evaluating our options.

It's used not only in universities (which can be quite an
aggressive environment, depending on policies and actual
enforcement thereof) but for some bank / defense contractors
systems too.

It's also 3rd generation of the platform by the same author, 
meaning complete rewrite based on experience gained, not
a fixed fork of student's play (again no offense, I'm quite
ashamed for my own student's days web software -- it has at least
one XSS known to me and still in production).

As the previous were commercial developments and this one was
intentionally made free (GPL, no strings attached like with eZ),
it's only worth adding that they do form developers', users' and
customers' community quite successfully (sorry for way to many
"me"s, but...  I participate in quite some free software
projects, some of them large-scale enough to see the problems
arising from improper community relations handling quite

> as I do PostNuke's.

I read Slowtraq too (er, bugtraq at securityfocus com).

> PostNuke forked off PHPNuke 4 years ago (PHPNuke was never
> truly open) and has evolved to a pretty stable base of APIs.

I do know all of this.  Actually, we recently had to shut down
another PostNuke site that got broken into -- the webmaster
didn't follow the track, and we didn't have chance to fix that
quick.  It was pnphpbb2 broken through.

> I'm sorry that you had such trouble with PHPNuke.

Thanks.  (it was another "legacy" install... and we were building
upon that, as well as using in different projects together with
the person who set it up there then)

> Any cms can have vulnerabilities - especially one with a small
> development team but large installed base.

Installed base doesn't implicate security directly, it's rather:

- a chance to have skilled webmaster who will find/fix the
  problem and share the patch;
- a chance to have paying customers (and therefore some
  arrangements, possibly including security response items).

It doesn't affect the design.  While the design largely affects
the potential for vulnerabilities.

Oh well, I might be *very* boring and off topic (as usual).

> Thank you for sharing your experiences with phpnuke.

William, please don't take that personally -- developing modules
for some platform is usually more wise than rolling yet another
one on someone's own.

Still I had to point out that even with PostNuke being way better
refined than the original, the amount of DNA breakage within the
latter seems unreparable. (it's more like answering Stephen's 
"is a reson" though)

Sorry if I've hurt someone feelings, I have none for software
but still owe my debts to developers of that used by me.

And please don't consider me pushing One True Solution, this time
I've tried to reference a bit more things we've played with.
Even if something didn't fit us then it might fit others today.

 ---- WBR, Michael Shigorin <mike@xxxxxxxxxxx>
  ------ Linux.Kiev http://www.linux.kiev.ua/
 ----       visit our conference (Oct 1):
--          http://conference.osdn.org.ua