I would suggest creating a PN security forum to discuss security-related topics such as:
- Server setups
- protection against SQL injections using mod_security and others
- SElinux compatibility of PN
- security of modules which do not have an active forum
- how to improve server security
- effects of safe mode, magic quotes, register globals, etc.
- workarounds, how to make some modules work even with safe mode on
...

PostNuke has a big credibility problem when it comes to security, especially in Germany.

A subforum on this topic would maybe help to improve that situation.

Very good idea..

any specific pointers for this?

<private opinion="opinion">

server stuff is usually beyond the scope of any application forum - there are definitly better places to discuss this kind of stuff...


PostNuke works under safe_mode=on, magic_quotes_gpc=on and register_globals [32]=off - third party modules *should* also be programmed this way (personally i don't use modules that won't work under those circumstances)


the third party forums are the first place to discuss this kind of stuff - the PostNuke team is focused on the core and can't check *all* available modules.


anyway: feel free to discuss security stuff related to PostNuke within either support or general chat (or use the security contact linked in the footer)

--
regards from germany
..::[Zikula Application Framework [33]]::.. ..::[SEO-Blog [34]]::.. ..::[CMS Sicherheit [35]]::..</private>

Hello Lars



yes, pay a visit to Germany's premier forum of (too) serious Linux admins: www.rootforum.de

Just ask there about security and nuke systems (you will get at best laughed at). Or you can also do a search on PHP-nuke or nukes.

PostNuke is put into the same category as PHP-nuke, myphpnuke, etc. As soon as you say "nuke", you can forget about credibility. I think the earlier years have left very bad memories of nuke systems.

I even think a name change of PostNuke can be beneficial.
In any case, there is some serious PR work to do.



I partly agree and partly disagree on this one. The PN community has the advantage of being very hands-on, with a language accessible for all and much people eager to help, because everyone here has the same concern.

Many security forums (much more competent than the PN community) will snob any question that seems too simple, or reveals that the poster is a newbie (hint at rootforum.de). When you mention you have a nuke system installed, they will just laugh at you, hahaha no wonder you got hacked, and get as an answer "there will never ever be a nuke system installed on one of my servers, get a clue, you noob, if you install a nuke you shouldnt be allowed to own or to run a server, youre a public danger for the internet, we hate people like you". And this is a general opinion there.

I expect most questions to be somehow related to PN. For example mod_security depends on its configuration to work well, so I can imagine a PN-specific configuration or a Module-specific config for it. And there are other tools out there that need specific config.
Mods like mod_security, if well configured, can sometimes prevent the exploitation of security holes.

Now that dedicated servers have become more cheap, we also have many noobs with the priviledges and duties of "root". The snob forums will only tell that this is bad and should be forbidden, and not help with any hands-on tutorials or how-tos.
Let's face it: by being relatively easy to install, PostNuke is attractive for the newbies. They will download modules, install them, even write own scripts, deactivate safe mode and other things because otherwise their crap won't work (linux system status requires system access).

And they will get hacked.

And who will they blame, or who will their hoster blame?
"ya know, the guy had some nuke installed and then got r0xx0red 0wn3d" - "hey, no wonder" - "yeah."
It will again be PostNuke's fault.

As a sticky in the security subforum I can imagine the 10 laws for running a secure PN site, or something like that.



I agree, but you know as me that many PN modules do not fulfill all these requirements.
The community could discuss about what to change in these modules to make them secure (hey, maybe it is just a function that needs to be tweaked to get improved security?).
Or we can also discuss if a certain server configuration is necessary to get it working. For example, I run gallery in safe mode, and it works, including uploads and image manipulation. I think there would be some interest on this board for this information.



Yes, I agree with you that the PN team should not have to check third party modules.
But you know that every time someone installs PN and gets an obscure module from somewhere and gets hacked, he will probably never find out how he was hacked exactly because server logs will be gone. Suspicion will always fall on PostNuke, and that's not what we want, right?

Also, I point out again that there are plenty of PN modules with no place to discuss their security. Posts in support or third party modules will just disappear in the mass.

I think the security subforum should contain the PN security announcements as sticky, some how-tos or links to how-tos, and leave the rest to the community. This did work fine in the past in the other forums.

I partook in a discussion about renaming PostNuke. It's something that's been discussed ever since the fork from PHP-nuke. I came up with Fallout CMS. Anyhow, that discussion belongs here [47].

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com [48]


See what I do with PostNuke - http://surreal-dreams.com

I did a quick search on PostNuke in that forum, and the people there might be professionals regarding to their linux box, but the answers they give shows that they haven't any knowledge on PostNuke :?

<bad joke="joke">that's quite funny - getting blamed by a community running phpbb2
as jörg already mentioned the folks might be professionals with their linux boxes but i didn't find any valid point regarding weak PostNuke security besides typical bashing in their postings.
anyway - since i even convinced heise.de about the differences regarding security between PostNuke and *nuke (and dab needed to update his 'advisory' even twice) i already contacted 'joe user' via pm to discuss those blamings.

--
regards from germany
..::[Zikula Application Framework [59]]::.. ..::[SEO-Blog [60]]::.. ..::[CMS Sicherheit [61]]::..</bad>

lol - you saw my posts there

what you didn't see is the 20 or 30 posts that got deleted by the rootforum mod because my questions were just too basic for them...

And 'joe user' is by far not the only one with that opinion.

But I think the point is made that a place is needed to discuss PN-related security questions.

A little pot-pourri for those who can read german:

Translated by the fish:



I think it's at least 10% easier to read than German. Which I can't read at all.

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com [79]


See what I do with PostNuke - http://surreal-dreams.com

That's about the level of english many germans sspeak

Comparable to AOL english, too. Still, how many Americans know that much German?

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com [90]


See what I do with PostNuke - http://surreal-dreams.com

I like that .76 shows the admin the status of Register globals. Is there any way to do the same with safe mode? And also to add a link about what to do about it... For example Register globals could be turned off by
1) asking your ISP
2) putting in an .htaccess
3) putting in a php.ini (depending on the circumstance)

Maybe also mention if Safe Mode is on or off too. If these are important I feel they should be in our face (or hack the code to turn it off) to avoid innocent/ naive mistakes.

Plus maybe add
* a link to http://secunia.com/search/?search=PostNuke for a place to see security concerns.
* a check to see if your mysql password is encrypted
* an rss feed to the PostNuke security announcements in the admin
* optional version check to notify of old PostNuke version (for people that make a site and then leave it for some time... or just have not checked back lately)
* instead of making warnings disappear when fixed, have a green check mark next to them so it is clear that these are not in question (and maybe help in support questions)

Just some thoughts from a hacked postnuker.

have a look at the last posts in the support forum about all those hacked sites and reconsider the proposal for a security / hack relief forum?

As a relatively unskilled person, having a single forum where I could regularly look for and read and learn from posts about weaknesses and patches would seem to be in the 'duh...of course' category.

Peter