I would suggest creating a PN security forum to discuss security-related topics such as:
- Server setups
- protection against SQL injections using mod_security and others
- SElinux compatibility of PN
- security of modules which do not have an active forum
- how to improve server security
- effects of safe mode, magic quotes, register globals, etc.
- workarounds, how to make some modules work even with safe mode on
...
Postnuke has a big credibility problem when it comes to security, especially in Germany.
A subforum on this topic would maybe help to improve that situation.
better attention for security
[8]
Go to page 1 - 2 [15] [+1 [16]]:
-
manarak [17]
- Rank: Helper
- Registered: Dec 31, 1969
- Last visit: May 20, 2010
- Posts: 524
[18] Posted: Jul 20, 2005 - 02:37 AM
-
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Jun 26, 2009
- Posts: 34
[22] Posted: Jul 20, 2005 - 02:39 AM
Very good idea.. -
larsneo [26]
- Rank: Software Foundation
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 3814
[27] Posted: Jul 20, 2005 - 03:48 AM
Quote
Postnuke has a big credibility problem when it comes to security, especially in Germany.
any specific pointers for this?
<private opinion="opinion">
Quote
- Server setups
- protection against SQL injections using mod_security and others
- SElinux compatibility of PN
- how to improve server security
server stuff is usually beyond the scope of any application forum - there are definitly better places to discuss this kind of stuff...
Quote
- effects of safe mode, magic quotes, register globals, etc.
postnuke works under safe_mode=on, magic_quotes_gpc=on and register_globals [28]=off - third party modules *should* also be programmed this way (personally i don't use modules that won't work under those circumstances)
Quote
- security of modules which do not have an active forum
- workarounds, how to make some modules work even with safe mode on
the third party forums are the first place to discuss this kind of stuff - the postnuke team is focused on the core and can't check *all* available modules.
anyway: feel free to discuss security stuff related to postnuke within either support or general chat (or use the security contact linked in the footer)
--
regards from germany
..::[Zikula Application Framework [29]]::.. ..::[SEO-Blog [30]]::.. ..::[CMS Sicherheit [31]]::..</private> -
manarak [35]
- Rank: Helper
- Registered: Dec 31, 1969
- Last visit: May 20, 2010
- Posts: 524
[36] Posted: Jul 20, 2005 - 05:22 AM
Hello Lars
Quote
Quote:
Postnuke has a big credibility problem when it comes to security, especially in Germany.
any specific pointers for this?
yes, pay a visit to Germany's premier forum of (too) serious Linux admins: www.rootforum.de
Just ask there about security and nuke systems (you will get at best laughed at). Or you can also do a search on PHP-nuke or nukes.
Postnuke is put into the same category as PHP-nuke, myphpnuke, etc. As soon as you say "nuke", you can forget about credibility. I think the earlier years have left very bad memories of nuke systems.
I even think a name change of Postnuke can be beneficial.
In any case, there is some serious PR work to do.
Quote
server stuff is usually beyond the scope of any application forum - there are definitly better places to discuss this kind of stuff...
I partly agree and partly disagree on this one. The PN community has the advantage of being very hands-on, with a language accessible for all and much people eager to help, because everyone here has the same concern.
Many security forums (much more competent than the PN community) will snob any question that seems too simple, or reveals that the poster is a newbie (hint at rootforum.de). When you mention you have a nuke system installed, they will just laugh at you, hahaha no wonder you got hacked, and get as an answer "there will never ever be a nuke system installed on one of my servers, get a clue, you noob, if you install a nuke you shouldnt be allowed to own or to run a server, youre a public danger for the internet, we hate people like you". And this is a general opinion there.
I expect most questions to be somehow related to PN. For example mod_security depends on its configuration to work well, so I can imagine a PN-specific configuration or a Module-specific config for it. And there are other tools out there that need specific config.
Mods like mod_security, if well configured, can sometimes prevent the exploitation of security holes.
Now that dedicated servers have become more cheap, we also have many noobs with the priviledges and duties of "root". The snob forums will only tell that this is bad and should be forbidden, and not help with any hands-on tutorials or how-tos.
Let's face it: by being relatively easy to install, Postnuke is attractive for the newbies. They will download modules, install them, even write own scripts, deactivate safe mode and other things because otherwise their crap won't work (linux system status requires system access).
And they will get hacked.
And who will they blame, or who will their hoster blame?
"ya know, the guy had some nuke installed and then got r0xx0red 0wn3d" - "hey, no wonder" - "yeah."
It will again be Postnuke's fault.
As a sticky in the security subforum I can imagine the 10 laws for running a secure PN site, or something like that.
Quote
postnuke works under safe_mode=on, magic_quotes_gpc=on and register_globals [37]=off - third party modules *should* also be programmed this way (personally i don't use modules that won't work under those circumstances)
I agree, but you know as me that many PN modules do not fulfill all these requirements.
The community could discuss about what to change in these modules to make them secure (hey, maybe it is just a function that needs to be tweaked to get improved security?).
Or we can also discuss if a certain server configuration is necessary to get it working. For example, I run gallery in safe mode, and it works, including uploads and image manipulation. I think there would be some interest on this board for this information.
Quote
the third party forums are the first place to discuss this kind of stuff - the postnuke team is focused on the core and can't check *all* available modules.
Yes, I agree with you that the PN team should not have to check third party modules.
But you know that every time someone installs PN and gets an obscure module from somewhere and gets hacked, he will probably never find out how he was hacked exactly because server logs will be gone. Suspicion will always fall on Postnuke, and that's not what we want, right?
Also, I point out again that there are plenty of PN modules with no place to discuss their security. Posts in support or third party modules will just disappear in the mass.
I think the security subforum should contain the PN security announcements as sticky, some how-tos or links to how-tos, and leave the rest to the community. This did work fine in the past in the other forums. -
**unknown user**
- Rank: Senior
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 2243
[41] Posted: Jul 20, 2005 - 06:12 AM
I partook in a discussion about renaming PostNuke. It's something that's been discussed ever since the fork from PHP-nuke. I came up with Fallout CMS. Anyhow, that discussion belongs here [42].
Frank -
jn [46]
- Rank: Helper
- Registered: Apr 08, 2002
- Last visit: Oct 21, 2009
- Posts: 614
[47] Posted: Jul 20, 2005 - 06:17 AM
I did a quick search on PostNuke in that forum, and the people there might be professionals regarding to their linux box, but the answers they give shows that they haven't any knowledge on PostNuke :?manarak
yes, pay a visit to Germany's premier forum of (too) serious Linux admins: www.rootforum.de
Just ask there about security and nuke systems (you will get at best laughed at). Or you can also do a search on PHP-nuke or nukes.
Postnuke is put into the same category as PHP-nuke, myphpnuke, etc. As soon as you say "nuke", you can forget about credibility. I think the earlier years have left very bad memories of nuke systems. -
larsneo [51]
- Rank: Software Foundation
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 3814
[52] Posted: Jul 20, 2005 - 06:35 AM
Quote
yes, pay a visit to Germany's premier forum of (too) serious Linux admins: www.rootforum.de
<bad joke="joke">that's quite funny - getting blamed by a community running phpbb2
as jörg already mentioned the folks might be professionals with their linux boxes but i didn't find any valid point regarding weak postnuke security besides typical bashing in their postings.
anyway - since i even convinced heise.de about the differences regarding security between postnuke and *nuke (and dab needed to update his 'advisory' even twice) i already contacted 'joe user' via PM to discuss those blamings.
--
regards from germany
..::[Zikula Application Framework [53]]::.. ..::[SEO-Blog [54]]::.. ..::[CMS Sicherheit [55]]::..</bad> -
manarak [59]
- Rank: Helper
- Registered: Dec 31, 1969
- Last visit: May 20, 2010
- Posts: 524
[60] Posted: Jul 20, 2005 - 07:09 AM
lol - you saw my posts there
what you didn't see is the 20 or 30 posts that got deleted by the rootforum mod because my questions were just too basic for them...
And 'joe user' is by far not the only one with that opinion.
But I think the point is made that a place is needed to discuss PN-related security questions. -
manarak [64]
- Rank: Helper
- Registered: Dec 31, 1969
- Last visit: May 20, 2010
- Posts: 524
[65] Posted: Jul 20, 2005 - 07:45 AM
A little pot-pourri for those who can read german:
Quote
Für (.*)nuke(.*) gilt: Finger weg!
Das erzählen die von phpbb, postnuke & Co schon seit Jahren. Trotzdem tauchen regelmäßig Schwachstellen auf
Also ich installiere so Software wie phpMyAdmin [66], serverstats, phpsysinfo... nur unter einem vhost, der komplett per basic-auth geschützt ist. phpbb, postnuke... würde ich niemals nie installieren, auch nicht auf localhost auf einem Server ohne Netzwerkanschluss in Fort Knox
PS: Alles was "nuke" im Namen trägt, hat auf einem öffentlich zugänglichen Server nichts verloren.
Doch wenn der Kunde sich ein PostNuke drauf wirft ... wie kontrolliere ich das? Jo, ich suche regelmäßig nach auffälligen Dateien, doch so richtig überzeugend ist das nicht ....
Und natürlich keine bekanntermaßen unsicheren Scripte verwenden wie postnuke, phpBB ()
und solche sachen wie Postnuke würde niemals benutzen... das ist nur eine wandelne Zeitbombe
Postnuke - Warum nimmst nicht was gescheites?
Immer wieder gerne gesehen ist wohl postnuke, kennt wer noch weitere "problematische" PHP-Projekte die ähnlich unsicher sind?
Und auch bei Postnuke verstehe ich es nicht wirklich - selbst wenn das löcherig ist wie ein Schweizerkäse.
Wir hatten jetzt das Vergnügen (naja) das sich ein Hacker durch ein unsicheres Script (Nuke) zugriff aufe einen unserer Server verschafft hat.
irgendwie sträuben sich bei mir die Haare, wenn ich "Nuke" lese
Die Nukes, vor allem PHPNUke gelten als recht unsicher
Nuke ist das beste Beispiel dafür wie man es nicht machen sollte.
Ja, es liegt an den miserabel geschriebenen "Nuke Dingern". Entweder Du reduzierst die Querries selbst, oder wechselst zu einem weniger misrabel geschriebenem möchtegern CMS (was Du sicherheitstechnisch ohnehin machen solltest).
Alles was sich nach Nuke anhört, anfühlt oder danach riecht, lass es ...
Ja! Wie bereits geschrieben: mv *nuke* /dev/null
"Bitte Scott, hau' das Nuke runter - Deine Seite wird irgendwann "defaced"
Eher erschreckend wieviele Leute IMMER NOCH Nuke oder Derivate, Forks etc. davon, einsetzen
Wie bereits gesagt über unsicher konfigurierte und schlampig programmierte Software (xamp inkl. *nuke* / eGallery)
ich sag bloss finger weg von nuke musste auch meine erfahrungen machen damit
Nunja, auch wenns nich hier her gehört: Nuke ist und bleibt für mich tabu.
Ich glaube, Nuke hat das sogar schon drin *gg* (mit unzähligen Löchern und Bugs ....).
da gerade Nuke ein Pulverfass ist
Aber es ist ja nichts Neues, dass Nuke Sicherheitslöcher en masse hat -
**unknown user**
- Rank: Senior
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 2243
[70] Posted: Jul 20, 2005 - 07:51 AM
Translated by the fish:
Babelfish
To (*)nuke(. *) applies: Finger away!
Of phpbb, postnuke & CO already tell that for years. Nevertheless regularly weak points emerge
Thus I install like that software as phpMyAdmin [71], server act, phpsysinfo... only under one vhost, am completely by basic auth protected phpbb, postnuke... I would never never install, also not on local host on a server without network connection in away Knox
HP: Everything which "nuke" in the name does not carry, has on a publicly accessible server anything lost.
But if the customer throws itself a PostNuke drauf... as controls I that? Jo, I looks regularly for remarkable files, but that is not so correctly convincing....
And naturally use no well-known uncertain Scripte like postnuke, phpBB ()
and such things such as Postnuke would never use... that is only a wandelne time bomb
Postnuke - why take which don't clever?
Gladly again and again seen postnuke is probably, knows who still further "problematic" PHP projects those is similarly uncertain?
And also with Postnuke I really do not understand it - even if that is loecherig like a Swiss cheese.
We had now the pleasure (naja) a hacker by an uncertain Script (Nuke) accessed ourselves aufe one of our servers provided.
the hair straeuben itself somehow with me, if I read "Nuke"
The Nukes, above all PHPNUke is considered as quite uncertain
Nuke is not the best example of it like one it to make should.
Yes, it is because of the miserably written "Nuke DIN gladly". Either you reduce the Querries themselves, or change to less misrabel written like gladly CMS (which should make you safety-relevant anyway).
Everything which after Nuke sounds itself, feels or afterwards smells, leaves it...
Yes! As already written: mV * nuke * /dev/null
to "request Scott, strike ' the Nuke down - your side becomes sometime" defaced "
Rather frightening how many people use still Nuke or derivatives, Forks etc. of it,
Like already said over and schlampig programmed software configured uncertainly (xamp inclusive * nuke */eGallery)
I say only fingers away of nuke had also my experiences to make thereby
Nunja, also wenns nich belongs here ago: Nuke is and remains for me taboo.
I believe, Nuke have that even already in it * gg * (with innumerable holes and nose....).
since straight Nuke is a powder barrel
But it is nothing new that Nuke has safety holes EN mass
I think it's at least 10% easier to read than German. Which I can't read at all.
Frank -
manarak [75]
- Rank: Helper
- Registered: Dec 31, 1969
- Last visit: May 20, 2010
- Posts: 524
[76] Posted: Jul 20, 2005 - 08:49 AM
That's about the level of english many germans sspeak
-
**unknown user**
- Rank: Senior
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 2243
[80] Posted: Jul 20, 2005 - 08:53 AM
Comparable to AOL english, too. Still, how many Americans know that much German?
Frank -
**unknown user**
- Rank: Freshman
- Registered: Mar 16, 2002
- Last visit: Oct 26, 2006
- Posts: 65
[84] Posted: Sep 22, 2005 - 08:46 PM
I like that .76 shows the admin the status of Register globals. Is there any way to do the same with safe mode? And also to add a link about what to do about it... For example Register globals could be turned off by
1) asking your ISP
2) putting in an .htaccess
3) putting in a php.ini (depending on the circumstance)
Maybe also mention if Safe Mode is on or off too. If these are important I feel they should be in our face (or hack the code to turn it off) to avoid innocent/ naive mistakes.
Plus maybe add
* a link to http://secunia.com/search/?search=postnuke [85] for a place to see security concerns.
* a check to see if your mysql password is encrypted
* an rss feed to the postnuke security announcements in the admin
* optional version check to notify of old postnuke version (for people that make a site and then leave it for some time... or just have not checked back lately)
* instead of making warnings disappear when fixed, have a green check mark next to them so it is clear that these are not in question (and maybe help in support questions)
Just some thoughts from a hacked postnuker. -
manarak [89]
- Rank: Helper
- Registered: Dec 31, 1969
- Last visit: May 20, 2010
- Posts: 524
[90] Posted: Dec 02, 2005 - 10:55 PM
have a look at the last posts in the support forum about all those hacked sites and reconsider the proposal for a security / hack relief forum? -
pheski [94]
- Rank: Expert
- Registered: Feb 27, 2005
- Last visit: Apr 18, 2010
- Posts: 1567
[95] Posted: Dec 03, 2005 - 09:06 AM
manarak
... the proposal for a security / hack relief forum?
As a relatively unskilled person, having a single forum where I could regularly look for and read and learn from posts about weaknesses and patches would seem to be in the 'duh...of course' category.
Peter
[19]
[20]Go to page 1 - 2 [99] [+1 [100]]:
- Moderated by:
- Support
Users on-line
- jmvaughn [101]
This list is based on users active over the last 60 minutes.