Zikula: A Flexible Open Source Content Management System
Security
  • Posted: 25.04.2005, 20:25 by manarak (rank: Helper; registered: December 1969; status: offline; last visit: 18.07.08; posts: 393)
    I recently bought my own server (dual Xeon), and since I will do the administration myself (helped by Plesk 7.5 and Fedora Core 2), I have become more concerned with security. Some thoughts and questions came to my mind:

    - Is there a mailing list for PN-related security advisories?
    - Is there a kind of hack history of PN modules (stating which modules carry known risks and which don't)?
    - Why isn't there a forum here about security in PN?
    - Are there things one can do in PN to limit risks?
    etc. etc. etc.
  • Posted: 25.04.2005, 20:48 (rank: Moderator; registered: March 2002; status: offline; last visit: 26.08.08; posts: 7720)
    1) See http://noc.postnuke.com/mail/?group_id=5 - the lists are still offline as a result of our ongoing gforge upgrade but that's the list you need

    2) The best lists are kept by the security companies themselves - secunia, security focus etc.

    I'd add that any module that doesn't work on PN .750 on a server set with register globals off should be considered a risk. The module not working suggests that the coding makes assumptions about database connections, global variables and input, which are a potential risk.

    3) Not sure there's a need.... We've a security contact for reporting security issues to the team, and security can be discussed in each forum as appropriate.

    4) Sign up for security mailing lists - not just our one but ones like secunia. Keep the server and associated software (PHP, apache, mysql) patched up to date. Configure each component for security (see the relevant software sites for details) e.g. set register globals off in php.ini.

    On the PN side of things, test each module in an isolated test environment first. If you're comfortable with PHP code, audit the module code prior to using it. Possibly try out some simpler, common exploits - e.g. non-numeric strings where a numeric value is expected. There are various articles around the web on securing PHP code - take a look at these with a view to testing modules for each exploit technique.

    -Mark
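The two points from Mark's reply, a module that only works with register globals on and the "non-numeric string where a number is expected" check, as an added PHP example; this is not code from the thread or from PostNuke, and the function names, the `pn_items` table and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread or from PostNuke itself.
// Assumed names: showItem_legacy(), showItem_checked(), runInputChecks().

// Legacy style: works only with register_globals = On, because $id is
// never assigned explicitly. With it off, $id is undefined; with it on,
// any request variable (GET, POST, cookie) silently becomes $id, and a
// non-numeric string goes straight into the query string.
function showItem_legacy()
{
    global $id;                                   // implicit, unchecked
    return "SELECT title FROM pn_items WHERE id = $id";
}

// Hardened style: read the parameter explicitly from the request, insist
// that it is a plain decimal integer, and cast it before use. Anything
// else is rejected, which is what a module should do on the
// "non-numeric string where a number is expected" test.
function showItem_checked(array $request)
{
    if (!isset($request['id']) || !ctype_digit((string) $request['id'])) {
        return null;                              // reject, do not query
    }
    $id = (int) $request['id'];
    return "SELECT title FROM pn_items WHERE id = $id";
}

// Drive the checked handler with the kind of inputs a module audit would
// try: a valid id, an empty value, and non-numeric or mixed strings.
// Returns a map of input => accepted (true) / rejected (false).
function runInputChecks()
{
    $samples = ['42', '', 'abc', '12abc', '-1', '4.2'];   // constructed
    $results = [];
    foreach ($samples as $value) {
        $results[$value] = showItem_checked(['id' => $value]) !== null;
    }
    return $results;
}

print_r(runInputChecks());
```

Only the plain integer sample passes the check; every other sample is rejected before a query is ever built, which is the behaviour to look for when auditing a module on a register-globals-off server.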
