I recently bought my own server (dual Xeon) and since I will do the administration myself (helped by Plesk 7.5 and Fedora Core 2) I became more concerned with security, and some thoughts and questions came to mind:
- Is there a mailing list for PN-related security advisories?
- Is there a kind of hack history of PN modules (stating which modules carry known risks and which don't)?
- Why isn't there a forum here about security in PN?
- Are there things one can do in PN to limit risks?
etc. etc. etc.
Security
1) See http://noc.postnuke.com/mail/?group_id=5 - the lists are still offline as a result of our ongoing gforge upgrade but that's the list you need
2) The best lists are kept by the security companies themselves - secunia, security focus etc.
I'd add that any module that doesn't work on PN .750 on a server set with register globals off should be considered a risk. The module not working suggests that the coding makes assumptions about database connections, global variables and input that are a potential risk.
3) Not sure there's a need.... We've a security contact for reporting security issues to the team and security can be discussed in each forum as appropriate.
4) Sign up for security mailing lists - not just our one but ones like secunia. Keep the server and associated software (PHP, apache, mysql) patched up to date. Configure each component for security (see the relevant software sites for details) e.g. set register globals off in php.ini.
On the PN side of things test each module in an isolated test environment first. If you're comfortable with PHP code, audit the module code prior to using it. Possibly try out some simpler, common exploits - e.g. non numeric strings where a numeric value is expected. There are various articles around the web on securing PHP code - take a look at these with a view to testing modules for each exploit technique.
-Mark
--
Visit My homepage and Zikula themes.
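The two points in Mark's reply about register globals and about feeding non-numeric strings where a number is expected, illustrated as an added example that is not part of the original thread or of any PostNuke module. The first function shows the coding style the reply treats as a red flag (a page lookup that only works when register_globals is on, and that drops the value straight into SQL); the second reads the request explicitly, validates it, and binds it. The table and column names (pn_pages, pn_pid, pn_title) and the in-memory SQLite table used for the self-check are assumptions made for this example.

```php
<?php
// Added example (not from the original thread or from PostNuke itself).
// Table/column names pn_pages, pn_pid, pn_title are assumptions.

// --- "Before": the style the reply warns about -----------------------------
// With register_globals = On, a request for ?pid=7 silently creates $pid.
// With it Off, $pid is undefined and the page "does not work", which is the
// symptom the reply treats as a sign of risky coding. In both cases the value
// is dropped into SQL without checking that it is numeric.
function pages_get_item_legacy($db)
{
    global $pid;                       // depends on register_globals
    $sql = "SELECT pn_title FROM pn_pages WHERE pn_pid = $pid";
    return $db->query($sql)->fetchColumn();
}

// --- "After": explicit input, numeric validation, bound parameter ----------
// Returns the validated id as an int, or null when the request does not carry
// a well-formed positive integer. Non-numeric probes such as "abc" or
// "7 OR 1=1" are rejected here and never reach the query.
function pages_get_pid(array $request)
{
    if (!isset($request['pid'])) {
        return null;
    }
    $raw = (string) $request['pid'];
    if (!ctype_digit($raw) || $raw === '0' || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

function pages_get_item(PDO $db, array $request)
{
    $pid = pages_get_pid($request);
    if ($pid === null) {
        return null;                   // caller renders "not found"
    }
    $stmt = $db->prepare('SELECT pn_title FROM pn_pages WHERE pn_pid = :pid');
    $stmt->execute([':pid' => $pid]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// --- Self-check against a constructed in-memory SQLite table ---------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pn_pages (pn_pid INTEGER PRIMARY KEY, pn_title TEXT)');
$db->exec("INSERT INTO pn_pages VALUES (7, 'About us'), (8, 'Contact')");

// Inputs of the kind the reply suggests trying in an isolated test
// environment: a normal id, a non-numeric string, a numeric-looking string
// with a tail, an empty value and a negative number.
foreach (['7', 'abc', '7 OR 1=1', '', '-7'] as $probe) {
    $result = pages_get_item($db, ['pid' => $probe]);
    printf("pid=%-12s -> %s\n", var_export($probe, true),
           $result === null ? 'rejected / not found' : $result);
}
```

Only the first probe returns a title; every other one is rejected before any SQL runs. The same check is what a module audit should look for: each value the module consumes should come from an explicit source such as `$_GET` or `$_POST`, be validated for the type the code expects, and be passed to the database as a parameter rather than by string interpolation. Running the legacy function on a server with `register_globals = Off` in php.ini fails outright, which is exactly the "module doesn't work" signal the reply describes.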