Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
PostNuke open source CMS attacked
Share
Print
CommentsEveryone who downloaded the .ZIP archive of the PostNuke .750 software from downloads.postnuke.com between Sunday and Tuesday should re-download the software and check it against off-site MD5s, according to PostNuke's security officer.
In its message, the PostNuke team emphasizes that the vulnerability was not with the PostNuke code itself, but with the program it was using to manage downloads of the PostNuke source from its Web site. While security flaws in database-driven CMS software are not necessarily uncommon, this one is unusual because its nature was to infect new downloads of the software, putting backdoors into newly installed PostNuke installations.
While critics will inevitably use this as an example of how terrorists can destroy the free world, the implications against free software specifically are questionable.
At issue is not the open source development model, nor is the fact that the software was freely available for download. PostNuke could very well have been proprietary and closed source and offered for a fee, and if the developers had used the same download tool the software would still be compromised. But would the security officer have found the problem so quickly -- or at all?
The problem was found on Monday night and downloads were disabled -- and remain disabled at the time of this writing -- until the exact problem could be found. Members of the PostNuke development team compared the cracked source code with the untouched code and found that only one file, pnAPI.php (in the includes directory), had been modified to send all data submitted during the installation process to a different server, which would collect the data. If only a select few had had access to the source code, how much longer would it have taken to discover this attack?
Recommended actions
If you downloaded the .ZIP archive of PostNuke in the past two days and think you may be affected, the easiest thing to do is remove the /includes/pnAPI.php file and replace it with this one from the PostNuke archives. You can check your server logs for any addresses that contain the string oops=, and report such messages to the security team. Lastly, you'll want to change your database username and password.
Jem Matzan is the author of three books, a freelance journalist and the editor-in-chief of The Jem Report.
Comments
on PostNuke open source CMS attackedNote: Comments are owned by the poster. We are not responsible for their content.
This has all happened before. Sendmail had the same thing only a year or two ago.
I have never heard an outcry claiming "this is what you get with open source code" because that's simply not accurate and there is a wealth of ways to prove that.
Commercial products have had similiar problems like shipping viruses, etc.
These things happen. It's the nature of an online world.
-Chris
There will always be security problems. I think we should be aware of all of them as soon as it's possible to get the information public.
-Jem
Let the peanut gallery fire off all it has. We can shoot right back, and our guns are loaded.
-Chris
I would dearly love to see that not only can FOSS hackers write good software, we can protect it as well.
Users should download Xaraya<nobr> <wbr></nobr>.9.10, available from <A HREF="http://www.xaraya.com/" title="xaraya.com">http://www.xaraya.com</a xaraya.com>.
Second, sure download Xaraya and when you can't figure out how to use it then use something else that you can figure out and get to work.
Xaraya - regularly at the bottom of reviews.
My view is that the open source model presents us with a perfect opportunity to work on the general problem of authenticating contributions to the code base. The results can equally be applied to closed source development, but I believe that the open source model is a more realistic setting in which to develop effective solutions. We begin with the assumption that much of the development infrastructure in an open source project lies outside the control of the project. So a given contributor may be a nice guy, and may have properly signed all his contributions, but if he has practiced poor security hygeine on his own system, his contributions may be tainted.
This problem is obvious in open source development. What's perhaps not so obvious is that closed source organizations are not exempt from the effects of poor security hygeine. In theory, security could be tighter in a closed environment, but in practice very few organizations are willing to undergo the inconvenience of rigorous "clean room" discipline. Indeed, it would be unwise to assume any level of security as characteristic of closed source environments. In my experience as a security consultant, I've noticed that closed source developers are often expected to maintain their own systems, they often have persuaded management to give them root on the servers, and they often work from home. The outsourcing of development work provides similar opportunities for compromise.
In the open source community, our advantage is that we can face this problem head on. It's a question of authenticating both developers and their systems. In a sense, it's about DRM as well, but not the kind of mandatory "digital restrictions management" that conspires to put our systems outside of our control. This would be a more advisory kind of DRM by which we could mutually negotiate on compliance to agreed security standards. My point is that we need to take the lead on these decisions for our own benefit, or else we may find that they have been made for us. And that's not in the spirit of open source at all.
Could this be incorperated into package managers
Posted by: Anonymous Coward on October 27, 2004 09:07 PM"Review is boring and time consuming, and it's hard," said Steve Lipner, manager of Microsoft's security response center. "Simply putting the source code out there and telling folks 'here it is' doesn't provide any assurance or degree of likelihood that the review will occur."
Seems silly to hinge your whole premise on such a shakey assumption...
md5 sums
Posted by: Anonymous Coward on October 26, 2004 11:33 PMOK a pirate could also try to change the md5 sums, but this task is a lot more difficult since :
- he would have to change the md5 sums on every location, web pages, ftp servers
- such kind of change would be fast to spot (faster than checking the source integrity).
#