October 26, 2004

PostNuke open source CMS attacked

Author: Jem Matzan

This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in paFileDB, the download management software used on their site, had allowed an attacker to replace the PostNuke download with a trojaned copy. That copy was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 08:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?

Everyone who downloaded the .ZIP archive of PostNuke .750 from downloads.postnuke.com between Sunday and Tuesday should re-download the software and verify its MD5 checksum against the checksums published off-site (that is, on a site other than the compromised download server), according to PostNuke's security officer.

In its message, the PostNuke team emphasizes that the vulnerability was not in the PostNuke code itself but in the program it used to manage downloads of the PostNuke source from its Web site. Security flaws in database-driven CMS software are not uncommon, but this one is unusual in its effect: it tainted new downloads of the software, so that every fresh installation built from the compromised archive carried a backdoor.

While critics will inevitably use this as an example of how terrorists can destroy the free world, what it implies about free software specifically is questionable.

At issue is neither the open source development model nor the fact that the software was freely available for download. PostNuke could just as well have been proprietary, closed source, and sold for a fee; had the developers used the same download tool, the software would still have been compromised. But would the security officer have found the problem so quickly, or at all?

The problem was found on Monday night and downloads were disabled; they remain disabled at the time of this writing, until the exact nature of the problem is pinned down. Members of the PostNuke development team compared the cracked source code with the untouched code and found that only one file, pnAPI.php in the includes directory, had been modified: the altered version sends all data submitted during the installation process to a different server, which collects it. If only a select few had had access to the source code, how much longer would it have taken to discover this attack?
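The comparison the PostNuke developers did by hand, and the off-site MD5 check their security officer recommends, generalize to a small integrity-check script. The one below is an added example, not PostNuke's own tooling: it hashes every file in a known-good tree and a suspect tree and reports what was modified, added or removed, and it checks a downloaded archive against a digest published elsewhere. The two tiny "source trees" and the archive bytes are constructed inline so the script runs offline; the file names are illustrative and the altered line stands in for the real trojan, which is not reproduced.

```python
"""Find which files in a suspect source tree differ from a known-good copy,
and verify a downloaded archive against a checksum published off-site.

Added example, not PostNuke's own tooling. Sample trees are constructed
inline; file names are illustrative only.
"""
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "md5") -> str:
    """Hex digest of a file, read in chunks so large archives are fine."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archive(path: Path, published_md5: str) -> bool:
    """True if the archive matches the MD5 published on a site the attacker
    did not control. compare_digest is a habit worth keeping for any digest
    comparison, even though timing is not a concern for a local check."""
    return hmac.compare_digest(file_digest(path, "md5"), published_md5.strip().lower())


def tree_digests(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(good: Path, suspect: Path) -> dict[str, list[str]]:
    """Report files modified, added, or removed relative to the good tree."""
    g, s = tree_digests(good), tree_digests(suspect)
    return {
        "modified": sorted(f for f in g if f in s and g[f] != s[f]),
        "added": sorted(set(s) - set(g)),
        "removed": sorted(set(g) - set(s)),
    }


def build_demo_trees(base: Path) -> tuple[Path, Path]:
    """Constructed sample data: a pristine tree and a copy with one file altered."""
    files = {
        "index.php": "<?php // front controller\n",
        "config.php": "<?php // site configuration\n",
        "includes/pnAPI.php": "<?php // core API\n",
    }
    good, suspect = base / "good", base / "suspect"
    for rel, body in files.items():
        for root in (good, suspect):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # The suspect copy has one extra line in includes/pnAPI.php. This is a
    # stand-in for the trojan; the real payload is not reproduced here.
    with (suspect / "includes" / "pnAPI.php").open("a") as f:
        f.write("// constructed modification for this demo\n")
    return good, suspect


def demo() -> dict[str, list[str]]:
    """Build the sample trees in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, suspect = build_demo_trees(Path(tmp))
        return compare_trees(good, suspect)


def demo_archive_check() -> tuple[bool, bool]:
    """Check a constructed 'download' against a correct and a wrong published MD5."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "postnuke-demo.zip"
        archive.write_bytes(b"constructed archive bytes, not a real release\n")
        published = file_digest(archive)  # what an off-site checksum page would list
        return verify_archive(archive, published), verify_archive(archive, "0" * 32)


if __name__ == "__main__":
    print(demo())                # {'modified': ['includes/pnAPI.php'], 'added': [], 'removed': []}
    print(demo_archive_check())  # (True, False)
```

The point of the off-site digest is that an attacker who can replace the archive on the download server can usually replace a checksum file sitting next to it as well; a digest fetched from a second, independently administered host (or a signature over the archive) is what actually catches a swap.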

Recommended actions

If you downloaded the .ZIP archive of PostNuke in the past two days and think you may be affected, the easiest fix is to delete /includes/pnAPI.php and replace it with a clean copy from the PostNuke archives. Then check your Web server logs for any request URLs containing the string oops=, and report any you find to the security team. Lastly, change your database username and password, since the credentials entered during installation were among the data the modified file sent off-site.
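The log check above is a one-line grep, but a grep for the literal string misses percent-encoded variants and does not tell you which client addresses were involved. The script below is an added example, not the PostNuke team's own tool: it parses Apache combined-format access log lines, flags requests whose URL contains oops= before or after percent-decoding, and lists the source addresses. The log lines are constructed; the IPs, paths and timestamps are illustrative, and the query value is a placeholder rather than what the trojan actually sent.

```python
"""Scan web-server access logs for requests whose URL contains "oops=", the
marker PostNuke's security team asked affected administrators to look for.

Added example, not the PostNuke team's own script. Log lines are constructed
in Apache combined format; values are placeholders.
"""
import re
from typing import Iterable
from urllib.parse import unquote

# Apache combined log format; the request target is the field we care about.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

MARKER = "oops="

# Constructed sample: two hits (one plain, one percent-encoded), three clean lines.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Oct/2004:03:12:41 +0000] "GET /install.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [26/Oct/2004:03:12:58 +0000] "GET /index.php?oops=example HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [26/Oct/2004:03:15:02 +0000] "GET /index.php?module=News HTTP/1.1" 200 8192 "-" "Mozilla/4.0"
192.0.2.55 - - [26/Oct/2004:04:01:10 +0000] "POST /index.php?%6f%6f%70%73=x HTTP/1.0" 302 0 "-" "curl/7.12"
198.51.100.23 - - [26/Oct/2004:04:05:33 +0000] "GET /themes/default/style.css HTTP/1.1" 304 0 "-" "Mozilla/4.0"
"""


def find_marker_requests(lines: Iterable[str], marker: str = MARKER) -> list:
    """Return one record per request whose target contains the marker,
    checking both the raw target and its percent-decoded form."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed or non-request line; skip rather than crash
        target = m.group("target")
        if marker in target or marker in unquote(target):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "target": target,
            })
    return hits


def source_addresses(hits: list) -> list:
    """Distinct client addresses behind the flagged requests, for the report."""
    return sorted({h["ip"] for h in hits})


def demo() -> list:
    """Run the scan over the constructed sample log."""
    return find_marker_requests(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in demo():
        print(f'{hit["ip"]} {hit["ts"]} {hit["method"]} {hit["target"]}')
    print("addresses:", source_addresses(demo()))
```

Run it against a real log with `find_marker_requests(open("access_log"))`; the records it returns, together with the distinct addresses, are what the security team asked to be reported.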

Jem Matzan is the author of three books, a freelance journalist and the editor-in-chief of The Jem Report.

