Everyone who downloaded the .ZIP archive of the PostNuke .750 software from downloads.postnuke.com between Sunday and Tuesday should re-download the software and check it against off-site MD5s, according to PostNuke's security officer.
In its message, the PostNuke team emphasizes that the vulnerability was not with the PostNuke code itself, but with the program it was using to manage downloads of the PostNuke source from its Web site. While security flaws in database-driven CMS software are not necessarily uncommon, this one is unusual because its nature was to infect new downloads of the software, putting backdoors into newly installed PostNuke installations.
While critics will inevitably use this as an example of how terrorists can destroy the free world, the implications for free software specifically are questionable.
At issue is not the open source development model, nor is it the fact that the software was freely available for download. PostNuke could very well have been proprietary and closed source and offered for a fee, and if the developers had used the same download tool the software would still have been compromised. But would the security officer have found the problem so quickly -- or at all?
The problem was found on Monday night and downloads were disabled -- and remain disabled at the time of this writing -- until the exact problem could be found. Members of the PostNuke development team compared the cracked source code with the untouched code and found that only one file, pnAPI.php (in the includes directory), had been modified to send all data submitted during the installation process to a different server, which would collect the data. If only a select few had had access to the source code, how much longer would it have taken to discover this attack?
If you downloaded the .ZIP archive of PostNuke in the past two days and think you may be affected, the easiest thing to do is remove the /includes/pnAPI.php file and replace it with this one from the PostNuke archives. You can check your server logs for any addresses that contain the string oops=, and report such messages to the security team. Lastly, you'll want to change your database username and password.
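The two checks the article recommends, verifying a downloaded archive against an off-site MD5 and searching the web server's access log for requests carrying the oops= marker, are simple enough to script. The following is an added example, not code from the article or from the PostNuke project: it hashes a file in chunks, parses a reference checksum in the common `md5sum` line format, and scans Apache-style log lines for the marker in the request URL. The log lines, IP addresses and checksum values below are constructed for illustration, not taken from the incident.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Apache/nginx "combined" format: client IP first, request in quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 65536) -> str:
    """Hex MD5 of a file, read in chunks so large archives do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sum_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse one 'abc123...  filename' line as written by md5sum.
    Returns (digest, filename) or None if the line is not in that shape."""
    m = re.match(r"^\s*([0-9a-fA-F]{32})\s+\*?(\S.*)$", line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).strip()


def archive_matches(path: str, published_md5: str) -> bool:
    """True if the file's MD5 equals the checksum obtained from an off-site source.
    The comparison is case-insensitive and tolerant of surrounding whitespace."""
    return md5_of_file(path) == published_md5.strip().lower()


def find_suspect_requests(log_lines: Iterable[str], marker: str = "oops=") -> List[Tuple[str, str]]:
    """Return (client_ip, url) for every access-log line whose request URL
    contains the marker string. Only the URL is searched, so a marker that
    happens to appear in a user-agent or referrer is not reported."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and marker in m.group("url"):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, m.group("url")))
    return hits


# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:15:32 +0000] "GET /install.php HTTP/1.1" 200 5123',
    '192.0.2.10 - - [01/Jan/2000:10:15:40 +0000] "POST /install.php?oops=dbuser%3Dpn HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2000:10:16:02 +0000] "GET /index.php HTTP/1.1" 200 8901',
]


if __name__ == "__main__":
    for ip, url in find_suspect_requests(SAMPLE_LOG):
        print(f"suspect request from {ip}: {url}")
```

Run `archive_matches()` against a checksum fetched from a location other than the download site itself; a checksum served next to the archive by the same compromised download tool proves nothing. Feed `find_suspect_requests()` the access log with something like `find_suspect_requests(open("/var/log/apache2/access.log"))`.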