-
REMINDER: Remove XMLRPC from your site!
(News)
-
The following was posted on June 29th in PNSA 2005-3:
DESCRIPTION
PostNuke CMS is an open source, open development content management system (CMS). PostNuke CMS started as a fork from PHPNuke and provides many enhancements and improvements over the PHP-Nuke system.
PostNuke CMS is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers (including ADODB database abstraction and SMARTY templating) is in place.
The PostNuke CMS Development Team was notified about a security issue within the current .750 stable package and the .760 development tree.
VULNERABILITIES
- remote code injection via xml rpc library
SOLUTION
It is recommended that all admins deactivate and remove the 'xmlrpc' module within administration-modules and additionally remove /xmlrpc.php and the /modules/xmlrpc folder completely from the filesystem.
Andreas Krapohl [larsneo]
PostNuke CMS Development Team
Generated on August 16, 2005.
-
PostNuke Security Advisory PNSA 2005-3
(News)
-
VULNERABILITIES
- remote code injection via xml rpc library
SOLUTION
It is recommended that all admins deactivate and remove the 'xmlrpc' module within administration-modules and additionally remove /xmlrpc.php and the /modules/xmlrpc folder completely from the filesystem.
The PostNuke CMS Development Team highly recommends *not* using the xml rpc library until the maintainers [1] provide a secure solution. Once an updated version is available, a modularized version will be provided for download as an additional module.
Note: The upcoming .760 release will not contain the xml rpc library.
CREDITS
The exploit was originally found by James from GulfTech Security Research and was reported via the security contact. Additionally, the maintainers of the xml rpc library were contacted.
Andreas Krapohl [larsneo]
PostNuke CMS Development Team
[1] phpxmlrpc.sourceforge.net
Generated on June 29, 2005.
-
Gnome-blog and postnuke working with new xmlrpc protocol!
(News)
-
Generated on March 1, 2004.
-
External Authentication for PostNuke (proposition)
(News)
-
Here goes...
Objective
The purpose of this development is to allow multiple methods of authentication for the Postnuke CMS (for example, allowing users to log in using their LDAP accounts, their POP accounts, etc.).
We consider that such a development, thanks to its integration with existing systems, will greatly increase the acceptance of Postnuke in enterprise environments.
Requirements
We have identified the following requirements for such a development:
1. Allow definition of an external realm that will be used for authentication.
2. Allow specifying which users will use the external realm for authentication. This includes the cases when the administrator of the site knows the credentials of the local user on the external realm, and when he does not.
3. Allow users that do not yet have a Postnuke account, but that are correctly identified by the external realm, to log in to the system (new Postnuke user records will be created for them).
4. Allow the import of a list of user accounts (possibly through the UserImport module), setting the correct external authentication information for them.
5. In case the external realms are temporarily unavailable, allow users to log in through the normal internal procedure. This means that in all cases, user records must exist for each user (including the externally authenticated ones).
Implementation
We have chosen a hybrid approach of integration with the existing code of Postnuke.
The main functionality will be contained in a module, and changes will be made to the core to allow easy setup of the users' accounts and an easy transition from older installations of Postnuke.
The module will provide a framework allowing implementation of different realm models. Thus, in case another method of authentication is needed (other than the ones we will implement), all one will need to do is write the code for another realm model.
For example, we plan to write an LDAP realm model, a POP realm model, an external database realm model and an XML-RPC realm model.
The module will also support multiple external authentication realms (using more than one method of authentication at the same time). The administrator of the site will be able to configure the Postnuke system to accept logins from one or more LDAP servers, from a POP realm, etc. at the same time.
It will also provide the necessary API for the verification of the users accounts.
At the internal database level, the table that describes the users will be kept unchanged, and a new table will be added that will contain all the data needed for the external authentication.
For each realm, the information needed is divided into two sets:
- realm-specific information (the name of the server providing authentication, a short description, connection parameters, and possibly how to retrieve from the server any information that is needed in Postnuke, e.g. the email address). This will be administered by the realm model code.
- Postnuke-specific information: whether to allow external users that do not yet have an account to log in to the system, and the group in which such users will be placed. This will be administered by the module code.
The modifications to the core will be mainly at a graphical level. We have chosen to use the PNUserHack as a starting point and add code to this hack, rather than touch the core. The purpose of these modifications will be to allow the setup of the external authentication method at the same time as the setup of the "normal" PN user accounts.
The core modifications are briefly described here:
- User administration (by the administrator): for each user and for each external server (as described in the module), add the necessary interface for allowing the user to log in through the specified server, and for deciding which external account corresponds to the user, or for letting the user specify the external account himself.
- Administration of a user's own account (by the user): if the administrator allowed it, permit specifying which external account corresponds to the user.
Of course, the status of this document and of the development is still alpha (meaning we have a pretty good idea of what we want, and we are just starting to look around in the code and to implement things). We are however willing to invest a good amount of effort in this development, and we feel that all users and Postnuke in general could benefit from such an add-on.
Best regards,
Tibi Dondera
Additional links:
http://atelier.epfl.ch - the site that contains some of our other modules. We are planning to post another article shortly about our current/finished developments. (sorry, French only)
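The requirements and the implementation section above describe one login flow: look up the user's external bindings, ask each bound realm model, auto-create a local record for an unknown user whom a realm vouches for, and fall back to the internal password only when the realms are unreachable. The following is an added example sketching that flow; it is not PostNuke code and not the module proposed here. The class names (Realm, DictRealm, RealmConfig, Authenticator), the in-memory stand-ins for the users table and the new external-auth table, and all credentials are assumptions constructed for the demo.

```python
"""Sketch of the multi-realm login flow from the proposal (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


class RealmUnavailable(Exception):
    """The external server could not be reached (the case in requirement 5)."""


class Realm:
    """Realm model interface: one subclass per method (LDAP, POP, DB, XML-RPC)."""
    name = "base"

    def check(self, ext_user: str, password: str) -> bool:
        raise NotImplementedError


class DictRealm(Realm):
    """Stand-in realm backed by a constructed dict of external credentials."""

    def __init__(self, name: str, creds: dict, available: bool = True):
        self.name, self._creds, self.available = name, creds, available

    def check(self, ext_user: str, password: str) -> bool:
        if not self.available:
            raise RealmUnavailable(self.name)
        # Never treat empty credentials as a match: on a real LDAP realm an
        # empty password turns a simple bind into an anonymous bind that "succeeds".
        if not ext_user or not password:
            return False
        expected = self._creds.get(ext_user, "")
        return hmac.compare_digest(expected.encode(), password.encode())


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalUser:          # one row of the unchanged users table (assumed layout)
    uname: str
    salt: bytes
    pw_hash: bytes
    group: str


@dataclass
class RealmConfig:        # the "Postnuke-specific" settings per realm
    realm: Realm
    allow_new_users: bool = False
    new_user_group: str = "Users"


class Authenticator:
    def __init__(self, configs):
        self.realms = {c.realm.name: c for c in configs}
        self.users = {}      # uname -> LocalUser
        self.ext_auth = {}   # uname -> [(realm_name, ext_user)]  (the new table)

    def add_local_user(self, uname, password, group="Users"):
        salt = os.urandom(16)
        self.users[uname] = LocalUser(uname, salt, _hash(password, salt), group)

    def bind_external(self, uname, realm_name, ext_user):
        self.ext_auth.setdefault(uname, []).append((realm_name, ext_user))

    def login(self, uname: str, password: str):
        """Return (True, source) on success or (False, "rejected") on failure.

        The failure value is deliberately uniform so a caller cannot tell an
        unknown account from a wrong password.
        """
        answered = False
        for realm_name, ext_user in self.ext_auth.get(uname, []):
            try:
                if self.realms[realm_name].realm.check(ext_user, password):
                    return True, realm_name
                answered = True
            except RealmUnavailable:
                continue
        if answered:
            # A reachable realm said no: do not fall back to the local password,
            # otherwise a lockout on the external side could be bypassed locally.
            return False, "rejected"
        if uname not in self.users:
            # Requirement 3: unknown user, try the realms that allow auto-provisioning.
            for cfg in self.realms.values():
                if not cfg.allow_new_users:
                    continue
                try:
                    if cfg.realm.check(uname, password):
                        # The local record must exist (requirement 5) but gets a
                        # random password so the fallback cannot be guessed.
                        self.add_local_user(uname, os.urandom(24).hex(), cfg.new_user_group)
                        self.bind_external(uname, cfg.realm.name, uname)
                        return True, cfg.realm.name
                except RealmUnavailable:
                    continue
            return False, "rejected"
        # Requirement 5: bound realms unreachable (or none bound) -> local password.
        user = self.users[uname]
        if hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            return True, "local"
        return False, "rejected"
```

Two design choices matter for a deployment: a definite rejection by a reachable realm must not fall through to the internal password, or an external lockout could be sidestepped locally, and auto-created accounts get an unguessable local password, so requirement 5's fallback only works once an administrator has deliberately set one.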
Generated on March 26, 2003.
-
Postnuke 0.722 Phoenix is available PART I
(News)
-
Some features:
1.- New free banner positioning + a new banner sideblock
2.- Many fixes to pnHTML
3.- All modules and core are secured against cross site scripting and other attacks
4.- Phase I of core modules updates to pnAPI compliance is complete
5.- New visual editor with upload capabilities enabled
6.- New members list
7.- Hundreds of bug fixes
8.- New Adodb 2.50 database abstraction layer
9.- Support for register_globals = off (full compatibility with php 4.2x and above)
10.- Support for Apache 2.0.x
11.- Enhanced pnIntrusion detection system
12.- Admin settings for censor, pnAnticracker and article display
13.- New credits module added (Credits & License Information)
14.- New admin icons
15.- New Censors Module (Configure Censorship Options)
16.- Fixed xmlrpc, works with wbloggar now
more can be found on the changelog file of the current release.
Generated on December 2, 2002.
-
PostNuke 0.721/Phoenix -- Make it Your Choice!
(News)
-
Neo has worked with his usual fervor and tenacity to bring you a great release - here's what's been changed / fixed:
1.- NS-AddStory (case issues on templates)
2.- NS-Referers (bug in older 0.72 code - pre-phoenix)
3.- Themes (0.72 themes with lower case have now all been fixed)
4.- Quotes (had pre-phoenix bugs, all fixed)
5.- NS-Settings (overlooked; gzip compression and other fixes, now updated)
6.- NS-Comments (updated)
7.- Members_List (fixed an odd bug there)
8.- Xmlrpc (upgraded)
9.- All new 0.72 pre-phoenix fixes, cvs dates and user commit names are fixed and up to date.
10.- Multiple session fixes.
11.- Many multisite fixes.
12.- Added compression option in settings
13.- Stats language definitions in English bug fixed
14.- Download module fixed
15.- Comments module removed (now only NS-Comments is needed)
16.- NS-Quotes removed (Quotes is the active one)
17.- Enhanced index.php and header.php for Encompass compatibility; fixes many bugs and provides flawless compatibility with existing PN installations that have Encompass in use.
18.- All permissions of all files and directories were corrected for the tgz version.
19.- Installer script and upgrade routines updated to reflect all db changes and needed modifications.
20.- All pnTheme() calls were deprecated.
21.- Hundreds of small code fixes were applied and all latest cvs commit information was restored to all files.
Generated on August 28, 2002.
-
The Road Map
(News)
-
recently : What the majority of you want are: STABILITY, LEAN CORE, MODULAR DESIGN, A THEME SYSTEM, COMPATIBILITY, EASE OF USE.
With that in mind, while far from being hewn in stone, here's how I see the road that leads us there, and how the various aspects of PostNuke will be affected.
0.721-Phoenix : the recent bug-fix release will also include several enhancements (like new block control using standard pnThemes), as well as provide upwards compatibility for Encompass/Envolution installations (to allow those users to upgrade seamlessly to 0.721-Phoenix.) A changes list will be posted with the release.
0.725-Phoenix : to include the new Phoenix Theme Engine, based on FastTemplates, more bug fixes, more minor improvements to modules, new themes to show off new capabilities. Documentation for new features will accompany release.
0.726-Phoenix : Will include short URLs backported from 0.8, improved AddStory, comments and news system (which needs an overhaul), admin redesign, more user interface improvements throughout the system. Documentation for new features will accompany release
0.727-Phoenix : Permissions UI and functionality overhaul (looking for suggestions and ideas); Download module overhaul, start of the installation overhaul. Documentation for new features will accompany release
0.728 - 0.799 : further finetunings, improvements to the core, improvements and better integration of several modules, improvements to the installation and upgrade system, some kind of WYSIWYG editor solution.
0.8xx - 0.899 : Further Core and module separation, PN modules will be tested and converted to full pnAPI compatibility, XMLRPC in a big way, as well as client apps that allow control, third-party module devs will be assisted with conversions if needed, installation that allows customized installations, Feature requests will be integrated further. Documentation will be tackled in a big way to provide a comprehensive compendium of all information that a user and admin might need. Essential information will be bundled.
0.9xx-0.999 : BETA phase - this is when we can take what we have created up to that point and REALLY throw the book at it, and meticulously iron out any problems and bugs that might still be in there - this is the period that we tie up the loose ends, as well as ALL reported bugs. The goal is a clean, fast running, bug free application for the 1.0 release. Documentation must be in final format, with any last details amended and fixed.
1.00 - Tranquility Release : Pretty much the goal for this is to announce it, sit back, and go on a vacation - of course, that won't happen, as we expect some additional last minute tweaks to probably take us through a handful of additional maintenance releases. Still, with 1.0 I'm hoping that PostNuke will be in a state where a solid core can be configured to 'become anything', based on modules, themes and configurations. This should be the final release, or it can be taken beyond by either new leadership, or, what the heck, we may discover something new to do with it.
Now, what needs to be understood, coding and writing docs is but a part of what it takes to make the PostNuke effort a success - marketing and promoting PostNuke is an initiative that I consider to be essential to the success of this project. After all, what good is the best project, if no one knows about it.
Marketing Initiative
To that effect, throughout all phases of this roadmap, I will supervise an aggressive marketing approach to make sure that PostNuke is well-known, to assure us of getting the prerequisite coverage, and to make sure that we grow our user base by creating more awareness of the project. Some of this will be achieved via technological alliances, some of it via ancillary services, some of it via aggressive promotion, and some of it via means we haven't even thought of yet. I have some pretty good ideas how to go about doing that, but that's for another article. Consider this a call for volunteers.
Developer Rewards
In addition, since any good project is based on the fruits of equally good developers, I strongly believe that there ought to be ways and means to compensate those hard-working souls for their effort - it is therefore a priority to me to create an environment and an atmosphere that provides appropriate means for the userbase to show their appreciation of both the project and the individual developer. I have a system all worked out to achieve that, but, again, that's for another article.
Community Focus
Lastly, the community focus of this project will always be at the forefront, so expect full communication, op-ed pieces, town meetings, and more details about 'PostNuke events & news', not just from me, but others on the development team.
Oh, you ask "Who the heck is on the dev team???"
Read on - next article
Harry
Generated on August 28, 2002.
-
PostNuke 0.72, Phoenix Release
(News)
-
there are still some bugs or problems. Please report those to us directly, or in this article's comments, so we can address them.
You can download the files here:
PostNuke 0.72 Phoenix Release
PostNuke+Encompass 0.72 Phoenix Upgrade
First of all, before you do anything, be sure to backup both your site's directory, as well as the mysql database.
To perform an upgrade : there is no need to delete all of your files, just overwrite them with the files from the /html/ directory, and run 'install.php', select 'upgrade' and the script should do the rest.
For a virgin installation : proceed as you normally would with a PostNuke installation, un-archive the files, run the install.php in the /html/ directory, and follow the installation directions.
NOTE: In the case of an Encompass installation, you are required to already have an Encompass installation running and operational - in other words, you can not do an Encompass installation, just an upgrade to an existing installation.
Major kudos and appreciation to the developers that worked hard on the 0.72 release, and that made many of the improvements and bug stomping possible.
Taken from the original release article:
Special Thanks For the following people:
johnny, byron,miko,larsneo,hinrich, and ender for their ceaseless assault on bugs and PostNuke usability.
Here is a list of some of the changes
(to view the rest, checkout the changelog.txt)
ADODB 2.30 - Pablo Roca
Updated German Language files - larsneo & hinrich
chinese(zho) language translations - class_007
configurable compression support- hinrich
xml-rpc fixes - marcel
field length fixes - miko & johnny
and of course many more bugs squashed.
-Harr
Generated on August 14, 2002.
-
PN .720 Release Notes
(News)
-
Here is a list of some of the changes
(to view the rest, checkout the changelog.txt)
ADODB 2.30 - Pablo Roca
Updated German Language files - larsneo & hinrich
lowercased module names - (ender & the dev team)
chinese(zho) language translations - class_007
configurable compression support- hinrich
xml-rpc fixes - marcel
field length fixes - miko & johnny
and of course many more bugs squashed.
Full changelog can be found here.
Enjoy :)
Generated on August 11, 2002.
-
phphtmlib into PostNuke
(News)
-
SOAP. Separate objects provide information visualization using client-side technologies like XUL, XWT, SashXB or whatever else you want.
Another nice idea is to include a middleware abstraction layer in PN using XUL just to describe the visualization layer. Specialized plug-ins could provide the right conversion from XUL to HTML+CSS, XHTML+CSS, XML+CSS, XML+XSL, WML and so on...
Don't forget the power of XUL, which is also available in Mozilla 1.0 and NS6+.
Waiting for your feedback,
bye,
Luca Cappelletti
Rom
Generated on May 21, 2002.