PostNuke

Flexible Content Management System

News

PostNuke needs you: Writer wanted

Now PostNuke.com almost exclusively contains news posted by the developers themselves, but often they are more interested in developing their "babies" than in promoting them. We would like to find someone who is interested in the PostNuke "scene" and who will regularly look for interesting news on the module developers' pages. He or she is also asked to be creative and find other interesting material - conducting interviews, writing reviews of books related to PostNuke, web design, typography etc.

The role is primarily for the publication of articles here at PostNuke.com, however you can of course distribute your work to other places on the internet.

Your reward will be the community's gratitude and your personal writing training.

If you are interested, please contact: contact@pn-cms.de

Steffen Voss
vice-president, German PostNuke Foundation
pn-cms.de

PostNuke Security Advisory PNSA 2005-3

VULNERABILITIES
- remote code injection via xml rpc library

SOLUTION
It is recommended that all admins deactivate and remove the 'xmlrpc' module within Administration-Modules and additionally remove /xmlrpc.php and the /modules/xmlrpc folder completely from the filesystem.
The PostNuke CMS Development Team strongly recommends *not* using the xml rpc library until the maintainers [1] provide a secure solution. Once an updated version is available, a modularized version will be provided for download as an additional module.
Note: The upcoming .760 release will not contain the xml rpc library.

CREDITS
The vulnerability was originally found by James from GulfTech Security Research and was reported via the security contact. Additionally, the maintainers of the xml rpc library were contacted.

Andreas Krapohl [larsneo]
PostNuke CMS Development Team

[1] phpxmlrpc.sourceforge.net


Case Study - www.eurojamlive.org


So, how does eurojamLIVE! fit in?

eurojamLIVE! has been designed to allow participants and event organisers to communicate before, during and after the event. There will be 10,000 people at the event, so the website has the potential to receive a great deal of traffic over the coming months.

eurojamlive.org as a PostNuke website

PostNuke was chosen for the eurojamLIVE! website. We needed a solution that could be deployed quickly, with only a limited amount of modification. The websites for Scouting 2007 are run on an entirely volunteer basis, and PostNuke's ease of use and open source code were ideal for this.

Constructing the website

The website initially began as a standard PostNuke install. All the extra core modules that were not needed were removed, and the tables for each of these modules manually removed from the database. The decision was made to use pagesetter for most of the content, including the news functionality. We needed the workflow and template functionality provided by pagesetter but not available in the core News module. Additionally, PNphpBB2 was used for the forums, due to its extended feature set.

In the end, the site's configuration looked like this:
PostNuke Version: 0.760
Although at the time 0.760 was still in the RC stage, it was considered important to use the latest version to take advantage of sessionless anonymous users (for a performance increase) and also recent improvements in Xanthia's full page caching, which in the end proved important for the website.

Module List
  • pagesetter
  • photoshare
  • EZComments
  • PNphpBB2
  • Downloads
  • pnFlashGames
  • Weather
Blocks
  • dp-StaffStatus
Theme
  • pnfr-vx - courtesy of Chestnut, pnFrance

Custom Developments

Although nothing revolutionary was needed, a few custom developments were used.

Block Management
A fairly simple module making it easier to change the news stories appearing on the homepage. Instead of the default pagesetter block, which requires the story ID, this module allows the user to choose the story title to show, rather than having to know the ID.

Profile integration - PNphpBB and PostNuke
Better integration between PostNuke's profiles and PNphpBB profiles was needed. As a result, all the forum profile settings were moved to a link in the 'Your Account' section, with the profile link in the forums now redirecting to user.php. One further change was needed for everything to work as expected - the profile information had to be updated each time the user visited the forum index, in case they had changed any part of their profile.

The First Day

Although the site was launched on the 3rd of June, its existence was not advertised until the 5th of June at 2pm. Between then and 9pm, the site received 55,000 hits and served almost 1GB of traffic. This level of initial support was not anticipated, and there was a slowdown for a few minutes until Xanthia's full page caching was enabled. This reduced server load by more than 50%, and the site consequently rode comfortably through the initial spike in traffic. The server itself already ran the Scouting 2007 network of sites before the eurojamLIVE! launch. In an ideal world the eurojamLIVE! website would be on its own separate server; however, this is not the case, and therefore performance is paramount. In the end, I would say the server and the PostNuke website stood up to the demands quite well.


pnFlashGames Tops 5,000 Users

At pnFlashGames.com, website owners can download the pnFlashGames module and try out new games. As pnFlashGames continues to grow with traditional web users, SourceKit has seen an increase in businesses and educational institutions incorporating Flash technology and web games into their websites. pnFlashGames supplies games that are being used as learning tools, vehicles that drive corporate branding goals, and entertaining added-value features meant to drive traffic to websites.

“We were excited to see that pnFlashGames maintained its popularity among webmasters, website owners and the Flash game community and has gained new users from other industries,” said Drew Adams, managing member of SourceKit, LLC. “Now that pnFlashGames has passed the 5,000 member milestone, we are enhancing its capabilities to meet the Flash trends, which are growing to become more widely used in business and educational formats. We are excited to see how our relationship with these communities continues to grow into the future.”

In January of this year, SourceKit acquired pnFlashGames.com. The site averages over 150,000 unique visitors each month, with over 5,000 website owners registered. Once installed inside a portal system, the module enables webmasters to host Flash games and keep scores for each user. This creates new Internet communities and increases hits to webmasters' sites. Flash technology allows developers to create a web application that can communicate with the web server or database without having to reload any web pages. Flash also allows for a rich user experience, with flowing animation and sound, without the clunky overhead.

Security fix for pmBOX module

A few months ago I took the decision to release a modified version of the Portal)ZINE iMod pmBOX module by Alexander Graef [MagicX], released under the GPL and previously available on http://portalzine.de. This release was aimed at making this module compatible with PostNuke .750 and .760, but as usual when I work on a module I did a complete security audit of the module and fixed all the problems that I found.
With the release of the PostNuke Security Advisory PNSA 2005-2 fixes for the Messages module, it is clear that I forgot some issues and a fix is needed, because some parameters aren't properly sanitized in some pmBOX files.
This 2.81 version (like the 2.8 one) brings no new features, just security fixes.
It has been tested under PostNuke .750 and .760RC4.
You can download it Here.
Please note that if you want to thank somebody for this module you should thank Alexander Graef [MagicX] for releasing this module, not me, and if you want to blame somebody for a problem with this version or need some support you should direct your mails to me, because this module is no longer supported by Portal)Zine.

PostNuke Security Advisory PNSA 2005-2

VULNERABILITIES
- various missing input validations within /modules/Xanthia/ [1]
- missing input validation within /modules/Messages/readpmsg.php [1]
- possible path disclosure within /user.php [2]
- possible path disclosure within /modules/News/article.php [2]
- possible remote code injection within /includes/pnMod.php [3]
- possible cross-site-scripting in /index.php

SOLUTION
It is recommended that all admins do an immediate upgrade of their sites to v0.750b by applying the latest security fix package available from the locations listed below. Since the Xanthia-module will be updated the site's theme needs to be set to ExtraLite (or any other non-Xanthia theme) prior to applying the update. After uploading the fixpackage the modules list needs to be regenerated and the Xanthia module upgraded within Administration-Modules.
Please note the main package has been updated to include this advisory so there is no need to apply this patch if you have downloaded PostNuke after the date of this announcement.

The /index.php and /includes/pnMod.php fixes are also available for the current .760rc4a Release Candidate within the changed files only package, the main package has also been updated with the fixes.

UPDATED PACKAGES
1. PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-411.html
SHA1: 60ef6f7c93cfa638fc7d089e078db0eaa59f95b4
MD5: c40ebc31cfa3ada351dbe63f4e9a6255
Size: 2407332 Bytes

2. PostNuke 0.750 (zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-410.html
SHA1: 50edfbb3c12bed0b80413d421d1a90ff28ed0c22
MD5: 26dc0202c776f7463008c54ce8cf89b9
Size: 3501230 Bytes

3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-472.html
SHA1: d504155418ab6d07491b3a6c0d18834fe20bbefd
MD5: e472c9917e2ff237b354bdc87838c504
Size: 247175 Bytes

CREDITS
The [1] vulnerabilities were originally found by Maksymilian Arciemowicz from http://www.securityreason.com/ and were reported via the security contact. The path disclosure issues [2] were found by 'Diabolic Crac' and reported to various trackers. The remote code injection [3] was reported by Mohamad Saleh Raub from http://www.scan-associates.net to the security contact.

Andreas Krapohl <larsneo>
PostNuke Development Team

PostNuke Blocks Module "func" Directory Traversal Vulnerability

This flaw is due to an input validation error in the Blocks Module when handling a specially crafted "func" variable containing "..\" sequences, which may be exploited remotely to conduct directory traversal attacks.
http://server/index.php?module=Blocks&type=lang&func=../dir
* Affected Products *
PostNuke version 0.76-RC4 and prior
* Solution *
Patches are available via CVS:
http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnMod.php.diff?r1=1.47&r2=1.48

http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/index.php.diff?r1=1.39&r2=1.40
2005-05-17 : Original Advisory
*******************************************
This was found by my webhost and posted to my webhost's support/security forums two days ago. I just found it today. The changelogs above have a number of changes in them.
To Admin: Is this worth making a deal over?
Footnote: 1
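Both advisories above come down to request parameters (module, type, func) being used to pick a file without validation. The following is an added example, not PostNuke's own code: it accepts those parameters only when they are bare identifiers and then confirms the resolved path still sits under the docroot. The modules/<module>/<type>/<func>.php layout and the helper names are assumptions for the example, not PostNuke's actual file layout.

```python
import os
import re
import shutil
import tempfile

# PostNuke-style request parameters (module=Blocks&type=lang&func=display)
# are plain identifiers; anything else, including "../" or "..\", is rejected.
IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def validate_param(value):
    """Return value if it is a bare identifier, else None."""
    if value is None or not IDENT.match(value):
        return None
    return value


def resolve_module_file(root, module, type_, func):
    """Map validated parameters onto a file under root/modules and confirm the
    resolved path stays inside root. The modules/<module>/<type>/<func>.php
    layout is an assumption for this example, not PostNuke's real layout.
    Returns the real path of an existing file, or None on any failure."""
    parts = [validate_param(p) for p in (module, type_, func)]
    if None in parts:
        return None
    candidate = os.path.join(root, "modules", parts[0], parts[1], parts[2] + ".php")
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(candidate)
    # Defence in depth: even an allow-listed name must resolve under root.
    if os.path.commonpath([real_root, real_path]) != real_root:
        return None
    return real_path if os.path.isfile(real_path) else None


def demo():
    """Constructed docroot with one legitimate module file; returns whether the
    legitimate request resolves and the two traversal variants are refused."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "modules", "Blocks", "lang"))
        open(os.path.join(root, "modules", "Blocks", "lang", "display.php"), "w").close()
        good = resolve_module_file(root, "Blocks", "lang", "display")
        slash = resolve_module_file(root, "Blocks", "lang", "../dir")
        backslash = resolve_module_file(root, "Blocks", "lang", "..\\dir")
        return good is not None, slash is None, backslash is None
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The realpath check is deliberately kept even though the allow-list already rejects every traversal string: it guards against a future change that loosens the identifier pattern.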

Multisite Analysis and Design

The exported data then spends 10 to 15 seconds in your favorite editor, where it undergoes the search and replace routine. Substitution of the database prefix occurs in 863 edits; that count is the actual number of tables in a single install.

This number can be reduced substantially. My analysis and subsequent regret with this project was the lack of database prototyping before the final template was selected. Tables remain in this database that will never be used. This can be solved by editing the install files to generate a bare bones installation but consider this.

You will be selecting one of two choices regarding further prefix instantiation. If you start coding in the install files and sub-routines you will inevitably want to continue using the install routine to provoke your changes. The other choice I've already mentioned.

Time constraints considered, the editor is the far superior choice. Consider for some time the actual data entry required in the process. Consider the underlying protocols.

Data will have to be entered in the appropriate zone file on your DNS server. At this time you have a list of table space names you are going to use. Consider how to cut, copy and paste:

www.site1 IN CNAME site.com.

Efficiency and Quality are very important. Maintaining proper data now leads directly to less downtime in the site name order of events. Continue with your file manager now and create the directory structure you desire in the parameters folder. Consider how to best create this quickly.

mkdir .site1.site.com
mkdir .site2.site.com

At this point in the design a need arises to process the modules_var table quickly between sites on port 80. You can use your Web_Links module to link to the sites you will be editing in rapid succession by leaving one window open to the links and by clicking proceed to the new site --> admin --> settings and change the appropriate variables for the site.

I elected to use the jump box generation code that AlarConcepts provided for the project. Consider the data replication procedure carefully. Again creating a list of one hundred jump box links is best done with efficiency and quality.

Open your favorite editor once again. Open your httpd.conf file and reiterate your virtual host template. Consider the amount of data entry. You may want to use an include file in your httpd.conf. Efficiency and Quality are paramount in your data entry at this point. Replace and Paste quickly until all your selected domain concatenations are fulfilled.

Also on the SQL side you have to consider the amount of data entry and the Replace and Paste actions undergone. Personally I use vi transplanttable.sql through a shell and leave WordPad open with the data that undergoes the replacements. I leave it highlighted, quickly approve all the changes, copy the text and with one click drop it into the INSERT buffer, then move on, changing the next as rapidly as the last.

So in conclusion we have to alter the Zone file, the httpd.conf file and the dump. Once this has occurred do mysql targetdatabase < reiteratedtables.sql and watch a dump of half a million lines slam your mysqld for as long as it wants to take.

Further database analysis will reveal the number of tables present. I'm estimating around twenty-five thousand tables at present. Functionally your sites are live after the mysql import. Put the coffee on and get busy.

Change the site names and make the sites user aware by providing data to the submit_news admin module and the settings module. These are the only two places I had to visit on a fresh install to change data. Consider changing even three different modules... Work quickly. The bots are coming.
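The search and replace step of the procedure above, as an added example that is not the author's own procedure: it rewrites the table prefix only where it opens a table identifier, so values inside the data rows (which a whole-file replace in an editor would also rewrite) are left alone, and it emits the CNAME line for each new site. The nuke_ prefix, the site names and the dump excerpt are constructed for the example.

```python
import re

# Constructed excerpt of a PostNuke-style dump: tables carry the nuke_ prefix,
# and two data values happen to contain the same string.
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `nuke_users`;
CREATE TABLE `nuke_users` (
  `pn_uid` int(11) NOT NULL,
  `pn_uname` varchar(25) NOT NULL
);
INSERT INTO `nuke_users` VALUES (1,'nuke_admin');
INSERT INTO `nuke_module_vars` VALUES ('Modules','prefix','nuke_');
"""

# Statements whose first backticked name is a table identifier.
STATEMENTS = r"DROP TABLE IF EXISTS|CREATE TABLE|INSERT INTO|ALTER TABLE"


def rewrite_prefix(dump, old_prefix, new_prefix):
    """Replace old_prefix with new_prefix only where it opens a backticked
    table identifier directly after one of STATEMENTS. A whole-file search
    and replace would also rewrite the 'nuke_admin' and 'nuke_' row values.
    Returns (rewritten dump, number of identifiers changed)."""
    pattern = re.compile(
        r"^((?:" + STATEMENTS + r")\s+`)" + re.escape(old_prefix) + r"(\w+`)",
        re.MULTILINE,
    )
    return pattern.subn(lambda m: m.group(1) + new_prefix + m.group(2), dump)


def provision(dump, old_prefix, sites, parent):
    """For each new site, produce its prefixed dump and the zone-file line the
    procedure pastes by hand. Returns {site: (dump, edits, cname_line)}."""
    out = {}
    for site in sites:
        new_dump, edits = rewrite_prefix(dump, old_prefix, site + "_")
        out[site] = (new_dump, edits, f"www.{site} IN CNAME {parent}.")
    return out
```

The edit count returned per site is what the author obtained by counting editor replacements; here it counts tables only, never data values.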


International PostNuke Meeting 2005

Special Hotel offer:
Hotel Kirchner
single room: €45,-- /night incl. breakfast
double room: €70,-- /night incl. breakfast

It is a 10 minute walk, or 2-3 minutes by car, from the hotel to the location. BTW: the expected location is normally a dancing school ;-)

We don't have a schedule yet. If there are people interested in delivering a lecture, they can submit an abstract with their registration. Everything in English, please.

abstracts deadline: 31.6.
registration deadline: 31.7.

If people want to become members of Postnuke e.V.: Link

German version of the announcement: Link