-
Downloads on PostNuke.com Target of Hacker: Immediate Action Required if You've Downloaded PostNuke in the Past Three Days
(News)
-
a different server. Second, in one file there was code allowing a malicious user to execute any shell command on the web server.
As noted before, immediate action is required from everyone who downloaded the .zip package between Sunday (24 Oct) at 23:50 GMT and Tuesday (26 Oct) at 8:30 GMT.
Required Actions
1. Immediately remove the affected file /includes/pnAPI.php and replace it on your server with the original one (either from a fresh download or from http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnAPI.php?rev=1.86&content-type=text/vnd.viewcvs-markup)
2. Check the access logs for any entry containing 'oops='. If you find any such request, please contact the PostNuke Security Team via http://forums.postnuke.com/index.php?module=vpContact, providing the access log for further investigation.
3. Change your database details: username, password and, if possible, the database name.
Future Safety Precautions
To avoid downloading tampered files in the future, compare the MD5 checksum of the download with one published by an independent source, such as http://www.post-nuke.net. For those unfamiliar with MD5: it is a checksum you can use to make sure the download has not been tampered with and can be trusted. To compute a checksum you need an MD5 utility; a variety of tools (for Windows) are listed at http://lists.gpick.com/pages/Checksum_Tools.htm, and another favourite is the free, platform-independent open source project Jacksum (http://www.jonelo.de/java/jacksum/). More information about this topic can be found on Wikipedia at http://en.wikipedia.org/wiki/Md5
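The two checks above, step 2 of the required actions (searching the access log for requests containing 'oops=') and the checksum comparison against an independent source, as an added shell example. This is not PostNuke's own code; the log lines, the stand-in download file and its expected MD5 are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the PostNuke advisory or project code.
# Two defender-side checks for the incident described above:
#   scan_for_oops  - find access-log requests carrying the 'oops=' parameter
#   verify_md5     - compare a download's MD5 with an independently published one
# The log lines, the sample file and its expected checksum are constructed.

# scan_for_oops LOGFILE
# Prints every access-log line whose request contains 'oops=' and returns 0 if
# at least one was found (evidence the tampered file was exercised), 1 if none.
scan_for_oops() {
    grep -F 'oops=' "$1"
}

# verify_md5 FILE EXPECTED_HEX
# Computes the MD5 of FILE and compares it, case-insensitively, with the
# checksum taken from an independent source. Returns 0 on match, 1 otherwise.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)      # GNU coreutils
    else
        actual=$(md5 -q "$file")                      # BSD/macOS
    fi
    [ "$actual" = "$expected" ]
}

# write_sample_log LOGFILE
# Writes two constructed Apache-style access-log lines: one ordinary request
# and one carrying the indicator from the advisory (parameter value redacted).
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [26/Oct/2004:07:12:01 +0000] "GET /index.php?module=News HTTP/1.1" 200 5123
10.0.0.9 - - [26/Oct/2004:07:15:44 +0000] "GET /index.php?oops=REDACTED HTTP/1.1" 200 61
EOF
}

# write_sample_download FILE
# Writes a stand-in for a downloaded package whose MD5 is known in advance:
# the bytes "hello\n" hash to b1946ac92492d2347c6235b4d2611184.
write_sample_download() {
    printf 'hello\n' > "$1"
}
SAMPLE_MD5=b1946ac92492d2347c6235b4d2611184

# Demo run; the functions above are the reusable part.
tmp=$(mktemp -d)
write_sample_log "$tmp/access.log"
write_sample_download "$tmp/postnuke.zip"

if scan_for_oops "$tmp/access.log"; then
    echo "WARNING: 'oops=' requests found; preserve this log and contact the security team"
else
    echo "no 'oops=' requests in log"
fi

if verify_md5 "$tmp/postnuke.zip" "$SAMPLE_MD5"; then
    echo "checksum matches the independently published value"
else
    echo "checksum MISMATCH: do not install this download"
fi
rm -rf "$tmp"
```

On a real server, point scan_for_oops at the web server's access log (all rotated copies for the affected window) and pass verify_md5 the checksum copied from the independent site, not one published alongside the download itself.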
Finally, be assured we are working to find the hacker and will take any and all legal action when they are found.
About PostNuke
PostNuke is a community, content, collaborative management system, a C3MS providing webmasters with a set of tools to build a dynamically generated web site within minutes of downloading the software. It's backed by a team of dedicated, talented developers, designers, and volunteers with years of experience.
General Info About PostNuke:
Modular Structure, Customized Functionality through Third-Party Modules, Advanced User Group Permissions System, Multi-language Support (Approximately 36 Language Packs Available), Embedded WYSIWYG HTML Editor Activated on Most Text Entry Areas, Site Search, Advanced API (Application Programming Interface), Focused on High Level of Security, Easy-to-Use Guided Browser Based Installation, Easily Change/Customize Your Site's Look/Feel Through Plug-in Themes, Provides advanced content management features while promoting collaboration, communication and community around the content.
A Short List of Available Modules
News Publishing, Content Management, RSS Feeds, Voting Booth/Polls, Banners Module, Comments Module- allows other modules, including
Generated on October 26, 2004.
-
Web Accessibility - An introduction
(News)
-
Accessibility - In General
According to the German federal law on equal treatment of handicapped
persons (BGG §4), "constructions, means of transportation, technical
commodities, systems of information processing, acoustic and
visual sources of information and communicative systems are accessible when they
are accessible and usable for handicapped persons unaidedly, in the usual way
and without special difficulty."
Basically, accessible web pages aren't only accessible for the average user
at a desktop PC with the latest browser. Web accessibility takes into account not only
the various utilities that handicapped persons use to perceive a web page,
but also users with older browser versions or with special access hardware.
Some figures to give an idea of the size of this group (statistics from Germany):
10% of the male population is colour-blind. Web pages with low contrast
(e.g. black text on a dark-blue background) are practically unreadable for them,
and "press the green button to verify" is meaningless to them.
5% of the population is blind or visually impaired. They use special utilities
and hardware like Braille displays or screen readers.
11% of the population is older than 65.
5% of internet users don't use Windows, but MacOS, Linux, PDAs or cellphones.
Numerous sites, especially large ones, still have up to 20% of their users visiting through 4th-generation Netscape
browsers.
If you don't only aim at gamer kiddies with 19" displays, you should start
thinking about whom you exclude with your killer design. A blind person, for example,
who cannot use a company's internet pages will choose another vendor. But what
can a blind person do when the registration office's internet site is not accessible?
The Legal Side
Since May 1st, 2002, the ordinance for accessible information technology
(BITV) has been in effect. All federal institutions are obliged to make their internet
sites accessible, in the sense of the word used in this article. State governments are called upon to work out
similar state laws which oblige state and municipal institutions to follow accessibility guidelines.
BGG and BITV are based on the EU action plan "eEurope 2002", initiated
in 1999 and finalised in 2000 by the European Council. eEurope aims at 3 main goals:
A cheaper, faster and more secure internet
Advancement of internet use
Investment in people and skills
The latter comprises participation in information technology by as large
a part of the population as possible. Summarised under the term "eAccessibility",
access to eCommerce, eGovernment and so on is to be made possible. This was to be
implemented with the adoption of the Web
Accessibility Initiative's guidelines.
Guidelines for Practical Use
As early as 1999 the World Wide Web Consortium (W3C) released the Web
Content Accessibility Guidelines 1.0 and made them the quasi-standard for accessible
internet design. Since then many of the rules have proved too restrictive,
irrelevant, incomprehensible or simply no longer representative of the state of technology.
Some of them even turned out not to be internationally applicable.
For these reasons a version 2.0 is in the making. Since v. 2.0 is still in development, this
text will only relate to WCAG 1.
The Web Content Accessibility Guidelines 1 are split up into 3 priorities:
Priority 1: A Web content developer must satisfy this checkpoint
Priority 2: A Web content developer should satisfy this checkpoint
Priority 3: A Web content developer may satisfy this checkpoint
If you violate a regulation of priority 1, many people will be excluded. A violation
of priority 3 regulations excludes only a few. There are 14 main regulations, with
the priorities attached to all of their subcategories:
1. Provide equivalent alternatives to auditory and visual content.
2. Do not rely on color alone.
3. Use markup and style sheets, and do so properly.
4. Clarify natural language usage.
5. Create tables that transform gracefully.
6. Ensure that pages featuring new technologies transform gracefully.
7. Ensure user control of time-sensitive content changes.
8. Ensure direct accessibility of embedded user interfaces.
9. Design for device-independence.
10. Use interim solutions.
11. Use W3C technologies and guidelines.
12. Provide context and orientation information.
13. Provide clear navigation mechanisms.
14. Ensure that documents are clear and simple.
There is also a W3C-list of suggested Techniques
for Web Content Accessibility Guidelines 1.0.
Testing Accessibility
Several tools exist for testing the accessibility of your website:
http://www.w3.org/WAI/WCAG1AAA-Conformance
http://bobby.cast.org/
http://www.cynthiasays.com/
As a result you receive one of 3 levels of conformance:
Conformance Level "A": All Priority 1 checkpoints are satisfied
Conformance Level "Double-A": All Priority 1 and 2 checkpoints are satisfied
Conformance Level "Triple-A": All Priority 1, 2 and 3 checkpoints are satisfied
Internet sites of German federal institutions have to fulfil Double-A conformance.
Triple-A is recommended.
Not only for handicapped persons
A main problem with accessibility is that a web site must cater to the needs of two different interest groups: on the one
hand, handicapped persons, who already have to use the latest browser version
in cooperation with their hardware and utilities, and on the other hand, users
with old browsers.
This problem is, however, a perfect focus area for the idea behind CMSs: the separation
of content and layout. It becomes possible to detect the user's browser client and, in a manageable way, offer
a classical HTML 3.0 page or a modern HTML 4.01 page with the same content.
Practically speaking, modern web design means above all doing without tables for layout.
Tables have always been a crutch when it comes to creating layout, and more so today than ever.
Modern layout is created via CSS. A nice example of how accessible
design can be created can be found at http://www.inknoise.com/experimental/layoutomatic.php.
This also shows that accessible web sites do not have to be plain text.
Tables should only be used the way they were originally intended: for example
as an address table with columns and rows, column heads and so on. Used this way,
the tools of blind persons can also make sense of them.
Accessibility and Postnuke
Making a PostNuke site accessible is practically impossible: while themes can
easily be created with CSS, you will fail at the modules, which make excessive
use of hardcoded tables. Not until the introduction of the Xanthia templating engine
in PostNuke 0.8 will it be possible to make your site accessible for everyone.
Then you can start developing accessible templates for all API-compliant modules,
something which is currently possible only with third-party modules that use Smarty, like
PostCalendar or pnCommerce.
Until then the possibilities are limited when it comes to making at least some of your content
accessible: the AvantGo module, originally designed to make the News accessible
for PDAs, can also be used for accessibility. There seems to be an extended
version of AvantGo named Extravantgo, but during my research the download
page was inaccessible ;-)
German version of this article: post-nuke.net
Generated on October 8, 2003.
-
Rogue Release Notes
(News)
-
as always I will manage to forget about 50 changes and 50 people that need to be recognized. My apologies in advance for that.
-- Permission System -- Jim McDonald. The new system gives you unlimited depth to "user groups". Gone are the days of having the separate admin and users system. The new system unifies these and allows you to give or deny special access to any user. You can deny certain areas of your site to an unregistered user, or the entire site altogether. You can also set your groups so that even when a user registers, they have to have their group access upped by a site admin. There are really quite a few possibilities now with the user system, which will only get better by the end of the Rogue cycle.
Note, most third party plugins will need to be upgraded to the new system, hence the need for the preview. Any third party plugin that uses the admin will definitely need to be upgraded with the new permissions.
-- DB Abstraction -- Ryan and Pablo -- Ryan did the hard part with the original abstraction in PEAR, and then we changed directions and went with ADODB. The abstraction is done in a very professional manner and does not add much weight to the script. As Ryan went through the original time he also cleaned many of the queries that we were using, which has improved performance greatly! Pablo is now the ADODB expert, and has also written a great guideline for developing with ADODB and is posted in the sections on this site. We are hard at work to make the install file ADODB compliant as well, with Rogue.sql's coming for supported DB's very soon.
-- Multi-Sites -- Sebastien -- The long talked about MultiSites mod is here. What this does is allow you to run a single codebase with several different domains. We run it on this site, and it works quite well! All of the support sites and postnuke.com all run off the same single instance of postnuke codebase. This allows for very quick updates, and global changes through sites. It's also an excellent tool for ISP's or small companies that would like to offer hosting. Read the docs in the multisites module. Great work on this one!
-- Language tool -- Pascal -- For those of you that work hard on the translations for your PostNuke site, there is a new tool for you. The language module goes through and finds the missing defines in your language files and generates a report and a temp directory for you. It's a great tool, and I have just begun to play with it.
-- Wiki and bbcode -- Sebastien -- Still working on this a bit, but you can now use wiki code formatting with your article submissions.
-- Install writes to config.php -- Scott. A long-asked-for feature. The install file now writes to the config file during installation. This only works for fresh installs currently, but we will get it working for upgrades as well. With the install writing to the config file, we have also encrypted the SQL password and username, to harden security a bit.
-- MD5 Passwords -- Alley -- Now all passwords in the users table are encrypted with MD5. This is much tighter security for you Windows folks out there, and better than the old crypt method as well. Now with the admin table gone, your admin users have their passwords encrypted.
-- index.php redirection -- Tim (I hope I didn't forget who did this!) -- As you notice, the index page now doesn't redirect to the modules start page, it simply loads it. You still have the option of selecting your start page.
-- New admin schema -- Pascal -- Still a work in progress, but we are moving away from the multiple links / case / module files for admin modules. An example can be found in the language module.
-- Better theme arrays -- Jim -- I posted the doc on this yesterday, but take a look at the PostNuke theme for them in action. Very elegant code!
-- user.php modularized -- David. The new system is very much like the current admin system. David did a great job in modularizing the user.php file so now you can have custom user modules.
-- MPN Upgrades -- Michael -- Upgrades from MyPHPNuke now available, along with upgrades from PHPNuke 5.2 and 5.3.
Enjoy the first release of the Rogue Series. There is quite a bit more coming in the Rogue Series so fasten your seatbelts.
The ChangeLog can be viewed her
Generated on December 2, 2001.
-
Rogue Preview on the Streets
(News)
-
as always I will manage to forget about 50 changes and 50 people that need to be recognized. My apologies in advance for that.
-- Permission System -- Jim McDonald. The new system gives you unlimited depth to "user groups". Gone are the days of having the separate admin and users system. The new system unifies these and allows you to give or deny special access to any user. You can deny certain areas of your site to an unregistered user, or the entire site altogether. You can also set your groups so that even when a user registers, they have to have their group access upped by a site admin. There are really quite a few possibilities now with the user system, which will only get better by the end of the Rogue cycle.
Note, most third party plugins will need to be upgraded to the new system, hence the need for the preview. Any third party plugin that uses the admin will definitely need to be upgraded with the new permissions.
-- DB Abstraction -- Ryan and Pablo -- Ryan did the hard part with the original abstraction in PEAR, and then we changed directions and went with ADODB. The abstraction is done in a very professional manner and does not add much weight to the script. As Ryan went through the original time he also cleaned many of the queries that we were using, which has improved performance greatly! Pablo is now the ADODB expert, and has also written a great guideline for developing with ADODB and is posted in the sections on this site. We are hard at work to make the install file ADODB compliant as well, with Rogue.sql's coming for supported DB's very soon.
-- Multi-Sites -- Sebastien -- The long talked about MultiSites mod is here. What this does is allow you to run a single codebase with several different domains. We run it on this site, and it works quite well! All of the support sites and postnuke.com all run off the same single instance of postnuke codebase. This allows for very quick updates, and global changes through sites. It's also an excellent tool for ISP's or small companies that would like to offer hosting. Read the docs in the multisites module. Great work on this one!
-- Language tool -- Pascal -- For those of you that work hard on the translations for your PostNuke site, there is a new tool for you. The language module goes through and finds the missing defines in your language files and generates a report and a temp directory for you. It's a great tool, and I have just begun to play with it.
-- Wiki and bbcode -- Sebastien -- Still working on this a bit, but you can now use wiki code formatting with your article submissions.
-- Install writes to config.php -- Scott. A long-asked-for feature. The install file now writes to the config file during installation. This only works for fresh installs currently, but we will get it working for upgrades as well. With the install writing to the config file, we have also encrypted the SQL password and username, to harden security a bit.
-- MD5 Passwords -- Alley -- Now all passwords in the users table are encrypted with MD5. This is much tighter security for you Windows folks out there, and better than the old crypt method as well. Now with the admin table gone, your admin users have their passwords encrypted.
-- index.php redirection -- Tim (I hope I didn't forget who did this!) -- As you notice, the index page now doesn't redirect to the modules start page, it simply loads it. You still have the option of selecting your start page.
-- New admin schema -- Pascal -- Still a work in progress, but we are moving away from the multiple links / case / module files for admin modules. An example can be found in the language module.
-- Better theme arrays -- Jim -- I posted the doc on this yesterday, but take a look at the PostNuke theme for them in action. Very elegant code!
-- user.php modularized -- David. The new system is very much like the current admin system. David did a great job in modularizing the user.php file so now you can have custom user modules.
-- MPN Upgrades -- Michael -- Upgrades from MyPHPNuke now available, along with upgrades from PHPNuke 5.2 and 5.3.
Damn, I know that I am forgetting a ton of new features (Probably big ones!) but my fingers are killing me now. Documentation on the permissions can be found in the online help screen in the admin. Be careful setting up your permissions! Documentation for developers for Rogue themes, modules, etc can be found on the sections in this site and Steve has also been adding documentation to the official documentation site. Enjoy the preview!
The ChangeLog can be viewed her
Generated on November 26, 2001.
-
Mutant Dot Sixty-Four Released
(News)
-
asked to assemble a change log since the last release. That change log can be viewed here. As you can see it is pretty extensive.
What we have done is added quite a bit behind the scenes that will probably be transparent to you. However, the performance should be something that you will find at least a little better. I am going to list just a small portion of the changes (mainly because my memory is going, and I can't remember everything we have done in the past month).
New Language System -- Credit to nexia, adam_baum, and Sam Luxford-Watts. I've already left out a message on the new system last week, but this is pretty impressive to announce again. There is now a very small global file, with several files that are only used on specific page views. What this means to you is that on a normal pageview instead of your server parsing a 100k file, it is only parsing a 10-20k file and then the specific translations for that page.
Remember, there are some negatives, mainly that all the previous translations now have to be re-done. Work has already begun on that and there are now 2 language files on SF (German and Thai) by Jan Hübener and Prateep Kulapalanont. It's a start, and as folks send me translations I will add them to our SourceForge page.
New Admin System -- Credit to Patrick and adam_baum (hope I'm not forgetting anyone here!) Goes hand in hand with the language system. We had to have a solid way of using file specific translations and this is what we came up with. This also goes a very long way to making the modules system a true plugin system, where all you have to do is drop the modules that you want to install in a single folder.
New Install File -- Credit to dacia and Michael. Michael cleaned up the mess that we had made with the install file and made it a modular system. It is very fast now, as well as a little nicer to look at, with slightly easier directions to follow.
Text Sanitizer -- Credit to Michael again -- This is a system that myPHPNuke has been using for quite some time. We have integrated it into PostNuke because, quite frankly, it works better than what we were using. With that system, we are also close to having a myPHPNuke upgrade file ready for release.
Include_Once problem -- Credit to Patrick -- There were some problems with the previous release because we were using include_once commands for our mainfile.php. Patrick solved the problem with a custom function so the script should now work with all builds of PHP4.
AutoLink enhancements -- credit to Jens -- Jens made quite a few enhancements to his already great system of autolinking. This system is now a bit more user friendly, but also takes the place of the article.php key word linking.
Ability to choose a custom start page -- credit to Sascha -- A very popular request that we listened to. You can now choose the page that you want to be displayed on your index page. Very cool feature.
Image consolidation -- nexia -- nexia trimmed the images that were no longer used out of the system to make the download of the package a little more reasonable.
Sebastien has also done quite a bit towards running multiple sites off of one codebase. There are still some problems to iron out with that. Jun, besfred and Sascha also deserve some mentioning here for some of the wonderful work behind the scenes. They have all been working very hard on securing the script as well as some very nice performance enhancements. Let's also not forget Isaac and his work in the chat room with the support. Real nice job there, along with everyone else that is helping out!
I apologize to all the people that I didn't mention in this post. Everyone has done a wonderful job, but my fingers are about t
Generated on October 8, 2001.