-
Sitemaps Autodiscovery
(News)
-
Comprehensiveness and freshness are key initiatives for every search engine, and with autodiscovery of sitemaps, everyone wins:
· Webmasters save time with the ability to universally submit their content to the search engines and benefit from reduced unnecessary traffic by the crawlers
· The search engines get information with regards to pages to index as well as metadata with clues about which pages are newly updated and which pages are identified as the most important
· Searchers benefit from improved search experience with better comprehensiveness and freshness
In addition, Ask.com is now supporting submission of Sitemaps via http://submissions.ask.com/ping?sitemap=SitemapUrl.
Of course, neither autodiscovery nor manual submission guarantee pages will be added to the index. The pages must meet our quality criteria for inclusion in the index. And use of these submission methods does not influence ranking.
I will be talking about today’s announcement (along with my counterparts at Google, Microsoft and Yahoo!) during the SiteMaps and Site Submission session at SES in New York later this morning. If you aren’t able to join us, more information is available at http://www.sitemaps.org and http://about.ask.com/en/docs/about/webmasters.shtml#22.
We are excited about our participation with the Sitemaps via robots.txt protocol and look forward to our collaboration with Google, Microsoft, Yahoo! and others in furthering important initiatives that make search easier for webmasters and more powerful for users.
Source: http://blog.ask.com/2007/04/sitemaps_autodi.html
Generated on May 3, 2007.
-
Development Update, March 2007
(News)
-
Dot 8 evolving: language files progression and legacy functionality
Thanks to the testing of the community users (yes, YOU!), some legacy functions (residing in /includes/legacy/ have been updated by Simon to solve some bugs. This is another proof that we do need everyone to test the releases and help not only yourself to make this release a success! The following files have also been marked 'deprecated', with an accompanying comment in the DocBlock: admin.php, backend.php, banners.php, error.php, modules.php, print.php and user.php. These files shall be removed in the next (post-dot8) major release.
The overhaul of language files has also applied to the Groups, Theme, Users and Profile modules. These modules now have better multilingual options and (by using the pnML function), making it a lot easier to translate the package and showing better logic in grammar for localisations. Furthermore, lots of open bugs have been solved and the templates have been revised also. For example, the emails sent by the Users module can now be adjusted by just editing a template!
David Nelson has offered to completely review the language files for dot8, and we all have to thank Olaf Fichtner for helping revamp the current language constants. The PostNuke Languages Project is actively following the development!
Important change in the language strings is the use of the _CREATEDBY / _CREATEDON and the _UPDATEDBY / _UPDATEDON constants. For better support in other languages, these are replaced by the following:
'_CREATEDBY', 'Created by %username%'
'_CREATEDON', 'Created on %date%'
'_CREATEDBYON', 'Created by %username% on %date%'
'_UPDATEDBY', 'Last updated by %username%'
'_UPDATEDON', 'Updated on %date%'
'_UPDATEDBYON', 'Last updated by %username% on %date%'
and can now be accessed through the normal pnml plugin in the templates.
System modules: pnForm and PageLock
Jørn has moved the pnForm framework to it's own module location within the system directory. Major reason for this is to properly save some pnForm specific javascript and style files. Usage of the module should be quite the same. In addition, some new context menu plugins have been added. These plugins create a popup menu to be used as a right-click context menu. More information can be found in the added files in the pnForm plugin directory, and at the pnForm Wiki Pages.
Also introduced by Jørn is a new system module. The PageLock module is a module that helps enforcing single user access to a specific page, by blocking access to other users when one has it open.
Example: User A opens article X for editing. This is registered on the server. User B tries to open article X for editing too. But as soon as the article editing window is opened, it is overlayed with a transparent dark film and a box in the middle tells the user "Sorry this page has been locked by user A - please wait or come back later".
Functionality: The lock is maintained by an Ajax plugin that keeps pinging the server as long as user A keeps the editing page open. When user A closes the window then the pinging stops and the lock times out. If user B chooses to wait then his page keeps pinging the server for the release of the lock (also Ajax) - and when that happens he gains access to the page. The module can be used on all pages that edites a single item - articles, user data, news items, book pages, permissions settings - you name it.
To use this system, a module author has to use API calls in their own code for adding or releasing a block: pnModAPIFunc('PageLock', 'user', 'pageLock', ...) and pnModAPIFunc('PageLock', 'user', 'releaseLock', ...). To see al this in action, grab the latest nightly snapshot and play around with the HowtoPnForm module: edit a recipe in one browser, and try to edit the same in another browser.
ValueAddons modules: Members_List and EZComments
The Members_List module has been revised by Mark West, with some added configuration options. It is now possible to set the number of (allowed) registered users, and some new blocks (featured user last seen and last x users) have been added. Check out the latest nightly build to see the functionality and options.
Mark has now finished the integration of categories into the user side of the Reviews, Pages, FAQ and News modules. This way, migration of .7x categories into the new Categories module is now supported and can be tested by our users who want to upgrade their .7 site to .8.
Finally, there have been added configuration options for categorization and category titles in the permalinks with these modules.
One hot issue at the moment is the increasing amount of spam that is on lots of websites at this moment. More and more features are to be found on the internet to prevent spam showing on your site. Akismet / Bad Behaviour are one of these. As some already know, Akismet has been applied in EZCommnents for a while. For testing purposes, Mark has implemented a bad behaviour (http://www.bad-behavior.ioerror.us/) function also for testing purposes (as Steffen has found that this could also be a good application). It does need some code hacking to pnApi.php at this moment, so only advanmced users willing to help integreating this feature are invited to test this and report any iussues to the EZComments tracker at the EZComments NOC project page.
Core and API: ThemeUtil and Categories
The pnTheme system has now been converted to the ThemeUtil class. With this conversion, all occurences in the core were updated too. Both the old and the new file are loaded in pnInit for backwards compatibility, but the old file (onTheme) and its functions are now marked as 'deprecated' and will be removed in the next major release.
Also added to the new ThemeUtil is a getModuleStylesheet method which contains the logic from the modulestylesheet plugin. You can do PageUtil::addVar('stylesheet', ThemeUtil::getModuleStylesheet('modulename')) to include the value of pnModGetVar('modulename', 'modulestylesheet') or style.css (in this order) or PageUtil::addVar('stylesheet', ThemeUtil::getModuleStylesheet('modulename', 'special.css)) to include the special.css file in your rendered page.
While unnecessary for correct functioning of the website, one is now allowed to turn off session regeneration completely. This is added because it may be helpful with a couple of undecided bugs in the tracker at the moment.
Module Development: information for 3rd party Devs!
Axel introduced a very nice application called EasyDist. This allows you to create your own PostNuke package easily. You can find it at modulestudio.de. It is still in a very early stage, but you should get the idea. This is all still in development fase and is just for testing purposes at this moment.
A preliminary for the (automatic) creation of packages using EasyDist is that module authors package their modules in a standard way. Right now, there are different file structures in the ZIPs or TGZs the authors distribute. We came to the conclusion that the preferred file structure inside the archive should be - modules - MyModule - pnuser.php etc so that an unpacked archive could be copied inside the pnroot. More information is in t
Generated on March 21, 2007.
-
Development Update, February 2007-02
(News)
-
release, and some is part of the current nightly build from SVN. The items that are part of the MS3 package are indicated with a (*).
Installer and upgrade path
The installer for .8 now also checks for a web-user writable pnTemp directory. Before, only it's subdirectories had to be writable. However, more and more modules need a (temporary) writable directory of their own (for example cache directories for image creation or rss feeds). With a writable pnTemp, these modules are now easily allowed to create that directory themselves if it does not exist. (*)
The upgrade path from the historic .7 family has been updated: Some code has been added to migrate blocks placements into the new block_placements table. (*)
Furthermore, old style (legacy) blocks can now be stored in the /config/blocks directory. The specific files do need to be copied manually from the old /includes/blocks directory to it's new location. (*)
Core (API) and environment variables
In the core pnAPI, get_magic_quotes_runtime() was called lots of times for different purposes. With an internal caching method, the result is stored in the global PNRuntime array. Big advantage is that the site's speed has been significantly improved. (*)
Robert has added an enhancement to allow the pnSessionGet/Set/DelVar functions to accept an (optional) path argument (arguments 'autocreate' and 'overwriteExistingVar'). This will allow for easy setting of complex array structures. The change only adds extra arguments to the existing functions and are backwards compatible. At this moment, no direct usage has been committed yet.
PostNuke Object library
At this stage of development, a lot of changes are (and have been) made to the object library. Most of them are 'simple' bug fixes, but some changes are worth mentioning here (additional functionality or changed methods).
In the DBUtil class, there now exists a new method to increment a field with the function incrementObjectFieldByID. This can be used by module authors for updating read counts of content items for example. (*)
Additionally, the function selectScalar has been added (which takes a SQL quesry as argument). This is mostly useful for places where you want to do a "select count(*)" or similar scalar selection.
The utf8 conversion functions (convertFromUTF8 and convertToUTF8) have moved from AjaxUtil to DataUtil when solving a bug to keep the users input in Ajax driven fields as they are intended.
While solving a Google AdSense script bug, where the script tags were automatically cleaned by the safeHTL output filter, a new feature has been added to FormUtil: Before cleaning posted input on an already installed site, the FormUtil now checks if the current user has overall admin permissions. This allows site admins to input potentially harmful tags (javascript for example), but it's their site after all!
Jörn has improved CSS style handling in pnForm plugins, as he has changed some pnForm classes to be derived from pnFormStyledPlugin, which in itself is derived from the original pnFormPlugin.
Because it's better to read the languages directory first for available languages and compare that result against the full list of languages in stead of the other way around, the LanguageUtil has a new function getInstalledLanguages. This now significantly reduces the number of directory checks.
To ensure that most commonly used plugins are found as early as possible, the order in the pnRender class, where the system is searching for plugins, has been modified. The current correct order for the 0.8 distribution is:
system/pnRender/plugins
system/Theme/plugins
config/plugins
current theme-directory/templates/modules/$module/plugins
current theme-directory/plugins
current module-directory/pntemplates/plugins
Furthermore, two new variables can be added to the rendered output page using the PageUtil class. First is 'description', which is default set to the current site slogan. Second is 'footer', with the ability to add custom content just prior to the closing body tag. The latter function is applied as an outputfilter.
Finally, an additional parameter 'display' is added to the pager plugin, which can be set to either 'page' or 'offset'. This is (why am I explaning, isn't this rather self-explanatory?) to allow paging by pages, rather than offsets. It also mirrors the 'show' parameter that exists in many templates (based on the example module) but was never actually implemented.
Last but not least, the Theme class has now added support for a filters section in a page configuration file. This allows for loading of, in the first instance, custom output filters. Note there is no user interface to the functionality the moment.And, why not, the Atom theme has been updated to Atom 1.0
Module modifications
The following modules have been updated for improved .8 compatibility, or just to make administering those modules easier.
The User module now has the long awaited alpha pager for browsing users. (*)
All occurences of the block rendering APIs (read by the Blocks module) have changed from the old style call "return themesideblock" to "return pnBlockThemeBlock". (*)
To the Settings module there has been added a configurable separator for permalinks (*)Furthermore, a switch to globally disable JS Quicktags (which adds a set of buttons for common html tags to enabled textareas) is now part of the Settings module. (*)
Both the Ratings and the Multisites module are modified to meet the new standards of coding and templating. Work still needs to be done to both modules, so testing functionality for these modules may not be that worthwhile as yet. (*)
The Theme module takes over from the Xanthia module in an upgrade. This doesn't mean that it is not Xanthia anymore: it still is actually the Xanthia 3.0 engine (*).
To the Recommend_Us module a display hook has been added. This will add a list of social bookmark links, like the Diggers plugin also does.
Language files overhaul
The language defines in some modules have been reviewed and adjusted to the naming conventions of .8 (see also Dev Update 2006-06). This means that module-specific language defines start with a module-name specific prefix. Additionally, some new general language strings (using the pnML function) have been added to the core language file. The major effect this will have is to subtantially reduce the number of strings that need translating.These changes are applied to the following system modules: Admin, Admin_Messages, AuthPN, Blocks, Mailer, legal, Settings and SysInfo. ValueAddons modules will follow later.
PostgreSQL DBMS testers wanted
The .8 DBUtil class, as mentioned many times before, makes it possible to run PostNuke on different DBMS platforms, like PostgreSQL,
Generated on February 20, 2007.
-
Development Update, January 2007-01
(News)
-
be productive and succesfull for all of us. And of course: a finished .8 version of PostNuke is something we are all waiting for.
MileStone 3 is waiting around the corner: A feature freeze so far has speed up the progress and only a few bugs are blocking a release. The next development update will probably be submitted after the MS3 release.
OK, here goes!
API functionality
Introduced is a pnShutDown function to gracefully terminate the application framework. This now replaces all use of exit or die and also fixes some oddities caused by PHP's shutdown process.
Mark has replaced all old themesideblock function calls with newer API call pnBlockThemeBlock. Furthermore, he has added a raw text option to the PageUtil::registerVar (former pnPageRegisterVar) system.
The AjaxUtil is now using internal json_encode() if PHP >=5.2.0.
Object Library and classes
For the SessionUtil / RandomUtil, Drak has put his hands on improving the randomness in the generation of the AuthKey and passwords. This is done by extending the possibly characters used, and the length of the key (length also now being random).
Also, the AuthKey generation makes now use of the (updated) RandomUtil class. A big advantage is that the random data generation is done in one place, so a change will affect the complete system. This is actually with the complete Object Library: changes can be made in one place with the benefit that all calls are updated.
The DBUtil has now a renameTable method and a renameColumn method for easy manipulation of table properties without having to worry about SQL code. The latter (renameColumn) is a quite new function, so there may be some adoDB bugs.
Finally, pnPage.php is converted to the PageUtil class. This means that any 3rd party module developers should update their modules to make use of the new class. A call to (for example) pnPageSetVar('title', $title_var) must be updated to PageUtil::setVar('title', $title_var). The pnPage.php does not remain for backward compatibility. Examples for the needed changes can be found in SVN submission 21099. The Wiki documentation for Page variables still needs updating however.
pnForms: functionality and documentation
Jørn has been updating the pnForms toolkit extensively. Most important is hat the documentation in the files is more complete, and the Wiki documentation page has been updated. A summary:
Added authkey checking to pnForms.
Added min/max validation for integers.
Changed "classHtml" to "cssClass" in "pnForm" plugin for consistency with the other classes.
Added a language selector "pnFormLanguageSelector".
and much more...
All plugins now render unknown parameters "as is", so you can add "onclick" and such like that the system doesn't know of.
System modules: Categories, Search and Blocks
In the Categories system, there has been added support for a 'field' parameter.
The search module is as good as finished, and also displays a sum of all search hits too. An additional parameter is added to allow for searches that aren't going to be performed on a DB. Finally, it is now possible to search in RSS feeds.
The Blocks module has been updated, and now has a user friendly functionality for drag-drop between block positions and placements in one screen. This is done with Ajax technology (thanks Frank for simplifying and enhancing this), so javascript should be enabled to use this (non-js fallback available). Furthermore a XML/XSL block has been added (a generic xml/xslt block and modifier).
ValueAddons modules
Faq: implemented custom short url handler and permalink structure
News: implemented cache handling
Feeds (was RSS): implemented categorisation in admin panel, added short url handler, added title field.
Also, the RSS module is renamed to Feeds to better reflect it's purpose and to prevent clash with rss theme when using directory based URL's.
TinyMCE: Upgraded tinymce to v2.0.9
Reviews, Referers, Stats: Converted to API and pnRender compliant module, updated table management code.
pnRender Plugins
Mark has added an output filter in order to auto-magically title the administration pages, which makes navigation a bit easier.Also, A
Generated on January 21, 2007.
-
PNSA 2006-3 - PostNuke Input Validation Vulnerability
(News)
-
Severity
Critical
Impact
Directory Traversal
Vulnerabilities
Directory traversal vulnerability in error.php in PostNuke 0.763 and earlier allows remote attackers to include and execute arbitrary local files under certain circumstances via the PNSVlang session variable which is included by error.php.
Credits
Kacper
Solution
Users should immediately update to 0.764. PostNuke versions 0.764 and later are unaffected.
PostNuke 0.764 Downloads
see Release Announcement.
Andreas Krapohl [larsneo]
PostNuke CMS Development
Generated on November 21, 2006.
-
Development Update, November 2006-05
(News)
-
New teamlist member: Ammodump
Ammodump was asked to join the team. As quoted from his introduction in the team: "I enjoy being a community member, and that often my comments hold weight. Sometimes my comments and advice are misguided, but sometimes it is hard to understand others questions ;-) ". With two main hobbies (PN and beer), Ammodump seems to be born for the support team here at the community website.
Remote code injection problem
As some people already know, there is a remote code injection problem with the language parameter as mentioned in the Feedback Forum. Both the .7 and the .8 versions have been updated to fix this security vulnerability, so everybody is urged to upgrade their PostNuke version to the latest release (see also Release Announcement). Some background information: The FormUtil::getPassedValue() function also accepts an input vector GETPOST now. It allows to ensure that the contents of _COOKIE are not taken into account when you get data (as it would be when you go through _REQUEST). The input domain is limited to _GET and _POST and not through _REQUEST / _COOKIE anymore. This is applied firstly to the newlang and thistheme parameters, and has been (and will be) applied to the rest of the core functions additionally.
Session handling
Some features have been added to the session handling in the core system:
Session id regeneration (random and on login/logout), making it even more difficult to hijack a session. This has been achieved without any extra writes to the database, so the feature has no overheads.
The ability to rename the session variable (always was POSTNUKESID), and changing from session file storage to session db storage has been enhanced.
Auth-id check to the user login screen (and block) - this has introduced a login bug which has been entered into the bug tracker and will be fixed by the release of MS3.
The session regeneration options are available in the (upgraded) Settings module.
Also fixed for both the 0.764 release as well as the 0.8 release are some PHP >= 5.2.0 issues due to session handling (See the forums, credits to fredatwork). It seems to solve the problems with PostNuke installations running on 5.2.0 or higher.
Minimum MySQL and PHP versions
The minimum version for MySQL has been raised to 4.1.x, due to some installer problems that are related to old 3.x databases. See also MySQL's lifetime philosophy at Planet MySQL. Due to security reasons, the recommended minimum php-version is at least 4.3.10.
Installer
Now fixed are some install problems with register_globals ON. In addition, there has been added a check for register_globals at the .76x install process for information only. The installation of PostNuke on these environments is nevertheless still possible. Sync with the .8 installer is to be done.
System and core modules
The internal variables statusmsg and errormsg are now arrays: it is now possible to capture (and display) multiple errors. Therefore, pnGetStatusMsg() is renamed to pnGetStatusMsgs() and LogUtil::getStatusMessagesText().
Float handling returns from Ajax has been discussed within the team. It appears that floats in the Non-US locales did not correctly set the decimal delimiters. Therefore, the locale has been set to en_US to ensure this. A solution for writing floats to the DB is still pending.
Robert has added the encryption / decryption methods, using the mcrypt library function, for use in the API.
In the Theme module, the plugins for showing the sitename, slogan and complete title have been altered to use multilanguage support.
The Settings module has some nice dynamic interface elements added to the Security and General function types, increasing useability in this one.
The magic_quotes_gpc recommendation for .8 has been changed. It should be off in stead of on. According to php security group, this feature is inconsistent in blocking attacks, and can in some cases cause data loss with uploaded files. Besides the revert of magic_quotes_gpc recommendation, the SysInfo module now also checks for allow_url_include (new in PHP 5.2) and the suhosin patch/extension.
Finally, all variables retrieved through FormUtil::getPassedValue() are now cached
ValueAddons modules
The Pages module now displays the category that each page belongs to in the overview.
The Error module (or Error handler, where error pages within PostNuke are handled) has been undergoing some changes. System errors, forbidden / not-found errors and specific API errors have their own templates and level of error reporting. A no-auth error will result in a more suitable 403 response rather than a 200-response with a status message. As a result, a lot of code has been altered to correctly use the new Log- and Error message handling.
The Wiki module has been renamed to more suitable 'Wiki_Code', as this module is a transform hook to enable Wiki formatting in content items.
The ExampleObj module has been reviewed, revised and updated by Robert. It should serve as a good example for any module writers
Generated on November 20, 2006.
-
PostNuke 0.800 Milestone 2 Released
(News)
-
Those wanting to use categories in their modules can build off the quotes module.
The quotes module supports multi-categorisation, one of the major changes from MS1,
and use of the categories system has also been implemented in other core modules.
We encourage third party developers to use this system for its ease of use and
centralised approach, which is important to both developers and site administrators
alike.
PostNuke 0.8 MS2 should also be the fastest PostNuke release yet. A further query
has been removed from the sessions code, reducing page load times, and this coupled
with the new theme engine and further enhancements across the core should result in
favourable page load times compared with .762.
A great deal of progress and a number of important changes have been made since the
release of MS1 earlier this year, so your testing is appreciated, but MS2 is still
not suitable for a production environment.
As ever, please report bugs to the
Bug Tracker.
Generated on September 29, 2006.
-
Development Update, September 2006-02
(News)
-
Design Team
In the past we've discussed the option of having an official 'design team' to work on the core templates and themes. The aim for this team is to enhance usability and aesthetics of the core PostNuke distribution, add further template improvements, write a dedicated admin theme and maybe write an official styleguide for module developers. This idea has been brought up again and the search for members for this team has been started.
Changing the Module names
A mechanism has been added to allow module developers to rename their modules while retaining the existing module id. Before, the modules db had to be handled manually and documentation covering how to rename the module had to be written. Or users had to backup data and then remove the old module and add the new one. In short: "Who wants to do this?"
So you can now add your old modulename to an oldnames-array in pnversion.php and the modules module will detect the relationship between the two modulenames, updating the database accordingly.
The rationale for looking at this now is that there exist a few modules that have misleading or confusing names. Also, the development team would like to encourage module developers to drop the pn prefix for modules. An exception for this are the modules that also exist as a stand alones, like pnWikka, pnMantis, PNphpBB2, ...
For renaming of tables, the a module author can raise the version number and write the appropriate "copy code" for his tables.
Icon sets
The aim of the pnicon plugin is to have multiple icon sets in the future without worrying about image filenames like when using the pnimg plugin. The pnicon loads the icon set config.php file, and selects the filename of the image by a 'type' parameter passed to the plugin.
Comment Spam
In the last couple of weeks, many posts have appeared on the community forums about spammers that login and post comments with their credentials obtained from the user registration mail. To prevent this, a check has been added for the useragent during registration at the User and NewUser module, which is an additional protection against spam-accounts by PERL agents like lwp and libwww. Of course, this is not a guarantee that these kind of registrations do not happen ever again, but it should at least help to prevent it.
Also (but still in test phase), optionally a question can be added to the registration process (comparable with the anti-spam option in formicula 1.0). This Q/A combination is freely configurable in the user administration.
For more information, discussion and Proof of Concept, please visit the forum.
System updates
The Profile module has now enhanced client-side (using prototype-driven validate.js) and server-side (to show messages on the same page) input validation.
The Extended Menu Block supports sorting via drag&drop (using scritaculous) and a utility link is also present in the menu to automatically add the current URL to the extended menu block. This is of course restricted to administrators only. It is also planned to make tree menus using this block.
The categorisation within the Admin area has been changed to a more logical sense. There now exist 7 categories:
'System': Admin Panel, Mailer, Modules, Settings
'Layout': Blocks, Themes, pnRender
'Users': Permissions, Groups, Users, Profile
'Content': Admin_Messages, Categories, legal, Search, blank
'3rd-party': Empty categorie for newly installed modules
'Security': SecurityCenter, SysInfo
'Hooks': Censor
ValueAddons updates
The Sections module has been renamed to the (more suitable and logical) Pages module. Intuitively, this module does what one might guess: serve static information on different pages.
The Top-List module is currently hardcoded to working with just the core modules, and planned is to move it to some sort of plugin architecture (using special plugin API files and call specific functions in them). This is in progress.
Miscellanious updates
We now have a html installation guide with a CSS based on http://community.postnuke.com, and an html upgrade guide is separated from it in its own document. Second, the legacy file config-old.php is removed from the repository. Furthermore, there were some problems when adding the pnTemp directory in config.php as an absolute path. This has been fixed in the current SubVersion repository, there shouldn't be any problems now. Finally, the sessions table is now smaller and session processing should be faster as one SQL query was removed per page-load. Users are now notified when their sessions have expired. This was previously done silently by the garbage collection (GC) routine which meant that a user could also remain
Generated on September 4, 2006.
-
0.8 Development Continuted...
(News)
-
New Blocks Module
The new blocks module designed to work with the recoded Themes engine has been committed to CVS. This new module, while fully working will probably undergo some enhancement before the release of .8 MS1 with use of the new Ajax library a priority. All block management is now fully integrated with the Blocks module, from block position tags to assigning blocks to block positions. Despite these new additions, the block management interface remains fairly simple and intuitive, improving usability over the .7x block control system.
PostNuke Ajax Framework
Also newly committed in the past few days is the PostNuke Ajax framework. This framework is already in use within the Permissions module as a demonstration of what can be achieved. PostNuke's Ajax implementation is based around the prototype.js script and script.aculo.us libraries, which as well as providing nice visual effects are fairly easy to implement for the module developer. This framework was made possible in .8 through core changes to the pnInit() function, which can now be passed a parameter determining what parts of the core should be loaded. In the case of an Ajax framework it is important to limit the initialisation process to an absolute minimum of components for performance reasons. Again, with this in mind each module that wishes to use Ajax functionality should use a new Ajax entry point 'pnajax.php' in their modules. This reduces the number and size of files that are loaded with each Ajax call, but does not prevent you from calling other functions in your module should you require them.
Full documentation on how to use the Ajax Framework should be available with the final .8 release, however in the meantime developers are invited to update their CVS copies and look at what has been achieved so far.
Permissions Module Ajax Enhancements
For some time now, the Permissions module interface has been far from ideal, especially on sites where you have large numbers of permissions. In this situation, the PostNuke Ajax library can be put to very good use, as demonstrated by the demonstration currently in CVS. It is now possible to order permissions through a 'drag and drop' interface, create new permission rules, and also test any permission you have written through an easy to use interface all without reloading the page. Furthermore, you can filter permissions by group for an easy review of a single group's access rights on your website.
We anticipate that the Ajax libary can have many more uses across the codebase for .8, and over time these will be implemented. PostNuke now has a solid Ajax framework upon which third party developers can begin to develop their own Ajax-based modules for use with .8.
Use of pn-clearfix Class in Module Templates
For the new Ajax tableless module administration layouts to work correctly in tableless themes (such as the andreas08 theme in CVS) use has been made of a pn-clearfix class. This has been adapted from positioniseverything. While these changes were prompted by the introduction of Ajax sorting to lists in CVS, the class can be applied in any relevant situation.
Module Dependencies System
With the increasing use of hooks modules across the codebase with the advent of complete API compliance, it was necessary to introduce a dependencies system to PostNuke .8. This system allows modules that support or require particular hooks a way of informing the user of this requirement. In PostNuke .8, the core system will inform site administrators if they are lacking a module which can add functionality to their site. Additionally, the system prevents conflicting modules being installed together. It is up to module authors to set module dependencies in their pnversion.php file, stating a minimum and/or a maximum version required. An example of this is in CVS, in the form of the pnCategories pnversion.php file. When the .8 MS1 release is available, module authors are encouraged to look at this system and use it to their advantage when creating modules in the future.
New Password Hash Methods
Through the .8 PostNuke User's module it is now possible to choose the hash method in use on your site. The addition of both SHA-1 and SHA-256 encryption can add security in sensitive environments, and additionally the ability to change hash method can help when integrating PostNuke with other applications. The hash method changes have been implemented in such a way as to ensure you can change hash method at any point, you are not tied to a particular hash method at installation time.
Session Security Enhancements
More security options for sessions in PostNuke .8 are now available. You can now choose whether to sign cookies sent by your website, decide how long forms on your website should be valid for (through the authkey timeout) and finally enable IP checks to ensure session IP addresses do not change mid-session, which can occur if multiple people use the same account. PostNuke also now supports the setting of a secure host name for HTTPS, if your site does not support HTTPS through its normal domain name.
Site Disable Functionality
When disabling your site in .7x it was important to remember to stay logged in, or you would be locked out of your site with the PostNuke Swiss Army Knife as your only way back in. In .8 this changes, now an admin logon form is available on the site disabled screen to allow you to get back in to a disabled site.
In Closing...
At this stage, many of the key features of .8 are nearing completion, and we remain on track for our target Milestone 1 release
Generated on April 5, 2006.
-
PostNuke Security Advisory 2006-1
(News)
-
VULNERABILTIES
Arbitrary SQL code execution via adodb (when db-user is 'root' without password)
SOLUTION
It is recommended that all admins check for the following files and folders and remove them if found:
/includes/classes/adodb/server.php
/includes/classes/adodb/cute_icons _for_site
/includes/classes/adodb/PEAR
/includes/classes/adodb/contrib
/includes/classes/adodb/session/old
/includes/classes/adodb/tests
Securing the whole /includes/classes directory from web access provides an extra layer of security, by protecting against potential as-yet undiscovered security risks in libraries.
The following .htaccess file, placed in the /includes/classes directory, will secure the directory (Download):
order allow,deny
deny from all
The main packages have been updated, the hash sums for the PostNuke CMS Platinum Edition 0.761a are:
PostNuke-0.761a.tar.gz
MD5: 0610c53c4bed0311862ccf422a68d6a5
SHA1: 0006f488cdb6ea53e532d9754a88fb17987a3a8c
PostNuke-0.761a.zip
MD5: e82bd983901e27e44ab8f82cc359dd00
SHA1: 3432699ded203a1b1fb2cdb6b1fab6cdbd367a4a
Download from downloads.postnuke.com
CREDITS
The exploit was originally discovered by Secunia (http://www.secunia.com), additional informations were given by Maksymilian Arciemowicz (http://www.securityreason.com)
REFERENCES
secunia.com/advisories/18260/
phplens.com/lens/lensforum/msgs.php?id=9350
Andreas Krapohl [larsneo]
PostNuke CMS Development Team
Generated on January 9, 2006.