> > That sounds awfully low for Postnuke. Doing a quick google search of
> > postnuke security fixes and just looking at different releases..
> > there should be about 20 with some amount in core and a lot in plugins. My
> > information about the current state of PostNuke is not good. I am
> > betting that they are doing a lot more for security but a number of 4
> > problems was just too low for the amount of systems I have had to
> > 'clean' since 2002.

2002 was a _very_ long time ago in PostNuke development - though I accept there are some sites on the web that haven't been updated since then. I can safely say there are virtually 0 lines of code left from 2002. If you must include PostNuke, please do so only for the .760 version and above - all prior versions bear absolutely no resemblance to the current codebase at all; even .760 is only 25% like Zikula.

Having been closely involved with the project for almost 7 years, I can say that the figures above are certainly accurate for 2008, and you won't see many more in 2007 either. All the security advisories I have seen were for legacy code which has been completely removed from Zikula now.

As I've said before, Zikula 1.0 has been reviewed both by automatic security tools (which gave Zikula a very favourable report compared to the competition) and by a security expert who has reported many security vulnerabilities in PHP CMSs over the years - and he didn't find any of the usual vulnerabilities like SQL injections.

I'd also encourage anyone with a knowledge of PHP to take a look at the code. You'll see the culture of using the APIs is incredibly well spread to our extension developers, so that no one makes direct access to GET and POST, our database library automatically cleans variables before SQL queries, and we have both input and output filters against XSS.

Finally, we also have some advanced features like form tokens (to protect against CSRF), cookie signing, session regeneration etc. that I haven't seen in (m)any other CMSs at all.

Seriously, I can accept that PostNuke in the dim and distant past had its issues, mainly due to its heritage, but I can't remember the last time I saw a vulnerability in any API-compliant modules or the non-legacy parts of the core itself. Zikula has had 0 since its release almost 8 months ago.

> :( We haven't even installed it yet and the honeymoon is over? Just
> curious, what kind of problems did you have? Script kiddies or
> targeted attacks?
>
> We have options with mod_security as well. I do want to make sure we
> have ourselves covered.

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
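The message above names three session-level protections (form tokens against CSRF, cookie signing, and session regeneration) without showing how they work. The following is an added illustration in plain PHP, written for this page; it is not Zikula's or PostNuke's code and makes no claim about how their APIs implement these features. It assumes PHP 7.1 or later (for `random_bytes`, `hash_equals` and nullable return types), a server-side secret `COOKIE_SECRET` loaded from configuration (a placeholder here), and a web request in which `session_start()` is called before the helpers are used.

```php
<?php
// Added illustration, not CMS code: CSRF form tokens, HMAC-signed cookies
// and session-id regeneration using only PHP built-ins.
declare(strict_types=1);

// Placeholder secret for the example; a real deployment loads this from
// configuration and never commits it to source control.
const COOKIE_SECRET = 'replace-with-a-long-random-secret';

// --- 1. Form tokens against CSRF -------------------------------------------

// Issue one random token per session; it is echoed into every form as a
// hidden field and must come back unchanged with each POST.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the submitted token. hash_equals() compares in constant time so the
// check itself does not leak token bytes through timing differences.
function csrf_check(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// --- 2. Cookie signing -----------------------------------------------------

// Append an HMAC-SHA256 tag so a client-modified cookie value is rejected
// instead of being trusted by the application.
function sign_cookie(string $value): string
{
    return $value . '.' . hash_hmac('sha256', $value, COOKIE_SECRET);
}

// Return the original value, or null when the tag does not verify.
function verify_cookie(string $signed): ?string
{
    $pos = strrpos($signed, '.');
    if ($pos === false) {
        return null;
    }
    $value    = substr($signed, 0, $pos);
    $mac      = substr($signed, $pos + 1);
    $expected = hash_hmac('sha256', $value, COOKIE_SECRET);
    return hash_equals($expected, $mac) ? $value : null;
}

// --- 3. Session regeneration -----------------------------------------------

// Rotate the session id whenever privilege changes (login here), so a session
// id that was known before authentication is not carried into the
// authenticated session. The old session data file is destroyed.
function on_login(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    unset($_SESSION['csrf_token']); // a fresh form token for the new session
}

// --- Request handling sketch (web) / self-check (CLI) ----------------------

if (PHP_SAPI === 'cli') {
    // Run from the command line: exercise the helpers on constructed values.
    $session = [];
    $t = csrf_token($session);
    assert(csrf_check($session, ['csrf_token' => $t]) === true);
    assert(csrf_check($session, ['csrf_token' => 'not-the-token']) === false);
    $c = sign_cookie('uid=42');
    assert(verify_cookie($c) === 'uid=42');
    assert(verify_cookie('uid=1.' . substr($c, strlen('uid=42.'))) === null);
    echo "ok\n";
} else {
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_SESSION, $_POST)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // Escape the token on output, in line with the output filtering the
    // message describes, even though the value is server-generated hex.
    $token = htmlspecialchars(csrf_token($_SESSION), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="csrf_token" value="'
        . $token . '"><button>Submit</button></form>';
}
```

Running the file with `php` from a shell executes the self-check branch; serving it through a web server shows the hidden-field pattern. The token and cookie comparisons deliberately go through `hash_equals()` rather than `==`, and the cookie tag is keyed with a server secret rather than a bare hash, since an unkeyed hash can be recomputed by whoever edits the cookie.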