[Fwd: Re: CMS Option: Zikula]

Simon Birtwistle simon at zikula.org
Fri Jan 30 08:38:33 UTC 2009


> > That sounds awfully low for Postnuke. Doing a quick google search of
> > postnuke security fixes and just looking at different releases.. there
> > should be about 20 with some amount in core and a lot in plugins. My
> > information about the current state of PostNuke is not good. I am
> > betting that they are doing a lot more for security but a number of 4
> > problems just was too low for the amount of systems I have had to
> > 'clean' since 2002.

2002 was a _very_ long time ago in PostNuke development - though I accept
there are some sites on the web that haven't been updated since then.  I can
safely say there are virtually 0 lines of code left from 2002.  If you must
include PostNuke, please do so only for the .760 version and above - all
prior versions bear absolutely no resemblance to the current codebase at
all; even .760 is only 25% like Zikula.  Having been closely involved with
the project for almost 7 years, I can say that the figures above are
certainly accurate for 2008, and you won't see many more in 2007 either.
All the security advisories I have seen were for legacy code which has been
completely removed from Zikula now.

As I've said before, Zikula 1.0 has been reviewed both by automatic security
tools (which gave Zikula a very favourable report compared to the
competition) and by a security expert who has reported many security
vulnerabilities in PHP CMSs over the years - and he didn't find any of the
usual vulnerabilities like SQL injections.  I'd also encourage anyone with a
knowledge of PHP to take a look at the code.  You'll see the culture of
using the APIs is incredibly well spread to our extension developers, so
that no one makes direct access to GET and POST, our database library
automatically cleans variables before SQL queries and we have both input and
output filters against XSS.  Finally, we also have some advanced features
like form tokens (to protect against CSRF), cookie signing, session
regeneration etc that I haven't seen in (m)any other CMSs at all.

Seriously, I can accept that PostNuke in the dim and distant past had its
issues, mainly due to its heritage, but I can't remember the last time I saw
a vulnerability in any API compliant modules or the non-legacy parts of the
core itself.  Zikula has had 0 since its release almost 8 months ago.

> :( We haven't even installed it yet and the honeymoon is over?  Just
> curious, what kind of problems did you have?  Script kiddies or targeted
> attacks?
>
> We have options with mod_security as well.  I do want to make sure we have
> ourselves covered.
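The mail above names three mechanisms (form tokens against CSRF, cookie signing, session regeneration) without showing what they look like in PHP. The following is an added example written for this page, not Zikula's or PostNuke's code, and it makes no claim about how those projects implement the features. It assumes session_start() has already been called and that a server-side secret is passed in as $secret (both are assumptions of this example); the hypothetical form field name is "csrf".

```php
<?php
// Added example (not Zikula's code): the three mechanisms the mail names,
// as small stand-alone functions so the defensive pattern is visible.
// Assumes session_start() was called and $secret is a server-side secret.
declare(strict_types=1);

// --- Form tokens against CSRF -------------------------------------------
// One random token per session, embedded as a hidden field in every
// state-changing form:
//   <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time,
// so a missing or forged token is rejected without a timing side channel.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Cookie signing --------------------------------------------------------
// Append an HMAC to the value so a cookie edited on the client is detected
// when it comes back. The secret never leaves the server.
function sign_cookie(string $value, string $secret): string
{
    return $value . '.' . hash_hmac('sha256', $value, $secret);
}

// Returns the original value, or null if the MAC is missing or does not match.
function verify_cookie(string $cookie, string $secret): ?string
{
    $pos = strrpos($cookie, '.');
    if ($pos === false) {
        return null;
    }
    $value = substr($cookie, 0, $pos);
    $mac   = substr($cookie, $pos + 1);
    return hash_equals(hash_hmac('sha256', $value, $secret), $mac) ? $value : null;
}

// --- Session regeneration ---------------------------------------------------
// On a privilege change (login), issue a new session id and drop the old
// one, so an id planted before login (session fixation) is worthless.
function on_login(int $userId): void
{
    session_regenerate_id(true);     // true = delete the old session data
    $_SESSION['uid'] = $userId;
    unset($_SESSION['csrf_token']);  // fresh form token for the new session
}

// Usage in a POST handler (hypothetical field name "csrf"):
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('invalid form token');
}
```

The two hash_equals() calls are the detail worth noticing: a plain `==` comparison of a token or MAC leaks, through timing, how many leading bytes matched. session_regenerate_id(true) rather than the default false matters too, since the old session data would otherwise remain readable under the old id until garbage collection.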

More information about the Fedora-infrastructure-list mailing list