hich was originally based on a PostNuke version but soon forked in a totally different direction under development for a few years.
The fruits of the Adam Baum project were released as a new product called Zikula. Efforts have been made to provide a migration path to the new product, although not all modules and extensions are compatible and the migration process can be rather difficult. For details about the migration package, please see the migration release.
Zikula should not be confused with PostNuke, since they are separate products and the underlying code is vastly different. A decision was made to provide security updates for PostNuke until 1st July 2009, and there will be no more releases of PostNuke beyond version 0.764. If security issues are found, it is suggested you discontinue use of PostNuke and migrate. If you require professional support doing this, you may contact us.
Generated on February 1, 2009.
Intraweb project towards version 2.0
work. So you are invited to visit our website (in Catalan). At the moment we have 15 modules that work correctly with version 0.764 of PostNuke and we have 4 modules adapted to version 0.8. There is a website where you can test them (in English). These modules are:
iw_moodle: It allows Moodle (versions 1.8.x) to be integrated into PostNuke (version 0.8) with single sign-on between the two programs.
iw_vhmenu: It makes it possible to create a vertical or horizontal menu with a lot of configurable options. At the same time it is possible to choose the groups that are going to see the different menu items.
iw_webbox: With this module it is possible to show any HTML content on the web. In this link there is an example.
iw_main: It contains some functions and variables that are used in the Intraweb modules.
Very soon we are going to have a new module available for version 0.8, but I'll explain this in a few days.
Generated on February 11, 2008.
PNSA 2006-3 - PostNuke Input Validation Vulnerability
Directory traversal vulnerability in error.php in PostNuke 0.763 and earlier allows remote attackers to include and execute arbitrary local files under certain circumstances via the PNSVlang session variable which is included by error.php.
Users should immediately update to 0.764. PostNuke versions 0.764 and later are unaffected.
PostNuke 0.764 Downloads
see Release Announcement.
Andreas Krapohl [larsneo]
PostNuke CMS Development
Generated on November 21, 2006.
PostNuke .764 Released
There are no new features in this release, only a fix package for known issues with the 0.763 release.
PostNuke 0.764 Full Release Download
Download this release for new full installations.
PostNuke 0.764 Patch Files Download
Only download the patched files release if you are running a pre-existing 0.763 installation. This patch will not work with new installations or successfully patch versions earlier than 0.763. Note: due to a different SVN timestamp format this patch package might contain more files than expected.
#3624, #3587, #3496, #3465.
Additionally, the problems during installation in register_globals=on environments and problems with PHP 5.2 have been addressed.
PostNuke Security Advisory 2006-3
Simon Birtwistle [HammerHead]
PostNuke CMS Steering Committee
Generated on November 21, 2006.
Development Update, November 2006-05
New teamlist member: Ammodump
Ammodump was asked to join the team. As quoted from his introduction in the team: "I enjoy being a community member, and that often my comments hold weight. Sometimes my comments and advice are misguided, but sometimes it is hard to understand others' questions ;-) ". With two main hobbies (PN and beer), Ammodump seems to be born for the support team here at the community website.
Remote code injection problem
As some people already know, there is a remote code injection problem with the language parameter, as mentioned in the Feedback Forum. Both the .7 and the .8 versions have been updated to fix this security vulnerability, so everybody is urged to upgrade their PostNuke version to the latest release (see also Release Announcement). Some background information: the FormUtil::getPassedValue() function now also accepts a GETPOST input vector. This ensures that the contents of _COOKIE are not taken into account when you get data (as they would be when you go through _REQUEST). The input domain is limited to _GET and _POST, and values no longer come through _REQUEST / _COOKIE. This is applied firstly to the newlang and thistheme parameters, and has been (and will be) applied to the rest of the core functions as well.
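The input-domain restriction described above, combined with a check at the point where the language file is included (the weakness PNSA 2006-3 describes for the PNSVlang session variable), as an added example that is not PostNuke code. The function names, the 'global.php' layout, the 'eng' fallback and the sample request values are all hypothetical.

```php
<?php
// Added example. All names, the 'global.php' layout and sample values are hypothetical.
// Read a parameter from an explicit input domain. 'GETPOST' never looks at
// $_COOKIE or $_REQUEST, so a value planted in a cookie is not returned.
function get_passed_value($key, $default = null, $source = 'GETPOST')
{
    $domains = array('GET' => array($_GET), 'POST' => array($_POST), 'GETPOST' => array($_GET, $_POST));
    // An unknown domain name yields no sources, so the default is returned.
    $use = isset($domains[$source]) ? $domains[$source] : array();
    foreach ($use as $domain) {
        if (isset($domain[$key])) {
            return $domain[$key];
        }
    }
    return $default;
}

// Resolve a language code to a file under $langDir at the point of include,
// so a bad value is caught whether it came from the request or the session.
function resolve_language_file($lang, $langDir, $fallback = 'eng')
{
    $base = realpath($langDir);
    foreach (array($lang, $fallback) as $code) {
        // \A...\z anchors the whole string; '/', '.', newlines and arrays all fail here.
        if ($base === false || !is_string($code) || !preg_match('/\A[a-z]{2,3}\z/', $code)) {
            continue;
        }
        $file = realpath($base . DIRECTORY_SEPARATOR . $code . DIRECTORY_SEPARATOR . 'global.php');
        // Containment: the resolved path must still sit below the language directory.
        if ($file !== false && strpos($file, $base . DIRECTORY_SEPARATOR) === 0) {
            return $file;
        }
    }
    return null;
}

// Constructed demo: a temporary language tree plus a simulated request.
$langDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
foreach (array('eng', 'deu') as $code) {
    mkdir($langDir . DIRECTORY_SEPARATOR . $code, 0700, true);
    file_put_contents($langDir . DIRECTORY_SEPARATOR . $code . DIRECTORY_SEPARATOR . 'global.php', "<?php\n");
}
$_GET = array('newlang' => 'deu');
$_POST = array();
$_COOKIE = array('newlang' => '../../outside/the/tree'); // constructed hostile value
$inputs = array(get_passed_value('newlang'), $_COOKIE['newlang'], "eng\n", array('deu'));
foreach ($inputs as $input) {
    $file = resolve_language_file($input, $langDir);
    echo json_encode($input), ' -> ', basename(dirname($file)), "\n";
}
```

Only the value read from _GET selects its own language directory; the cookie value, the string with a trailing newline and the array all fall back to the default language.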
Some features have been added to the session handling in the core system:
Session id regeneration (random and on login/logout), making it even more difficult to hijack a session. This has been achieved without any extra writes to the database, so the feature has no overheads.
The ability to rename the session variable (always was POSTNUKESID), and changing from session file storage to session db storage has been enhanced.
Auth-id check to the user login screen (and block) - this has introduced a login bug which has been entered into the bug tracker and will be fixed by the release of MS3.
The session regeneration options are available in the (upgraded) Settings module.
Also fixed for both the 0.764 release as well as the 0.8 release are some PHP >= 5.2.0 issues due to session handling (See the forums, credits to fredatwork). It seems to solve the problems with PostNuke installations running on 5.2.0 or higher.
Minimum MySQL and PHP versions
The minimum version for MySQL has been raised to 4.1.x, due to some installer problems that are related to old 3.x databases. See also MySQL's lifetime philosophy at Planet MySQL. For security reasons, the recommended minimum PHP version is at least 4.3.10.
Some install problems with register_globals ON are now fixed. In addition, a check for register_globals has been added to the .76x install process, for information only. The installation of PostNuke on these environments is nevertheless still possible. Sync with the .8 installer is still to be done.
System and core modules
The internal variables statusmsg and errormsg are now arrays: it is now possible to capture (and display) multiple errors. Therefore, pnGetStatusMsg() is renamed to pnGetStatusMsgs() and LogUtil::getStatusMessagesText().
Float handling returns from Ajax has been discussed within the team. It appears that floats in the Non-US locales did not correctly set the decimal delimiters. Therefore, the locale has been set to en_US to ensure this. A solution for writing floats to the DB is still pending.
Robert has added the encryption / decryption methods, using the mcrypt library function, for use in the API.
In the Theme module, the plugins for showing the sitename, slogan and complete title have been altered to use multilanguage support.
The Settings module has had some nice dynamic interface elements added to the Security and General function types, increasing its usability.
The magic_quotes_gpc recommendation for .8 has been changed. It should be off instead of on. According to the PHP security group, this feature is inconsistent in blocking attacks, and can in some cases cause data loss with uploaded files. Besides the reversal of the magic_quotes_gpc recommendation, the SysInfo module now also checks for allow_url_include (new in PHP 5.2) and the suhosin patch/extension.
Finally, all variables retrieved through FormUtil::getPassedValue() are now cached.
The Pages module now displays the category that each page belongs to in the overview.
The Error module (or Error handler, where error pages within PostNuke are handled) has been undergoing some changes. System errors, forbidden / not-found errors and specific API errors have their own templates and level of error reporting. A no-auth error will result in a more suitable 403 response rather than a 200-response with a status message. As a result, a lot of code has been altered to correctly use the new Log- and Error message handling.
The Wiki module has been renamed to the more suitable 'Wiki_Code', as this module is a transform hook to enable Wiki formatting in content items.
The ExampleObj module has been reviewed, revised and updated by Robert. It should serve as a good example for any module writers.
Generated on November 20, 2006.