-
Development Update, November 2006-05
(News)
-
New teamlist member: Ammodump
Ammodump was asked to join the team. As quoted from his introduction in the team: "I enjoy being a community member, and that often my comments hold weight. Sometimes my comments and advice are misguided, but sometimes it is hard to understand others' questions ;-) ". With two main hobbies (PN and beer), Ammodump seems born for the support team here at the community website.
Remote code injection problem
As some people already know, there is a remote code injection problem with the language parameter, as mentioned in the Feedback Forum. Both the .7 and the .8 versions have been updated to fix this security vulnerability, so everybody is urged to upgrade their PostNuke installation to the latest release (see also the Release Announcement). Some background information: the FormUtil::getPassedValue() function now also accepts an input vector GETPOST. It ensures that the contents of _COOKIE are not taken into account when you get data (as they would be when you go through _REQUEST): the input domain is limited to _GET and _POST and no longer goes through _REQUEST / _COOKIE. This has been applied first to the newlang and thistheme parameters, and has been (and will be) applied to the rest of the core functions as well.
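The following is an added example, not PostNuke's own FormUtil code: a getPassedValue()-style reader whose source argument decides which superglobals may supply a value, so that GETPOST never consults _COOKIE, plus a hypothetical selectLanguage() helper that only accepts a newlang value matching an allowlist of installed languages (the language list is constructed).

```php
<?php
// Added example (not PostNuke's own code). A plain $_REQUEST lookup would also
// read cookies; the 'GETPOST' source below only ever looks at $_POST and $_GET.

/**
 * Look up $name in the requested input vector(s) only.
 * $source: 'GET', 'POST', 'GETPOST' or 'REQUEST' (the last includes cookies).
 */
function getPassedValue(string $name, $default = null, string $source = 'GETPOST')
{
    // For GETPOST a POST field wins over a query-string parameter of the same name.
    $vectors = [
        'GET'     => [$_GET],
        'POST'    => [$_POST],
        'GETPOST' => [$_POST, $_GET],
        'REQUEST' => [$_POST, $_GET, $_COOKIE],
    ];
    if (!isset($vectors[$source])) {
        throw new InvalidArgumentException("unknown input source: $source");
    }
    foreach ($vectors[$source] as $vector) {
        if (array_key_exists($name, $vector)) {
            return $vector[$name];
        }
    }
    return $default;
}

/**
 * Hypothetical helper: accept a language code only if it is a short lowercase
 * identifier AND one of the installed languages; otherwise use the default.
 * The allowlist check is what keeps the value safe to use in a file path.
 */
function selectLanguage(array $installed, string $default = 'eng'): string
{
    $lang = getPassedValue('newlang', $default, 'GETPOST');
    if (is_string($lang) && preg_match('/^[a-z]{2,5}$/', $lang)
        && in_array($lang, $installed, true)) {
        return $lang;
    }
    return $default;
}

// Constructed request data: the cookie is ignored, only _GET/_POST are consulted,
// and an unknown or malformed code falls back to the default language.
$_COOKIE['newlang'] = '../evil';
$_GET['newlang']    = 'fra';
echo selectLanguage(['eng', 'fra', 'deu'], 'eng'), "\n";
```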
Session handling
Some features have been added to the session handling in the core system:
Session id regeneration (random and on login/logout), making it even more difficult to hijack a session. This has been achieved without any extra writes to the database, so the feature has no overhead.
The ability to rename the session variable (which was always POSTNUKESID), and switching from session file storage to session db storage, have been enhanced.
An auth-id check has been added to the user login screen (and block); this has introduced a login bug which has been entered into the bug tracker and will be fixed by the release of MS3.
The session regeneration options are available in the (upgraded) Settings module.
Also fixed, for both the 0.764 release and the 0.8 release, are some PHP >= 5.2.0 issues due to session handling (see the forums; credits to fredatwork). This seems to solve the problems with PostNuke installations running on 5.2.0 or higher.
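As an added example (not the core's own session code), this sketches the regeneration policy described above: the session id is rotated on login and logout and, at random, during ordinary requests; the cookie name and the regeneration probability are assumed settings. Rotation only replaces the id, the session data is carried over, so the normal end-of-request save is the only store write.

```php
<?php
// Added example, not PostNuke's own code. Requires PHP 7.3+ for the array form
// of session_set_cookie_params(); the probability constant is an assumed setting.

const REGEN_PROBABILITY = 0.1;   // assumed: roughly one request in ten rotates the id

function startSession(string $name = 'POSTNUKESID'): void
{
    session_name($name);                       // the cookie name is configurable
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    session_set_cookie_params([
        'httponly' => true,                    // keep the id away from page scripts
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Issue a fresh id and invalidate the old one, so a captured id stops working.
function rotateSessionId(): void
{
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}

function loginUser(int $uid): void
{
    rotateSessionId();          // an id handed out before login must not survive it
    $_SESSION['uid'] = $uid;
}

function logoutUser(): void
{
    $_SESSION = [];             // drop the authenticated state first
    rotateSessionId();          // the post-logout id is unrelated to the old one
}

// Call once per request: random rotation keeps the lifetime of any leaked id short.
function maybeRotate(float $probability = REGEN_PROBABILITY): bool
{
    if (mt_rand() / mt_getrandmax() < $probability) {
        rotateSessionId();
        return true;
    }
    return false;
}
```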
Minimum MySQL and PHP versions
The minimum version for MySQL has been raised to 4.1.x, due to some installer problems related to old 3.x databases. See also MySQL's lifetime philosophy at Planet MySQL. For security reasons, the recommended minimum PHP version is 4.3.10.
Installer
Now fixed are some install problems with register_globals ON. In addition, a check for register_globals has been added to the .76x install process, for information only: installing PostNuke in these environments is still possible. Syncing this with the .8 installer remains to be done.
System and core modules
The internal variables statusmsg and errormsg are now arrays, so it is now possible to capture (and display) multiple errors. Therefore, pnGetStatusMsg() is renamed to pnGetStatusMsgs() and LogUtil::getStatusMessagesText().
The handling of float values returned from Ajax has been discussed within the team. It appears that in non-US locales the decimal delimiter of floats was not set correctly. Therefore, the locale has been set to en_US to ensure this. A solution for writing floats to the DB is still pending.
Robert has added the encryption / decryption methods, using the mcrypt library function, for use in the API.
In the Theme module, the plugins for showing the sitename, slogan and complete title have been altered to use multilanguage support.
The Settings module has some nice dynamic interface elements added to the Security and General function types, increasing usability in this one.
The magic_quotes_gpc recommendation for .8 has been changed: it should be off instead of on. According to the PHP security group, this feature is inconsistent in blocking attacks and can in some cases cause data loss with uploaded files. Besides the reversal of the magic_quotes_gpc recommendation, the SysInfo module now also checks for allow_url_include (new in PHP 5.2) and the suhosin patch/extension.
Finally, all variables retrieved through FormUtil::getPassedValue() are now cached.
ValueAddons modules
The Pages module now displays the category that each page belongs to in the overview.
The Error module (or error handler, where error pages within PostNuke are handled) has undergone some changes. System errors, forbidden / not-found errors and specific API errors have their own templates and level of error reporting. A no-auth error will now result in a more suitable 403 response rather than a 200 response with a status message. As a result, a lot of code has been altered to correctly use the new log and error message handling.
The Wiki module has been renamed to the more suitable 'Wiki_Code', as this module is a transform hook to enable Wiki formatting in content items.
The ExampleObj module has been reviewed, revised and updated by Robert. It should serve as a good example for any module writers.
Generated on November 20, 2006.
-
Single Login to a Multisite
(News)
-
1. Backup each file you edit before proceeding.
2. In your multisite configuration, edit each pntables.php for each multisite under your parameters/sub.domain to share nuke_session_info, e.g. $session_info = 'nuke_session_info';
3. Edit includes/pnSession.php and search for session.cookie_domain and you will find the line:
ini_set('session.cookie_domain', $domain);
which I changed to
ini_set('session.cookie_domain', 'postnuke.com');
4. Flush the nuke_session_info table in your database, deleting all current session records.
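An added example, not code from the original post: instead of hard-coding the parent domain for every request, the session cookie is widened to the shared domain only for hosts that are part of the multisite (the host list and domain below are constructed); any other host keeps a host-only cookie, so the shared session id is not handed to hosts that do not read the common nuke_session_info table.

```php
<?php
// Added example, not PostNuke's own code. MULTISITE_HOSTS and SHARED_DOMAIN are
// constructed values standing in for the administrator's real configuration.

const MULTISITE_HOSTS = ['www.postnuke.com', 'dev.postnuke.com', 'docs.postnuke.com'];
const SHARED_DOMAIN   = 'postnuke.com';   // the value the post hard-codes

/**
 * Return the domain to pass to ini_set('session.cookie_domain', ...),
 * or null to leave the cookie scoped to the exact request host.
 */
function sessionCookieDomain(string $host, array $sites, string $shared): ?string
{
    $host = strtolower(explode(':', $host, 2)[0]);   // drop any :port suffix
    if (!in_array($host, $sites, true)) {
        return null;                                  // not one of our sites: no sharing
    }
    // Widen only when the host really sits under the shared domain.
    $suffix = '.' . $shared;
    if ($host === $shared || substr($host, -strlen($suffix)) === $suffix) {
        return $shared;
    }
    return null;
}

// Call before session_start(), using the host of the current request.
function configureSessionCookie(string $host): void
{
    $domain = sessionCookieDomain($host, MULTISITE_HOSTS, SHARED_DOMAIN);
    if ($domain !== null) {
        ini_set('session.cookie_domain', $domain);
    }
    // A cookie shared across several hosts is worth more; keep it out of scripts.
    ini_set('session.cookie_httponly', '1');
}

configureSessionCookie($_SERVER['HTTP_HOST'] ?? 'localhost');
```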
In the 0.8 series we will revisit the multisite system making the system easier to administer.
Good luck :)
Generated on August 10, 2004.
-
Security Fix Package for Postnuke .723
(News)
-
FIXES
/modules/Modules/pnadminapi.php (fixed regeneration bug, thx to cmgrote, jojodee, jnapp)
/includes/pnAPI.php (updated pnanticracker)
/includes/pnSession.php (fixed globals)
/modules/Credits/pnuser.php (fixed path disclosure, thx to Alexander GQ Gerasiov)
/includes/blocks/topic.php (fixed permission check, thx to ddrury)
/includes/blocks/weblinks.php (fixed permission check, thx to cs)
/includes/blocks/stories.php (fixed permission check)
larsneo, pnDev
Generated on January 4, 2003.
-
Successful PostNuke Phoenix Installation on Windows 2000 Server -- HOW TO
(News)
-
few hours trying to solve a problem that was just waiting for a reboot. Take my word for it, especially with the MySQL install.
The Config:
Hardware: PIII slot 1, 384 Megs RAM, 1 FAT32 drive(2 partitions), 1 NTFS drive (single partition)
Windows 2000 Server Sp3
IIS 5.0 included with windows 2000
PHP 4.2.3 (via installer)
MyODBC 2.50.39
mySQL 3.23.52
The Details
Windows Server
This is a multi-role machine running DNS, Active Directory (AD) and other network services, and IIS. It's basically my intranet, Domain Controller (AD), File Server and development web server. It's locked down behind a router with its own security protocols, so if you hack the router, you still have to hack AD, which grants access through IP first, Domain second and user third. It's pretty tightly locked up, and it's a good way to have a fairly secure development platform.
IIS
IIS is configured to run a default site, which is locked down using AD. If the machine dns name is theMachine, I can easily access the default web site using my browser and going to http://theMachine. The default site is basically a default installation with nothing on it and I use virtual directories to point to development file structures - this is documented in IIS documentation. Basically I took a default PostNuke installation file structure and copied it to a directory on one of my development partitions (I used a FAT32 partition -- no reason for it, just thought this may be a useful fact), and made that a virtual directory of the main site. If I name the virtual directory PNdev, I can now access that directory via http://theMachine/PNdev.
PHP
Download the installer version of PHP for Windows (link in heading title). Stop the IIS server. Execute the PHP installer and follow the instructions (pay attention to the checkboxes for what kind of webserver you wish to install it on; there should be one for IIS 4.0 and up). Reboot. After rebooting, run a search for php.ini (because I'm too lazy to look for it in the C:/Winnt folder), and change register_globals to 'On'. NOTE: DOING THIS POSES A SECURITY ISSUE FOR THE WEBSERVER. Read about it in the PHP documentation. Now you're ready to install mySQL.
MyODBC
I downloaded and installed this driver for MySQL because I'm developing some desktop packages that may be using MySQL in the future -- but it's part of the environment and thought I should mention it. Just do it if you're not sure.
mySQL
Download (link in title) and unzip this file to its own directory. Go to IIS and stop the server! Install using the setup program and use all the default values (if you install it other than to the default directories, don't come crying to me). Reboot.
After rebooting, run a search for the my.ini file and delete it. If you don't find one, good: it means you need to create one.
Creating a my.ini file with winmysqladmin.exe
You will find winmysqladmin.exe in c:\mysql\bin\; if you don't find it there, you screwed up somewhere or installed mysql in another directory, so run a search to find it. Once you have located winmysqladmin.exe, I would advise putting a shortcut to it on your desktop.
Open winmysqladmin.exe; a window should pop up asking for a user name and password. Enter the username and password that you wish to use; this will be the MASTER USERNAME AND PASSWORD for your mysql installation. You will need this password very shortly, so write it down! Once you submit the info, look in the sys tray for an icon that looks like a traffic light. If the 'light' is red, mySQL needs to be started. Do this by right-clicking the icon, choosing 'win NT' and then clicking 'start this service'. (If you wish to set more u/n & p/w for other users on their own dbs, read about it in the mySQL documentation.)
Creating a Database with winmysqladmin.exe
If the traffic light icon is in the tray, open the GUI by right-clicking the icon and choosing 'show me'. If it is not in the tray, open winmysqladmin.exe from the shortcut you placed on your desktop earlier, or find it again and open it. When it opens, you will see the window appear and then disappear; look in the tray and you will see the traffic light. Right-click the icon and choose 'show me'.
The GUI will appear; click on the 'Databases' tab. Right-click on the server name in the upper left frame and click 'create database'. Input a database name and click OK. This will create a new blank database. Now you are ready to install PostNuke.
PostNuke Install Notes
At this point, I am assuming that you have the files in place on the server and will refer to the directory that holds those files as 'POSTNUKEweb'. Some preliminary steps: make sure that config.php and config-old.php are both world-writable. Note that once the install/upgrade has been completed, these files can be set back to read-only.
Your config file should be modified to reflect the username and password that you set up during the installation of mySQL. Remember? I told you to write them down!!! It should also reflect the name of the database that you created with winmysqladmin.exe.
Additionally, your config.php file should be set to Windows. Do this by changing $pnconfig['system'] = '0'; to $pnconfig['system'] = '1'; on line 48.
KICK IT
Go to your PostNuke installation (i.e. http://POSTNUKEweb/install.php).
Choose the language and click 'Set Language'. If this page just refreshes and you can't get beyond it, you need to change your php.ini file as described above under the PHP heading.
When you get to the DB info page, DO NOT check the box for use with intranets. I checked this on my first run through and could not log in after installation; by not checking it, I could log in fine. I have a feeling that it's because of the server setup, but it works for me. You can play with this setting after install: make a backup copy of the pnSession.php file (located in the includes directory). Then, open the file in your favorite editor, and find the line (somewhere around line #88) that looks like this:
Code:
if (pnConfigGetVar('intranet') == false) {
You can toggle the intranet functionality by changing the boolean false to true and vice versa on this line to see how your system/server/nuke responds.
By following these guidelines you can implement PostNuke pretty seamlessly on your Windows 2000 server. I haven't experimented with XP, win2k (non-server), or 98, but I'll be sure to post my findings if I do.
Also, thanks to the entire dev team on PostNuke for creating a kickass solution platform --- you guys ROCK (and so does the community
Generated on October 8, 2002.
-
PN .71 through .713 & Andromeda
(News)
-
and the .713 change log (here) says that it fixed the problem, but that does not seem to be the case. And now Jim has moved on...
One user experiencing the problem (thanks Bert!) had some luck changing:
Header('Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0');
- to -
Header('Cache-Control: cache, must-revalidate, post-check=0, pre-check=0');
- in -
pnSession.php (at roughly line 200)
But that seems to interfere with the behavior of his browser's back button.
I very much hope to resolve the issue, but it does appear to come from a change to pnSession.php, and Andromeda still works fine in 'standalone' mode.
I'd be happy to talk to any PN dev, and I can be reached at scott@turnstyle.com.
-Scot
Generated on April 23, 2002.