Fortress(tm) Extended to Postnuke
Date: Tuesday, May 25 @ 14:32:16 CEST
Topic: Security


I submitted an article to Postnuke News and it was approved (I also re-posted it in their forums). But it was also removed the very next day (today). A discussion is taking place and it hasn't been met with open arms. At any rate, I'll continue coding it for as many PHP-based apps as possible. The problem is that the Postnuke forum replies state that their current API code prevents XSS and SQL Injections, yet I found so many recently made available in April that prove otherwise.

My quote at the Postnuke forums:
On another note, Fortress(tm) is a proactive application that prevents the issues that even recently are being exploited against Postnuke (not just PHP-Nuke). For instance:

April 28 2004: Multiple Vulnerabilities in PostNuke Phoenix
http://www.securiteam.com/unixfocus/5ZP0Q2ACKO.html
Several Cross-site Scripting (XSS) exploits exist.

April 25 2004: Multiple Vulnerabilities In phProfession Module For PostNuke
http://www.securiteam.com/unixfocus/5YP0L1FCKU.html
Some XSS and even SQL Injections are reported.

And it continues:

PostNuke Cross Site Scripting Vulnerabilities
http://secunia.com/advisories/11466/

I know that Postnuke has already patched most of these, but it just doesn't make sense to wait for these to be found and then patch them.

That is why Fortress(tm) has been created to be proactive against these attacks, and stops them too.

I'll continue building it, and if you use it that will simply mean you can sleep at night.

I would hope the Postnuke community would open themselves to proactive measures of security.





This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=2159