Friday, January 14, 2005

 

Interview with Lee Eason

The official PostNuke website published an interview with Lee Eason, a member of the pnCore team who is responsible for the development of the module SDK.

He said some interesting things, for example that PostNuke's greatest weakness is also its greatest strength: the modular nature of the system. Lee is also the author and director of pnFlashGames and pnFlashGames.com, and he said that pnFlashGames has a weakness too: "Well, the weakest part of my module is the pnHTML I think"

So read the interview :-)




Thursday, January 13, 2005

 

New Microsoft CMS Book Released

Microsoft released ‘Building Websites with Microsoft Content Management Server’.

The book presumes a working knowledge of the .NET Framework and familiarity with the C# language, but no prior knowledge of MCMS is required.


The following topics are covered in detail:

The basic concepts of MCMS
Preparing, installing and configuring MCMS and its supporting technologies
Creating an MCMS website from scratch
Creating and debugging templates files and channel rendering scripts

Working with dynamic navigation
Establishing user roles and rights
Authoring with MCMS and improving the authoring experience
Understanding and customizing workflow
Working with the Publishing API
Site deployment techniques
Enhancing your site's performance with caching

Source: http://www.cmswire.com/cms/web-cms/new-microsoft-cms-book-released-000502.php

Shop: http://www.packtpub.com/book/mcms



Tuesday, January 11, 2005

 

Angelinecms 0.7 screenshots

Here are some screenshots from the future version of angelinecms:

New user manager: shot1, shot2

New group manager: shot1, shot2

Source: Couple 0.7 screenshots


 

Simple PHP Blog Directory Traversal

Summary

Simple PHP Blog requires "no database to create a blog system but instead only requires PHP 4 (or greater) and write permission on the server". Two vulnerabilities in Simple PHP Blog, caused by inadequate testing for directory traversal attacks, allow a remote attacker to view arbitrary files and create arbitrary directories.

Credit: The information has been provided by Madelman.

Details

Vulnerable Systems: * Simple PHP Blog version 0.3.7r1 and prior

Immune Systems: * Simple PHP Blog version 0.3.7r2 or newer

We can read any file with TXT extension (in this example /etc/X11/rgb.txt)

Request: http://[SERVER]/sphpblog/comments.php?y=05&m=01&entry=../../../../../../../etc/X11/rgb

Returns the content of the file

We can create arbitrary folders in the file system and the content of the post will be saved in this folder. To create folder http://[SERVER]/sphpblog/createdir/

Request (this must be a POST request and we must modify entry parameter): http://[SERVER]/sphpblog/comment_add_cgi.php with entry=../../../createdir
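A server-side check that rejects both requests above, as an added example (it is not Simple PHP Blog's code and not the fix shipped in 0.3.7r2). The content/<yy>/<mm>/<entry>.txt layout, the entry-name pattern and the function name entry_path() are assumptions made for the illustration.

```php
<?php
// Added example, not Simple PHP Blog's own code. The content/<yy>/<mm>/<entry>.txt
// layout, the entry-name pattern and entry_path() itself are assumptions.

/**
 * Map the y, m and entry request parameters to a .txt path under $baseDir.
 * Returns null when the request must be rejected. Usable for reads
 * (comments.php) and for writes (comment_add_cgi.php) alike.
 */
function entry_path(string $baseDir, string $y, string $m, string $entry): ?string
{
    // 1. Allow-list every parameter so that no dots, slashes, backslashes or
    //    NUL bytes can reach a filesystem call.
    if (!preg_match('/\A\d{2}\z/', $y) || !preg_match('/\A\d{2}\z/', $m)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $entry)) {
        return null;
    }
    // 2. Canonicalise the target directory and confirm it is still inside the
    //    content root (this also catches symlinks that point elsewhere).
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . "/$y/$m");
    if ($base === false || $dir === false
        || strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // 3. The extension is appended by the server, never taken from the request.
    return $dir . DIRECTORY_SEPARATOR . $entry . '.txt';
}

// Constructed demo data in a throwaway directory.
$root = sys_get_temp_dir() . '/sphpblog_demo_' . bin2hex(random_bytes(4));
mkdir("$root/05/01", 0700, true);
file_put_contents("$root/05/01/entry050111-120000.txt", "first post\n");

$samples = [
    'entry050111-120000',                 // constructed legitimate entry name
    '../../../../../../../etc/X11/rgb',   // value from the read request above
    '../../../createdir',                 // value from the POST request above
];
foreach ($samples as $entry) {
    $path = entry_path($root, '05', '01', $entry);
    printf("%-36s %s\n", $entry, $path === null ? 'REJECTED' : "OK -> $path");
}
```

Because the directory rather than the file is canonicalised, the same function works for a comment file that does not exist yet.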

Source: Securiteam

 

b2Evolution 'title' SQL Injection

Summary
b2evolution is "probably the most comprehensive blog engine you can find". An SQL injection vulnerability has been found in b2evolution's 'title' parameter, allowing a remote attacker to cause the program to include arbitrary SQL statements inside its existing statement.

Credit: The information has been provided by r0ut3r.

Details

Exploit: The following URL will trigger the vulnerability:
http://vulnerable/index.php?blog=1&title='&more=1&c=1&tb=1&pb=1


Workaround:

1: manual edit:

Open the file /blogs/b2evocore/_class_itemlist.php and find the following code around lines 197-201:

Code:

// if a post urltitle is specified, load that post

if( !empty( $title ) ) { $where .= " AND post_urltitle = '$title'"; }

Replace these lines like this:

Code:

// if a post urltitle is specified, load that post
if( !empty( $title ) ) { $where .= ' AND post_urltitle = '.$DB->quote($title); }

2: patch files

Download the following file: b2evo-0-9-0-11-fix.zip, unzip it and replace the two enclosed files in the blogs/b2evocore folder. This second method also fixes a small harmless bug that would cause an error when testing that the SQL injection issue is fixed.
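The effect of the manual edit, reproduced against an in-memory SQLite database as an added example (this is not b2evolution code). PDO::quote() stands in for b2evolution's $DB->quote(); the posts table, its rows and the helper names are constructed, and only the post_urltitle column and the single-quote input come from the text above.

```php
<?php
// Added example, not b2evolution code. The posts table, its rows and the
// helper names are constructed; PDO::quote() stands in for $DB->quote().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_urltitle TEXT)");
$db->exec("INSERT INTO posts (post_urltitle) VALUES ('hello-world'), ('second-post')");

// Before the fix: the request value is pasted between the quotes unescaped.
function sql_concat(string $title): string
{
    return "SELECT id FROM posts WHERE 1=1 AND post_urltitle = '$title'";
}

// After the fix: the database layer adds the quotes and escapes the value.
function sql_quoted(PDO $db, string $title): string
{
    return 'SELECT id FROM posts WHERE 1=1 AND post_urltitle = ' . $db->quote($title);
}

// Alternative: a bound parameter keeps the value out of the SQL text entirely.
function find_bound(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id FROM posts WHERE post_urltitle = :t');
    $stmt->execute([':t' => $title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// "hello-world" is a constructed title; "'" is the title value from the URL above.
foreach (["hello-world", "'"] as $title) {
    try {
        $n = count($db->query(sql_concat($title))->fetchAll());
        echo "concat [$title]: $n row(s)\n";
    } catch (PDOException $e) {
        echo "concat [$title]: SQL error, the input changed the statement\n";
    }
    $n = count($db->query(sql_quoted($db, $title))->fetchAll());
    echo "quoted [$title]: $n row(s)\n";
    echo "bound  [$title]: " . count(find_bound($db, $title)) . " row(s)\n";
}
```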

Source (bug) : Securiteam
Source (workaround): b2evolution forums.

 

wp-plugins

The developers of the WordPress blog engine announced a new website, wp-plugins.org, the WordPress plugin repository. Great news for plugin developers!

Developers can:

Host their development for free
Be assured of high visibility
Manage their code using an SVN client
Track issues (bugs) using the tracker
Provide documentation using the wiki with the help of end-users.

WordPress Users can:

Browse all the plugins and themes.
Download plugins and themes from one location.
Provide feedback to plugin developers using the tracker. Help improve the plugin or theme.
Develop documentation at the wiki page for the plugins they use.
Stay in the loop using the RSS feeds.

Source: http://wordpress.org/development/

 

BLOG:CMS

BLOG:CMS is the most complete, feature-packed, personal publishing system on the market, developed by Radek Hulán. It includes state-of-the-art weblog, forum, wiki engine, news aggregator (atom / rss), and photo gallery.

Features?

An overview of the most important BLOG:CMS features is given below.

Standards compliance
BLOG:CMS is probably the only system that is not only w3c valid, but also ships with application/xhtml+xml MIME type by default, for top performance on modern browsers like Mozilla, Firefox, Safari and Opera. But BLOG:CMS will also automatically supply the older standard, text/html, to browsers which cannot handle this, like the obsolete Microsoft Internet Explorer.
Maintenance of one or more weblogs/news-sites
With BLOG:CMS, you can set up one or more weblogs. If you want to, you can even show the contents of multiple weblogs on the same page.

Integrated Forum
With BLOG:CMS, you can host discussions of your articles in either your weblog or in a forum. This gives you many more possibilities and more freedom for larger discussions. BLOG:CMS members are automatically registered in your forum as well, and within your weblog you can see the date and time of the last forum post for each article.
Integrated Photo Gallery
Today, when digital cameras are more common than traditional ones, a personal presentation without a Photo Gallery could hardly exist. BLOG:CMS ships with Singapore Photo Gallery, using GD2 and/or ImageMagick to create thumbnails.

Wiki engine
A wiki engine is a great tool for any documentation needs and for collaboration on projects. Anybody can add information to a wiki resource. Some of the world's biggest knowledge resources are based on wiki engines. BLOG:CMS comes with the Dokuwiki engine, one of the best, and standards compliant.

Download!

You can always download the latest release of BLOG:CMS at sourceforge.net. Both zip format for Windows users, and tar.gz format for GNU/Linux users are provided.

These releases are currently available:

Release 3.5 - weblog, forum, photo gallery, news, wiki and contact sections (2350 KB): blogcms.3.5.2.pl3.zip (recommended).

Release 3.4 - weblog and contact sections (1150 KB): blogcms.3.4.final.zip.

Monday, January 10, 2005

 

Hello!

This is my first pilot post!
