Software as a Service:

• AspireCMS,
• Clickability,
• Knivis,
• Crownpeak,
• Hot Banana,
• Marqui and others

Enterprise:

• Sitecore,
• FatWire,
• Vignette,
• Interwoven,
• Documentum,
• MySource Matrix (Squiz),
• Alfresco,
• Oracle,
• IBM Web Content Management,
• SDL Tridion and others

Mid-market:

• Microsoft SharePoint,
• Kentico,
• Goss Interactive,
• Contrexx,
• Ektron,
• PaperThin,
• Ingeniux,
• Terapad,
• Cascade Server,
• Day Software,
• Logical CMS and others

Open source:

• Magnolia,
• Plone,
• Joomla,
• Drupal,
• Exponent CMS,
• Alfresco,
• Sensenet 6.0,
• MiaCMS,
• MMBase,
• TYPO3,
• MySource Matrix (Squiz),
• WordPress,
• DotNetNuke,
• MyWebPageStarterKit

Incoming search terms:

• dotnetnuke or terapad
• web system history

Below is a list of the 10 most common security vulnerabilities in web applications, and how Plone addresses these. The full background for this list can be found at the Open Web Application Security Project web site.

Problem A1: Unvalidated Input

How Plone handles this: All input in Plone is validated, and the framework makes sure you can never input data that is not of the required type. This is probably the number one reason why Plone sites — even when deployed and developed by people new to web security — are not compromised.

Problem A2: Broken Access Control

How Plone handles this: Plone is based on the well-proven (7 years in production), flexible and granular ACL/roles-based security model of Zope. In addition, Plone utilizes an innovative workflow approach to security, which means that end-users never see or modify the security settings — they only work with security presets that have been supplied to them by the developers of the application. This makes the potential for security errors orders of magnitude less likely to happen.

Problem A3: Broken Authentication and Session Management

How Plone handles this: Plone authenticates users in its own database using a SHA-1 hash of their password. Using its modular authentication system Plone can also authenticate users against common authentication systems such as LDAP and SQL as well as any other system for which a plugin is available (Gmail, OpenID, etc.). After authentication, Plone creates a session using a SHA-1 hash of a secret stored on the server and the userid (HMAC-SHA-1). Secrets can be refreshed on a regular basis to add extra security where needed. Note: Older Plone versions (i.e. before Plone 3) use a less secure method where a session cookie containing both the loginname and password for a user are used. It is highly recommended to enforce use of HTTPS encryption for such sites.

Problem A4: Cross Site Scripting

How Plone handles this: Plone has strong filtering in place to make sure that no potentially malicious code can ever be entered into the system. All content that is inserted is stripped of malicious tags like <script>, <embed> and <object>, as well as removing all <form> related tags, stopping users from impersonating any kind of HTTP POST requests. All destructive operations (like deletion of content) and privilege elevation (roles, permissions) are checked to be valid HTTP POST request in addition to the usual security checking. On an infrastructure level, the template language used to create pages in Plone quotes all HTML by default, effectively preventing cross site scripting.

Problem A5: Buffer Overflow

How Plone handles this: Buffers overflow vulnerabilities are not known to exist in the current versions of Python, and is usually more common in systems based on languages that do not have strict checking for this, like C.

Problem A6: Injection Flaws

How Plone handles this: This is usually common in systems that use SQL for its content storage. Plone does not use SQL by default, and when setting up SQL databases with Plone, they always communicate through a standard SQL connector that neutralizes injection attempts automatically.

Problem A7: Improper Error Handling

How Plone handles this: Plone provides almost information on the front end (no stack traces etc) when there is an error, but logs the error internally instead. All the front-end user will see is the log entry number of the error that was caused, allowing the error to be located in the logs if it is reported to the site admin.

Problem A8: Insecure Storage

How Plone handles this: All the cryptographic methods in use in the Plone stack are been exposed to public scrutiny for years, and have no known vulnerabilities.

Problem A9: Application Denial of Service

How Plone handles this: The most common setup for a Plone site is to utilize a caching proxy like Squid, Varnish, Apache or IIS. When configured in this way, it’s very hard to bring down a Plone site with DoS attacks. (Note: In versions earlier than Plone 2.1.4 and 2.5.1, there was a potential Denial of Service attack identified in the error page of Plone, which was unnecessarily heavy. This was fixed as part of a bigger security audit performed in the same timeframe, and the current releases of Plone do not suffer from this problem.

A10 Insecure Configuration Management

How Plone handles this: Plone has very strict security defaults out-of-the-box, and also runs as an unprivileged user on the server. Web users do not have access to the file system. Because of these factors, the most common security configuration vulnerabilities in this area are avoided.

Security track record

Measuring or quantifying security risks in software is hard — security is a process, not a product, and thus requires constant vigilance and good coding practices combined with security reviews. One interesting measure is the number of vulnerabilities reported by the MITRE’s Common Vulnerabilities and Exposures database, which is the main source for tracking and naming security issues.

Here are some counts of the numbers of known vulnerabilities and exposures in some common CMS platforms and their technology stacks – also note that the Python/Zope/Plone stack has existed for several years longer than the others mentioned:

• Plone/Zope/Python stack:
  • CVE Entries containing Plone: 3
  • CVE Entries containing Zope: 15 (only 3 since 2004)
  • CVE Entries containing Python: 17
• PHP-based stacks:
  • CVE Entries containing Drupal: 22
  • CVE Entries containing Mambo: 31
  • CVE Entries containing Joomla: 20
  • CVE Entries containing MySQL: 99
  • CVE Entries containing PHP: 1258
• Other stacks:
  • CVE Entries containing Perl: 97

These numbers do not prove anything by themselves, of course — but do suggest a general trend, and are a good approximation of our security track record compared to other systems.

O’Reilly Media wants to help make working with the Drupal web content management system just a bit easier. Many people realize that when working with a CMS of any kind, even an open source option, things can get pretty hairy for those not overly savvy with code and module configuration. Using Drupal’s goal is to eliminate as much frustration and as many wrong turns as possible.

Go to Source

Drupal is at it again with another round of updated releases. While not major releases, these new versions from Drupal do address a number of security fixes and bugs that were brought to their attention via Drupal’s bug tracking system.

Go to Source

The items on HarvardScience are written specifically for the site or are selected from recent publications, press releases, newsletters, newspapers, and Web sites produced by Harvard University and its affiliates. It is not intended to be comprehensive. We hope that you will use HarvardScience as a gateway to research at Harvard University.

Contact Information

• Network Operations Center, 60 Oxford St
  Cambridge, MA
  02138
  US
• Phone: +1 617 496 8500
  jay_tumas@harvard.edu

Other Information

• Pagerank 8.0
• Alexa Rank 1,442
• Other sites that link to this site: 230
• Harvard.edu was first registered on: 27-Jun-1985.
• Visit HarvardScience

Find free music, charts, videos and reviews with Cat Deeley and Richard Blackwood at this UK online magazine. Including radio, chat, screensavers, hip-hop, and dance news.

Other Information

• Pagerank 5.0
• Alexa Rank :  6,787
• Other sites that link to this site: 1,978
• Mtv.co.uk was first registered on: 24-Sep-1996.
• Visit http://www.mtv.co.uk

• Community web portals
• Discussion sites
• Corporate web sites
• Intranet applications
• Personal web sites or blogs
• Aficionado sites
• E-commerce applications
• Resource directories
• Social Networking sites

Drupal is ready to go from the moment you download it. It even has an easy-to-use web installer! The built-in functionality, combined with dozens of freely available add-on modules, will enable features such as:

• Content Management Systems
• Blogs
• Collaborative authoring environments
• Forums
• Peer-to-peer networking
• Newsletters
• Podcasting
• Picture galleries
• File uploads and downloads and much more.

Drupal is open-source software distributed under the GPL (“GNU General Public License”) and is maintained and developed by a community of thousands of users and developers. If you like what Drupal promises for you, please work with us to expand and refine Drupal to suit your specific needs.

General features

• Collaborative Book – Our unique collaborative book feature lets you setup a “book” and then authorize other individuals to contribute content.detailed information
• Friendly URLs – Drupal uses Apache’s mod_rewrite to enable customizable URLs that are both user and search engine friendly.
• Modules – The Drupal community has contributed many modules which provide functionality that extend Drupal core.detailed information
• Online help – Like many Open Source projects, we can’t say that our online help is perfect but have built a robust online help system built into the core help text. Available to you on your own site.detailed information
• Open source – The source code of Drupal is freely available under the terms of the GNU General Public License 2 (GPL). Unlike proprietary blogging or content management systems, Drupal’s feature set is fully available to extend or customize as needed.detailed information
• Personalization – A robust personalization environment is at the core of Drupal. Both the content and the presentation can be individualized based on user-defined preferences.
• Role based permission system – Drupal administrators don’t have to tediously setup permissions for each user. Instead, they assign permissions to roles and then group like users into a role group.screenshot . detailed information
• Searching – All content in Drupal is fully indexed and searchable at all times if you take advantage of the built in search module.

User management

User authentication – Users can register and authenticate locally or using an external authentication source like Jabber, Blogger, LiveJournal or another Drupal website. For use on an intranet, Drupal can integrate with an LDAP server.detailed information

Content management

• Polls – Drupal comes with a poll module which enables admins and/or users to create polls and show them on various pages.detailed information
• Templating – Drupal’s theme system separates content from presentation allowing you to control the look and feel of your Drupal site. Templates are created from standard HTML and PHP coding meaning that you don’t have to learn a proprietary templating language.detailed information
• Threaded comments – Drupal provides a powerful threaded comment model for enabling discussion on published content. Comments are hierarchical as in a newsgroup or forum.detailed information
• Version control – Drupal’s version control system tracks the details of content updates including who changed it, what was changed, the date and time of changes made to your content and more. Version control features provide an option to keep a comment log and enables you to roll-back content to an earlier version.screenshot

Blogging

• Blogger API support – The Blogger API allows your Drupal site to be updated by many different tools. This includes non-web browser based tools that provide a richer editing environment.detailed information
• Content syndication – Drupal exports your site’s content in RDF/RSS format for others to gather. This lets anyone with a News Aggregator browse your Drupal sites feeds.detailed information
• News aggregator – Drupal has a powerful built-in News Aggregator for reading and blogging news from other sites. The News Aggregator caches articles to your MySQL database and its caching time is user configurable.detailed information
• Permalinks – All content created in Drupal has a permanent link or “perma link” associated with it so people can link to it freely without fear of broken links.

Platform

• Apache or IIS, Unix / Linux / BSD / Solaris / Windows / Mac OS X support – Drupal was designed from the start to be multi-platform. Not only can you use it with either Apache or Microsoft IIS but we also have Drupal running on Linux, BSD, Solaris, Windows, and Mac OS X platforms.detailed information
• Database independence – While many of our users run Drupal with MySQL, we knew that MySQL wasn’t the solution for everyone. Drupal is built on top of a database abstraction layer that enables you to use Drupal with MySQL and PostgreSQL. Other SQL databases can be supported by writing a supporting database backend containing fourteen functions and creating a matching SQL database scheme.detailed information
• Multi-language – Drupal is designed to meet the requirements of an international audience and provides a full framework to create a multi-lingual website, blog, content management system or community application. All text can be translated using a graphical user interface, by importing existing translations, or by integrating with other translation tools such as the GNU gettext.detailed information

Administration and analysis

• Analysis, Tracking and Statistics – Drupal can print browser-based reports with information about referrals, content popularity and how visitors navigate your site.screenshot . detailed information
• Logging and Reporting – All important activities and system events are captured in an event log to be reviewed by an administrator at a later time.screenshot . detailed information
• Web based administration – Drupal can be administered entirely using a web browser, making it possible to access it from around the world and requires no additional software to be installed on your computer.screenshot

Community features

• Discussion forums – Full discussion forum features are built into Drupal to create lively, dynamic community sites.detailed information
  Performance and scalability

Caching – The caching mechanism eliminates database queries increasing performance and reducing the server’s load. Caching be tuned in real time and many high-traffic sites have performed very well under load.detailed information.

Other Information

• Initial release  January 2001 (2001-01)
• Latest release  6.8 / 11 December 2008; 10 days ago
• Written in  PHP
• OS  Cross-platform
• Type  Content management framework, Content management system, Community and Blog software
• License  GPL

Links

• Drupal News
• Download Drupal 6.8
• Download Drupal 5.14
• Visit drupal.org

Overall Winner

1. Drupal – Drupal is a free software package that allows an individual or a community of users to easily publish, manage and organize a wide variety of content on a website, Tens of thousands of people and organizations are using Drupal to power scores of different web sites, including
   
2. Joomla! – Joomla is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease-of-use and extensibility have made Joomla the most popular Web site software available. Best of all, Joomla is an open source solution that is freely available to everyone..
3. DotNetNuke - DotNetNuke is an open source web application framework written in VB.NET for the ASP.NET framework. The application’s content management system is extensible and customizable through the use of skins and modules, and it can be used to create, deploy, and manage intranet, extranet, and web sites.

Most Promising Open Source CMS

1. SilverStripe – SilverStripe is a free and open source programming framework and content management system (CMS) for creating and maintaining websites. The CMS provides an intuitive web-based administration panel, allowing any person to maintain their website without knowledge of markup or programming languages.
2. CMS Made Simple – CMS Made Simple is an open source (GPL) package, built using PHP that provides website developers with a simple, easy to use utility to allow building small-ish (dozens to hundreds of pages), semi-static websites. Typically our tool is used for corporate websites, or the website promoting a team or organization, etc. ..
   
3. ImpressCMS
4. MiaCMS

Best PHP Open Source Content Management System

1. Drupal
2. Joomla!, CMS Made Simple

Best Other Open Source Content Management System

1. Plone
2. dotCMS
3. DotNetNuke

Drupal has announced that there will be no new features added to 6.x or 5.x. They are holding the feature updates and implementation of new features until they are ready to release Drupal 7.x in the near future.

A 7th security update for version 6 and the 13th security update for version 5 may not mean a whole slew of new features, but they do address major security issues.

Security Issues

In both versions there are potential vulnerabilities to users for creating cross site request forgeries as well as cross site scripting. Both of these vulnerabilities could potentially result in database damage or unfiltered content being published inadvertently.

Whether you are using Drupal 6.x or Drupal 5.x, it is highly recommended by the community to update to the newest version to eliminate the potential for security infringements.

There are two options to upgrade:.
Patching or Upgrading Current Drupal Versions

The first option for updating your Drupal version 5.x or 6.x is to simply patch your current core files with the updated ones. This is not the best option as the patch files do not contain certain bug fixes.

The second and best option is to do a full upgrade. This will ensure that all security fixes and bug fixes are addressed in your particular core code. You will also be better prepared for the Drupal 7 update which is expected to contain a number of new features.

It is also highly recommended that you run update.php to refresh the menu cache and other website caches. If you are using custom .htaccess or robot.txt files, you will want to make sure that any custom changes are retained since the updates modify both of these files.

Full upgrade files and patch files can be found here:

* Drupal 5.13 upgrade files
* Drupal 6.7 upgrade files
* Drupal 5.13 patch files
* Drupal 6.7 patch files

If you are using PHP 5.1.x or lower there is a warning that comes up upon login. According to the Drupal Community, “That patch has been rolled back in CVS, and we will be doing a bug fix release on December 11th.”
Get Ready for Drupal 7

Want new Drupal features? You’ll have to wait for Drupal 7 to be released. Until then get the upgrade files and ensure that your site is secure against the malicious threats described above.

If you are interested in learning more about Drupal, DrupalCon DC, the premier conference for Drupal developers, is right around the corner in March. While final submissions for sessions is over, tickets are still available. Get yours today and learn all the ins and outs of Drupal.

CMSWire

Packt Publishing

Accepting nominations since mid-July, Packt Publishing announced this week the finalists for its 2008 Open Source CMS Awards. Final voting began on Sept. 1 and runs through Oct. 20.

This is the third year for the awards, which are designed to “encourage, support, recognize, and reward” popularity and quality in open source content management systems. The finalists for each of the four main categories are as follows:

Overall Open Source CMS Award Finalists

• DotNetNuke
• Drupal
• Joomla
• Plone
• TYPOlight

Most Promising Open Source CMS Finalists

• CMS Made Simple
• ImpressCMS
• MiaCMS
• MemHT
• SilverStripe

Best PHP Open Source CMS Finalists

• CMS Made Simple
• Drupal
• eZ Publish
• Joomla
• Xoops

Best Other Open Source CMS Finalists

• dotCMS
• DotNetNuke
• mojoPortal
• Plone
• Umbraco

In addition to awards for the systems themselves, an Open Source CMS MVP Award will be given to an outstanding individual contributor. The winners in each category will be determined by a panel of four judges whose votes will be combined with those from the public. Announcements of the winners will be staggered:

Oct. 27: Open Source CMS MVP
Oct. 28: Best Other (non-PHP based) Open Source CMS
Oct. 29: Best PHP Open Source CMS
Oct. 30: Most Promising Open Source CMS
Oct. 31: Overall Open Source CMS Award

The project team for the overall winner gets a prize of $5,000, with an additional $15,000 in prizes going to winners and runners-up other categories.

To learn more about each of the projects and cast your vote, visit Packt Publishing’s finalist page.