User:Dandaman32/Enano CMS
From Wikipedia, the free encyclopedia
| Enano CMS | |
|---|---|
| Logo | Image:Enanocms-logo.png |
| Screenshot | A relatively clean install of Enano 1.0 |
| Developed by | Dan Fuhry |
| Latest release | 1.0.3 / December 12, 2007 |
| OS | Cross-platform |
| Available in | English |
| Development status | Stable |
| License | GNU General Public License |
| Website | http://enanocms.org/ |
In computing, Enano CMS is a free software, open source hybrid content management system and wiki engine written in PHP. The first of its kind, Enano combines many of the features commonly found in content management systems with the features of a wiki, allowing the website administrator to combine a static website and a free-flowing wiki into one consistent interface.
Enano is touted to integrate many Web 2.0 features such as AJAX and user-created content. It uses AJAX to perform most page-related operations, including editing, protection, and renaming. The log-in and log-out boxes also use modal dialogs written in JavaScript, with back-up versions available for browsers that do not support JavaScript or have it disabled.
As a consequence of Enano's plugin system, it is particularly lacking in features such as built-in forums, support for a blog or portal, and a shoutbox, when compared with other content management suites. While some of these features have been added through plugins, Enano continues to lag behind mainstream CMS projects in the area of features.
History
The first prototype of Enano was developed in early 2006 and released under the name Advanced Articles. Advanced Articles only made two releases (0.1 and 0.2), and its odd system of organization made it difficult to use. In August and September of 2006, the AA codebase was rewritten from scratch in an attempt to make AA more like MediaWiki but with features designed to be friendly to less experienced users. The first beta was released under the name Midget CMS, and only then did the author realize that the name was already taken. The project was renamed to Enano (ironically, the Spanish word for "midget" or "dwarf") and the second beta was released.
In late October 2006, Enano's development slowed nearly to a halt for about two months, and its website at times was down. This was mainly due to problems with the author's ISP. In January 2007, beta 3 was released. This beta was considerably more feature-complete. In early July of 2007, the first stable release was made. Midway through 1.0RC2, the project leader decided to start using Mercurial as the revision control for the project.
In August 2007, the project site was plagued with server issues, and the project subsequently moved between hosting providers to stabilize the site. On September 12, 2007, the Enano CMS Project announced that a hosting provider had been found that gave stable, scalable hosting. The server provider, Network Redux, offered the project free hosting, as it often does with FOSS projects. Network Redux also sponsors Adium, ImageMagick, and Simple Machines Forum.
In November 2007, the project decided to focus nearly all of its work on the unstable 1.1.x series of the software. The 1.1.x series had been created a few days after 1.0 was announced, but it had been neglected after basic internationalization in the UI was complete. In December 2007, Enano's pace of development changed considerably. The amount of work done on the 1.1.x core increased sizably during December, and the framework needed for PostgreSQL support was made available in the Mercurial revisions of both Enano 1.0.x and 1.1.x. Avatar support was implemented in 1.1.x on December 21 in the Mercurial revision. Various issues in the 1.1.x core were also fixed, which made the 1.1.x core installable for the first time in months.
Security problems
Around the time of the beta 3 release, a routine security audit was being done and a major security vulnerability was discovered in the session manager. While the bug was patched in beta 3, the session continued to use a relatively insecure method of authentication. In 1.0RC1, the session manager was rewritten to use AES to encrypt logon information, substantially increasing the security of logins.
Just weeks before the scheduled release of version 1.0, several major security flaws were discovered in Enano's page-handler, including an XSS vulnerability that allowed insertion of arbitrary HTML.[1] The Enano team immediately released 1.0RC3, which was literally pulled from bleeding-edge development code and rebranded, and thus was a particularly unstable release.
Criticism
Enano's relatively young age means that it lacks the stability that many older CMSs have. Since there is only one developer at present, testing is often difficult and many releases have annoying bugs, especially on unusual server configurations. However, these issues are being (slowly) overcome.
Enano's security model varies greatly from that of most web applications. It uses a PHP-based encryption routine (which implements the AES algorithm) to encrypt passwords before storing them in the database. However, this technique is slightly insecure, as it can lead to users' passwords being decrypted completely should both the database and the main configuration file be compromised. Proponents of this system point out that the user's request is much more likely to be sniffed (using tcpdump or a similar utility) than both the database and the configuration file (which contains the master key used to encrypt passwords in the database) are to be compromised. For the time being, Enano uses a JavaScript-based authentication mechanism, with a fallback for incompatible browsers available, to encrypt passwords with AES before sending them over the Internet. The problem is that the encryption key is sent as plain text over HTTP prior to authentication. This is said to be more secure than transmitting the password over HTTP completely unencrypted, but the project has not been able to implement the Diffie-Hellman key exchange in JavaScript, or in PHP without using GMP, BCMath, or PHP's built-in 64-bit integer support.
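The two trade-offs described above, reversible storage versus a one-way hash and a login key sent in clear versus a Diffie-Hellman exchange, can be compared in a short Node.js sketch. This is an added example, not Enano's code: the function names, AES-256-GCM, scrypt and the RFC 3526 group are assumptions chosen for illustration.

```javascript
const crypto = require('crypto');

// AES helpers. AES-256-GCM is an assumption; the page only says "AES".
function aesEncrypt(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function aesDecrypt(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Storage as described: reversible encryption under the config-file master key.
// Anyone holding both the row and the key reads the password back.
const storeReversible = (masterKey, password) => aesEncrypt(masterKey, password);
const recoverFromStore = (masterKey, row) => aesDecrypt(masterKey, row);

// Alternative at rest: salted one-way hash (scrypt); the row can only verify.
function storeHashed(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const verifyHashed = (row, attempt) =>
  crypto.timingSafeEqual(row.hash, crypto.scryptSync(attempt, row.salt, 32));

// Login as described: the AES key crosses the wire in clear before the
// ciphertext, so the captured transcript alone decrypts the password.
function loginKeyInClear(password) {
  const key = crypto.randomBytes(32);
  return { key, msg: aesEncrypt(key, password) }; // everything here is on the wire
}

// Login with Diffie-Hellman (RFC 3526 group 14): only public values are sent.
const deriveKey = (dh, peerPub) =>
  crypto.createHash('sha256').update(dh.computeSecret(peerPub)).digest();
function loginWithDh(password) {
  const server = crypto.getDiffieHellman('modp14');
  const client = crypto.getDiffieHellman('modp14');
  const wire = { serverPub: server.generateKeys(), clientPub: client.generateKeys() };
  wire.msg = aesEncrypt(deriveKey(client, wire.serverPub), password);
  const serverReads = aesDecrypt(deriveKey(server, wire.clientPub), wire.msg);
  return { wire, serverReads };
}
```

Unauthenticated Diffie-Hellman over plain HTTP only resists passive capture; serving the login over TLS covers both the passive and the active case.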
Perhaps the biggest issue with Enano is the fact that it lacks any sort of external documentation. While the user interface attempts to be self-documenting, there is no formal user's manual for Enano. This is mainly because Enano's user base is not big enough for someone to have volunteered to write good end-user documentation. The website has asked for assistance with writing documentation.[2]

