Websites running on Drupal
seth vidal
skvidal at fedoraproject.org
Sat Nov 12 21:23:33 UTC 2005
On Sat, 2005-11-12 at 14:18 -0800, Thomas Chung wrote:
> (sorry if you're getting a duplicate message)
>
> On Sat, 12 Nov 2005 14:59:02 -0600, Patrick Barnes wrote
> > Do we have any information on Drupal's security track record? PHP has
> > had its fair share of problems.
> >
> > I'm not meaning to bash on Drupal or PHP, but these are important
> > concerns. I'm not going to pretend that Python and the Python software
> > currently in use are perfect, but security was one of the considerations
> > in their selection. It would be helpful to know how spreadfirefox.com
> > was compromised. If their failures were problems with Drupal or PHP, or
> > if they were problems elsewhere would be nice to know. Assuming we'll
> > not learn that, we need to at least thoroughly investigate the security
> > records of any software we consider.
>
> Here is a list of security track records for Drupal 4.x from secunia.
>
> http://secunia.com/product/342/
>
> Basically there was 1 security advisory in 2002, 2003, then 5 security advisories in 2005.
>
Thomas, it'd be more interesting to look on the defacement sites and
find out how many sites were defaced running Drupal - as that metric
gives us the more worrisome result.

Moreover - you need to count every remotely-exploitable issue in PHP in
a module that Drupal uses.

php-xml-rpc, specifically, should be fun to watch.
-sv