Websites running on Drupal

seth vidal skvidal at fedoraproject.org
Sat Nov 12 21:23:33 UTC 2005


On Sat, 2005-11-12 at 14:18 -0800, Thomas Chung wrote:
> (sorry if you're getting a duplicate message)
> 
> On Sat, 12 Nov 2005 14:59:02 -0600, Patrick Barnes wrote
> > Do we have any information on Drupal's security track record?  PHP has
> > had its fair share of problems.
> > 
> > I'm not meaning to bash on Drupal or PHP, but these are important
> > concerns.  I'm not going to pretend that Python and the Python software
> > currently in use are perfect, but security was one of the considerations
> > in their selection.  It would be helpful to know how spreadfirefox.com
> > was compromised.  If their failures were problems with Drupal or PHP, or
> > if they were problems elsewhere would be nice to know.  Assuming we'll
> > not learn that, we need to at least thoroughly investigate the security
> > records of any software we consider.
> 
> Here is a list of security track records for Drupal 4.x from secunia.
> 
> http://secunia.com/product/342/
> 
> Basically there was 1 security advisory in 2002 and 2003, then 5 security advisories in 2005.
> 

Thomas, it'd be more interesting to look at the defacement sites and
find out how many sites were defaced running Drupal, as that metric
gives us the more worrisome result.

Moreover, you need to count every remotely exploitable issue in PHP in
a module that Drupal uses.

php-xml-rpc, specifically, should be fun to watch.

-sv


