[drupal-devel] Security in Drupal vs. Wordpress, Postnuke, Mambo
Along with the new security contact form, etc., this blog post is interesting: http://sibowo.blogspot.com/2005/04/drupal-vs-wordpress-vs-postnuke- vs.html I can of course interpret the graphs, but I don't speak the language. Looks like Secunia generated those graphs automatically.
-- Boris Mann http://www.bryght.com Vancouver 778-896-2747 / San Francisco 415-367-3595 IM boris_mann@jabber.org / SKYPE borismann
Fascinating - one of the things is that it looks like Mambo has a lot of explaining to do in the security department.
Dan
PostNuke in particular has been generating a lot of disclosures in the security mailing lists. I'd have to say that these particular Secunia results have little information content with respect to Drupal. A sample of two is statistically meaningless. Also, lumping in Drupal 4.0 through Drupal 4.6, and covering the time period 2003 to 2005, ignores significant differences.

All that having been said, security is an issue that probably needs to be addressed on a number of fronts.

- Code: design/code review and audits: how secure is Drupal, really? How do we know?
- Communication: what we know about the security or insecurity of Drupal should be clearly communicated.
- People/groups: developers, administrators/users, potential users.
- Channels: user documentation, coding policies, forums, mailing lists (Drupal and external), marketing communication.

For example, what is the policy around disclosure? Where do security vulnerabilities get reported, and what actions are taken? How do we notify people who have installed Drupal? How broadly do we take responsibility for security support? For example, Drupal security of course depends (in a typical installation) on Apache security, MySQL security, and PHP security. There have been a lot of security problems caused lately by MySQL holes and misconfiguration. Do we want to alert users to such issues?

Another example: security is a moving target. I see SELinux emerging as a potentially widely adopted mechanism for improving Linux security (and possibly other Unixes). Installing and administering Drupal in such an environment isn't really as simple as I'd like to see. Fundamentally, wherever there is a drupal_exec() call made, or more generally, a PHP exec() or similar call, SELinux systems generally deny the exec.
Morbus Iff had some suggestions for a work-around in a recent post, but I think this points out how emerging security standards will have an impact on such fundamental architectural questions as depending on external PHP modules (OK, from the SELinux POV) versus depending on external executables such as ImageMagick (problematical).

Argh! Security...

Djun

On 24 Apr 2005, at 1:56 PM, Dan Robinson wrote:
Fascinating - one of the things is that it looks like Mambo has a lot of explaining to do in the security department.
Dan
-- Djun M. Kim, Director
Cielo Systems Inc.
Strategic Software Research
djun.kim@cielosystems.com
http://www.cielosystems.com
Tel: (604) 739-3941
FAX: (604) 739-3943
Mobile: (778) 895-1379
302 - 1298 10th Avenue West, Vancouver, BC, V6H 1J4