[drupal-devel] Security in Drupal vs. Wordpress, Postnuke, Mambo

puregin puregin at puregin.org
Sun Apr 24 22:04:56 UTC 2005


PostNuke in particular has been generating a lot of disclosures in
the security mailing lists.

I'd have to say that these particular Secunia results have little
information content with respect to Drupal.  A sample of two is
statistically meaningless.  Also, lumping in Drupal 4.0 through Drupal
4.6, and covering the time period 2003 to 2005, ignores significant
differences.

All that having been said, security is an issue that probably needs to
be addressed on a number of fronts.

    - Code: design/code review and audits: how secure is Drupal, really?
      How do we know?
    - Communication: what we know about the security or insecurity of
      Drupal should be clearly communicated.
        - People/groups: developers, administrators/users, potential
          users.
        - Channels: user documentation, coding policies, forums, mailing
          lists (Drupal and external), marketing communication.

For example, what is the policy around disclosure?  Where do security
vulnerabilities get reported, and what actions are taken?  How do we
notify people who have installed Drupal?  How broadly do we take
responsibility for security support?  For example, Drupal security of
course depends (in a typical installation) on Apache security, MySQL
security, and PHP security.  There have been a lot of security problems
caused lately by MySQL holes and misconfiguration.  Do we want to alert
users to such issues?

Another example: security is a moving target.  I see SELinux emerging
as a potentially widely adopted mechanism for improving Linux security
(and possibly other Unixes).  Installing and administering Drupal in
such an environment isn't really as simple as I'd like to see.
Fundamentally, wherever there is a drupal_exec() call made, or more
generally a PHP exec() or similar call, SELinux systems generally deny
the exec.  Morbus Iff had some suggestions for a work-around in a
recent post, but I think this points out how emerging security
standards will have an impact on such fundamental architectural
questions as depending on external PHP modules (OK, from the SELinux
POV) versus depending on external executables such as ImageMagick
(problematic).

     Argh!  Security...

     Djun


On 24 Apr 2005, at 1:56 PM, Dan Robinson wrote:

> fascinating - one of the things is that it looks like Mambo has a lot
> of explaining to do in the security department.
>
> Dan
>
>
>> Along with the new security contact form, etc., this blog post is
>> interesting:
>> http://sibowo.blogspot.com/2005/04/drupal-vs-wordpress-vs-postnuke-vs.html
>>
>> I can of course interpret the graphs, but I don't speak the
>> language.  Looks like Secunia generated those graphs automatically.
>>
>> -- 
>> Boris Mann
>> http://www.bryght.com
>> Vancouver 778-896-2747 / San Francisco 415-367-3595
>> IM boris_mann at jabber.org / SKYPE borismann
>>
>>
>>
--
Djun M. Kim, Director                           
djun.kim at cielosystems.com
Cielo Systems Inc.                              
http://www.cielosystems.com
Strategic Software Research                     Tel:   (604) 739-3941
302 - 1298 10th Avenue West                     FAX:   (604) 739-3943
Vancouver, BC, V6H 1J4                          Mobile:(778) 895-1379
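As an added illustration of the SELinux point above (this is not code from the post or from the Drupal project): an administrator who suspects that a drupal_exec()/exec() call is being silently blocked should confirm it from the audit log rather than guess. The script below scans constructed AVC lines for execute denials raised by the Apache domain; the domain name httpd_t and the sample log lines are assumptions made for the example.

```python
import os
import re
from collections import Counter

# Constructed sample audit.log excerpt (not captured from a real system):
# two denials for httpd trying to run ImageMagick's "convert", one unrelated
# file read denial, and one denial from a different domain (cron).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1114380296.101:201): avc:  denied  { execute } for  pid=2041 comm="httpd" name="convert" dev=sda1 ino=49377 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1114380297.455:202): avc:  denied  { execute_no_trans } for  pid=2042 comm="httpd" path="/usr/bin/convert" dev=sda1 ino=49377 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1114380300.002:203): avc:  denied  { read } for  pid=2043 comm="httpd" name="settings.php" dev=sda1 ino=77812 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1114380301.330:204): avc:  denied  { execute } for  pid=980 comm="cron" name="backup.sh" dev=sda1 ino=11234 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Fields of an AVC denial record; "name=" or "path=" identifies the target file.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]+)"(?:\s+(?:name|path)="(?P<target>[^"]+)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)

# Permissions that mean "run this file" rather than merely read or map it.
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint"}


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # A context is user:role:type[:level]; the third field is the type/domain.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def web_exec_denials(log_text, web_domain="httpd_t"):
    """Denials where the web server domain was refused execution of a file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["sdomain"] == web_domain and rec["tclass"] == "file" \
                and rec["perms"] & EXEC_PERMS:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count blocked executables by basename so repeat offenders stand out."""
    return Counter(os.path.basename(h["target"] or "<unknown>") for h in hits)
```

A non-empty summary tells the administrator which external binary Drupal is trying to launch from under Apache; whether to allow it through local policy or replace the call with an in-process PHP extension is then an explicit decision rather than a mystery failure.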