[drupal-devel] Security in Drupal vs. Wordpress, Postnuke, Mambo
puregin
puregin at puregin.org
Sun Apr 24 22:04:56 UTC 2005
PostNuke in particular has been generating a lot of disclosures in the security mailing lists.

I'd have to say that these particular Secunia results have little information content with respect to Drupal. A sample of two is statistically meaningless. Also, lumping in Drupal 4.0 through Drupal 4.6, and covering the time period 2003 to 2005, ignores significant differences.

All that having been said, security is an issue that probably needs to be addressed on a number of fronts.

- Code: design/code review and audits: how secure is Drupal, really? How do we know?
- Communication: what we know about the security or insecurity of Drupal should be clearly communicated.
- People/groups: developers, administrators/users, potential users.
- Channels: User documentation, coding policies, Forums, mailing lists (Drupal and external), marketing communication.

For example, what is the policy around disclosure? Where do security vulnerabilities get reported, and what actions are taken? How do we notify people who have installed Drupal? How broadly do we take responsibility for security support? For example, Drupal security of course depends (in a typical installation) on Apache security, MySQL security, and PHP security. There have been a lot of security problems caused lately by MySQL holes and misconfiguration. Do we want to alert users to such issues?

Another example: security is a moving target. I see SELinux emerging as a potentially widely adopted mechanism for improving Linux security (and possibly other Unixes). Installing and administering Drupal in such an environment isn't really as simple as I'd like to see. Fundamentally, wherever there is a drupal_exec() call made, or more generally, a PHP exec() or similar call, SELinux systems generally deny the exec. Morbus Iff had some suggestions for a work-around in a recent post, but I think this points out how emerging security standards will have an impact on such fundamental architectural questions as depending on external PHP modules (OK, from the SELinux POV) versus depending on external executables such as ImageMagick (problematical).

Argh! Security...
Djun
On 24 Apr 2005, at 1:56 PM, Dan Robinson wrote:
> fascinating - one of the things is that it looks like Mambo has a lot
> of explaining to do in the security department.
>
> Dan
>
>
>> Along with the new security contact form, etc., this blog post is
>> interesting:
>> http://sibowo.blogspot.com/2005/04/drupal-vs-wordpress-vs-postnuke-vs.html
>>
>> I can of course interpret the graphs, but I don't speak the
>> language. Looks like Secunia generated those graphs automatically.
>>
>> --
>> Boris Mann
>> http://www.bryght.com
>> Vancouver 778-896-2747 / San Francisco 415-367-3595
>> IM boris_mann at jabber.org / SKYPE borismann
>>
>>
>>
--
Djun M. Kim, Director
djun.kim at cielosystems.com
Cielo Systems Inc.
http://www.cielosystems.com
Strategic Software Research Tel: (604) 739-3941
302 - 1298 10th Avenue West FAX: (604) 739-3943
Vancouver, BC, V6H 1J4 Mobile:(778) 895-1379