[drupal-devel] Security in Drupal vs. Wordpress, Postnuke, Mambo
puregin at puregin.org
Sun Apr 24 22:04:56 UTC 2005
PostNuke in particular has been generating a lot of disclosures in
the security mailing lists.
I'd have to say that these particular Secunia results have little
with respect to Drupal. A sample of two is statistically meaningless.
Also, lumping in Drupal 4.0 through Drupal 4.6, and covering the time
period 2003 to 2005, ignores significant differences.
All that having been said, security is an issue that probably needs
to be addressed on a number of fronts.
- Code: design/code review and audits: how secure is Drupal, really?
How do we know?
- Communication: what we know about the security or insecurity of
Drupal should be
- People/groups: developers, administrators/users, potential
- Channels: User documentation, coding policies, Forums, mailing
lists (Drupal and external),
For example, what is the policy around disclosure? Where do security
get reported, what actions are taken? How do we notify people who
Drupal? How broadly do we take responsibility for security support -
Drupal security of course depends (in a typical installation) on Apache
security, and PHP security. There have been a lot of security problems
caused lately by MySQL holes and misconfiguration. Do we want to alert users to such
Another example: security is a moving target. I see SELinux
emerging as a potentially widely adopted mechanism for improving Linux security (and possibly
Installing and administering Drupal in such an environment isn't really
as simple as I'd like to see. Fundamentally, wherever there is a drupal_exec()
or more generally, a php exec() or similar call, SELinux systems
deny the exec. Morbus Iff had some suggestions for a work-around in
post, but I think this points out how emerging security standards will
impact on such fundamental architectural questions as depending on
external PHP modules (OK, from the SELinux POV) versus depending on
external executables such as ImageMagick (problematical).
On 24 Apr 2005, at 1:56 PM, Dan Robinson wrote:
> fascinating - one of the things is that it looks like Mambo has a lot
> of explaining to do in the security department.
>> Along with the new security contact form, etc., this blog post is
>> I can of course interpret the graphs, but I don't speak the
>> language. Looks like Secunia generated those graphs automatically.
>> Boris Mann
>> Vancouver 778-896-2747 / San Francisco 415-367-3595
>> IM boris_mann at jabber.org / SKYPE borismann
Djun M. Kim, Director
djun.kim at cielosystems.com
Cielo Systems Inc.
Strategic Software Research Tel: (604) 739-3941
302 - 1298 10th Avenue West FAX: (604) 739-3943
Vancouver, BC, V6H 1J4 Mobile:(778) 895-1379
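The message above argues that code which depends on an external executable (ImageMagick) breaks under SELinux, where an in-process PHP module does not, because the exec call itself is denied. As an added illustration, not code from the original post or from Drupal, here is a small PHP routine that prefers a PHP extension, probes the external binary only when exec() is enabled, and reports the reason when neither path works so an administrator sees the policy denial instead of a generic failure. The function names and the `convert -version` probe are assumptions of this example.

```php
<?php
// Added example for the SELinux/exec() discussion above; not code from the
// original post or from Drupal. It shows how an application can prefer an
// in-process PHP extension (GD) over spawning an external executable
// (ImageMagick's `convert`), and how to detect, rather than silently fail,
// when exec() is unavailable or the spawn is refused by the host policy.
// The function names and the `convert -version` probe are this example's own.

declare(strict_types=1);

/** True if exec() exists and is not listed in php.ini's disable_functions. */
function exec_is_enabled(): bool
{
    if (!function_exists('exec')) {
        return false;
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return !in_array('exec', $disabled, true);
}

/**
 * Probe an external binary by running it with a harmless version flag.
 * Returns true only when the process could be spawned and exited cleanly;
 * a policy denial (e.g. SELinux) typically surfaces here as a non-zero
 * exit status or empty output, not as a PHP exception.
 */
function external_binary_works(string $binary): bool
{
    if (!exec_is_enabled()) {
        return false;
    }
    $output = [];
    $status = 1;
    // escapeshellarg() keeps the binary name from being read as shell syntax.
    @exec(escapeshellarg($binary) . ' -version 2>&1', $output, $status);
    return $status === 0 && $output !== [];
}

/**
 * Pick an image backend. The preference order reflects the point in the post:
 * a PHP module stays inside the PHP process (fine from the SELinux point of
 * view), while an external executable needs an exec that the host may refuse.
 */
function choose_image_backend(): array
{
    if (extension_loaded('gd')) {
        return ['backend' => 'gd', 'reason' => 'in-process PHP extension available'];
    }
    if (external_binary_works('convert')) {
        return ['backend' => 'imagemagick', 'reason' => 'exec() allowed and convert responds'];
    }
    $reason = exec_is_enabled()
        ? 'exec() enabled but convert could not be run (missing binary or denied by host policy)'
        : 'exec() disabled in this PHP configuration';
    return ['backend' => 'none', 'reason' => $reason];
}

// Usage: report the decision so an administrator sees *why* image handling is
// unavailable instead of hitting a generic failure later in a request.
$choice = choose_image_backend();
printf("image backend: %s (%s)\n", $choice['backend'], $choice['reason']);
```

The design choice is to fail loudly at configuration time: an exec denied by SELinux looks, from inside PHP, much like a missing binary, so the probe distinguishes "exec() is disabled in PHP" from "exec() is permitted but the spawn did not succeed", which is the case the message describes.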