On Sat, 2005-11-12 at 14:18 -0800, Thomas Chung wrote:
> (sorry if you're getting a duplicate message)
>
> On Sat, 12 Nov 2005 14:59:02 -0600, Patrick Barnes wrote
> > Do we have any information on Drupal's security track record? PHP has
> > had its fair share of problems.
> >
> > I'm not meaning to bash on Drupal or PHP, but these are important
> > concerns. I'm not going to pretend that Python and the Python software
> > currently in use are perfect, but security was one of the considerations
> > in their selection. It would be helpful to know how spreadfirefox.com
> > was compromised. Whether their failures were problems with Drupal or PHP, or
> > problems elsewhere, would be nice to know. Assuming we'll
> > not learn that, we need to at least thoroughly investigate the security
> > records of any software we consider.
>
> Here is a list of security track records for Drupal 4.x from secunia.
>
> http://secunia.com/product/342/
>
> Basically there was 1 security advisory in 2002 and 2003, then 5 security advisories in 2005.
>

Thomas, it'd be more interesting to look at the defacement sites and find out how many sites were defaced running drupal - as that metric gives us the more worrisome result.

Moreover - you need to count every remotely-exploitable issue in php in a module that drupal uses. php-xml-rpc, specifically, should be fun to watch.

-sv