Greetings,

I was pointed to this discussion by one of the developers in the Drupal community who did not have time to follow up. While I am not about to step into your decision about which CMS to use, as you need to pick one that fits your needs and mission, I have to disagree with this statement:

>On Mon, 2005-12-05 at 16:58 -0600, Patrick Barnes wrote:
>> If we decide we need a CMS solution, what can we do to make a PHP
>> solution like Drupal as secure as possible? We can disable XML-RPC.
>> What other features would we need to disable? Would this cripple Drupal
>> beyond usefulness?
>
>Hell yes.
>
>http://secunia.com/advisories/17824/
>
>--
>Ignacio Vazquez-Abrams <ivazquez ivazquez net>

Disabling XML-RPC does not cripple Drupal. It does not even seriously impact Drupal at all. Without it, you will not be able to use remote blogging software such as http://blogtk.sourceforge.net/. Nor will you be able to configure it to remotely pull Flickr images through the blogapi. Of course, you might want this functionality; many people do, which has always confused me ...

The security vulnerability was discovered within the community, fixed quickly and announced by the developers. Please note that the XML-RPC vulnerability was with the library used by Drupal and many other projects. Drupal now uses a different library as a result. Additional focus has been added to help ensure that such a vulnerability is less likely to happen again.

Like Greg Knaddison, I just stopped by to answer any specific questions about Drupal. I will remain subscribed for a few days, but you folks need to decide what CMS meets your needs and usage. I think Drupal would work for you, but I'm sort of biased. :)

http://drupal.org/user/5195

I now return you to your regularly scheduled discussion.

-sp