funsec mailing list archives

Re: Drupal

From: "Larry Seltzer" <larry () larryseltzer com>
Date: Thu, 17 Dec 2009 09:12:03 -0500

Thanks, I've gotten several offline responses.

http://drupal.org/security

8 advisories for Core in 2009, 7 of them some level of "critical". But
some of the advisories roll up multiple vulnerabilities and they don't
list them or provide CVE numbers. (This reminded me to search CVE. Yuck,
lousy search facilities.)

This looks like the worst one: http://drupal.org/node/384024 ("The
Drupal theme system takes URL arguments into account when selecting a
template file to use for page rendering. While doing so, it doesn't take
into account how Windows arrives at a canonicalized path. This enables
malicious users to include files, readable by the webserver and located
on the same volume as Drupal, and to execute PHP contained within those
files.") This was only Drupal 5.x, which is still supported, not the
more current 6.x.

On the contributed projects (http://drupal.org/security/contrib), things
look much busier and I have the sense that they're scratching the
surface.

Personally, I wanted to use Sharepoint for this app because it's clearly
the fastest way to a finished product. On the security end there are few
advisories on it
(http://secunia.com/advisories/product/13227/?task=statistics).

BTW, they made a lot of noise a few weeks back when it was announced
that whitehouse.gov will be done in Drupal, but it seems that
recovery.gov is in Sharepoint. I think data.gov is too. They put those
sites up quickly.

Larry Seltzer
Contributing Editor, PC Magazine

larry_seltzer () ziffdavis com

http://blogs.pcmag.com/securitywatch/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.