funsec mailing list archives
Re: Drupal
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Thu, 17 Dec 2009 09:12:03 -0500
Thanks, I've gotten several offline responses.
http://drupal.org/security
8 advisories for Core in 2009, 7 of them some level of "critical". But some of the advisories roll up multiple vulnerabilities and they don't list them or provide CVE numbers. (This reminded me to search CVE. Yuck, lousy search facilities.)

This looks like the worst one: http://drupal.org/node/384024 ("The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn't take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files.") This was only Drupal 5.x, which is still supported, not the more current 6.x.

On the contributed projects (http://drupal.org/security/contrib), things look much busier and I have the sense that they're scratching the surface.

Personally, I wanted to use Sharepoint for this app because it's clearly the fastest way to a finished product. On the security end there are few advisories on it (http://secunia.com/advisories/product/13227/?task=statistics).

BTW, they made a lot of noise a few weeks back when it was announced that whitehouse.gov will be done in Drupal, but it seems that recovery.gov is in Sharepoint. I think data.gov is too. They put those sites up quickly.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com
http://blogs.pcmag.com/securitywatch/
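The advisory quoted above turns on one general point: a containment check written with POSIX path rules can pass a string that Windows canonicalizes differently, because Windows treats backslashes as separators and folds case. The following is an added illustration of that failure mode and of two defensive shapes for the check; it is not Drupal's code, and the theme directory, template names and the `.tpl.php` suffix are constructed values for the example.

```python
import ntpath
import posixpath
import re
from typing import FrozenSet, Optional

# Constructed values for the example; not Drupal's own layout or code.
THEME_DIR = "themes/site"
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def posix_only_check(name: str) -> bool:
    """Containment check that canonicalizes with POSIX rules only.

    On POSIX a backslash is an ordinary filename character, so a name
    like '..\\..\\x.php' is a single odd component and never leaves
    THEME_DIR.  Windows treats those backslashes as separators, so this
    check accepts a string that, on Windows, resolves outside the tree.
    """
    full = posixpath.normpath(posixpath.join(THEME_DIR, name))
    return full.startswith(THEME_DIR + "/")


def portable_check(name: str) -> bool:
    """Canonicalize under both rule sets and require the result to stay
    inside THEME_DIR under each of them (case-folded, since Windows is
    case-insensitive).  Rejects NUL bytes and empty names outright."""
    if not name or "\0" in name:
        return False
    for mod in (posixpath, ntpath):
        root = mod.normpath(THEME_DIR)
        full = mod.normpath(mod.join(THEME_DIR, name))
        if not full.lower().startswith(root.lower() + mod.sep):
            return False
    return True


def resolve_template(name: str, available: FrozenSet[str]) -> Optional[str]:
    """Preferred design: never build a filesystem path from a URL argument.
    Accept only a plain identifier that names a template already known to
    exist, then construct the path from trusted parts."""
    if not SAFE_NAME.fullmatch(name) or name not in available:
        return None
    return posixpath.join(THEME_DIR, name + ".tpl.php")


if __name__ == "__main__":
    # Constructed candidate names, including two that only a Windows
    # canonicalization would walk out of THEME_DIR.
    for candidate in ("page", "..\\..\\secret.php", "../../secret.php", "C:\\boot.ini"):
        print(f"{candidate!r:22} posix_only={posix_only_check(candidate)!s:5} "
              f"portable={portable_check(candidate)}")
    print(resolve_template("page", frozenset({"page", "node"})))
```

The `posix_only_check` column shows the gap: `"..\\..\\secret.php"` and `"C:\\boot.ini"` are accepted because `posixpath.normpath` never sees a separator in them, while `portable_check` rejects both. Even so, `resolve_template` is the shape to prefer: when the request can only select from a fixed set of names and the path is assembled from trusted parts, there is no canonicalization question left to get wrong on any platform.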
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Drupal Larry Seltzer (Dec 17)
- Re: Drupal Larry Seltzer (Dec 17)