news.fp.o

Jeffrey Tadlock linux at elfshadow.net
Thu Feb 21 18:13:14 UTC 2008


2008/2/21 Toshio Kuratomi <a.badger at gmail.com>:
>  This is a highly inaccurate measure of security but it's something to
>  look at.  I wonder if lkundrak and the security team have a preference
>  for blogging/news software :-)
>
>  Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
>        wordpress  drupal  mediawiki  zope  plone
>  2008     30        17        1        0     0
>  2007     64        37        7        2     1
>  2006     21        39        4        1     3

I looked at WordPress a bit this morning as well.  I used the same
source as Toshio did, but I think I used a slightly different search
than him.  I used the Advanced search and set the Product to
WordPress.  That yielded these numbers:

2008:    13
2007:    42
2006:    16

If you search the vuln database for just wordpress it pulls in a lot
of plugins for WordPress that have issues.  Even the search I did
pulled in results for plugins for WordPress and not just core
WordPress components.  So I went through 2008 and 2007 to see which
results in my search affected core WordPress bits and which were for
optional plugins.  Those results were:

2008:     7
2007:     36

Several of the hits for those two years had been for things like
custom themes someone had provided or guest books or an image gallery.

I also looked briefly at versions affected as well.  Just using 2008
as an example, there were still 7 security issues listed for core
WordPress components so far.  But if you figure you probably shouldn't
still be running a 2.0.x version or 2.1.x version of WordPress in 2008
then another 5 CVEs drop off the list leaving 2008 at 2 CVEs.

To be fair, I only looked this closely at WordPress.  It is quite
likely Drupal's numbers would drop if I looked through those results
and made decisions on which affected core bits and which affected
plugins to Drupal.  Like Toshio already said, this isn't the greatest
way to determine the security of an app.

>  These numbers show a big difference between mediawiki and drupal or
>  wordpress.  The questions are just how valid the numbers are and whether
>  we're confident that the combination of SELinux (which we will then
>  depend on; no more turning it off if we can't figure out a problem) and
>  mod_security will keep our servers and users of the sites safe from the
>  exploits that will appear.

With any application we provide we need to consider security.  I think
SELinux is a valid means to help prevent damage from 0-day flaws as is
mod_security.  They are tools in the toolkit we can use to help reduce
our attack surface.  If we do move to PHP based apps, we could also
consider looking at suhosin [1] as another tool for the toolbox.

Thanks,
Jeffrey

[1] http://www.hardened-php.net/suhosin/
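The three-stage narrowing Jeffrey walks through above (all NVD hits for the product, then core components only, then only entries that still affect a branch you would actually run) is easy to reproduce mechanically once the search results are in a structured form. The following Python is an added example and is not part of the original thread; the `Advisory` records and their `EXAMPLE-…` identifiers are constructed placeholders, not real CVE entries, and the core/plugin label is assumed to have been assigned by hand the way Jeffrey did it.

```python
"""
Added example (not from the mailing-list thread): a small triage helper that
applies the same successive filters described in the post to a list of
advisory records. All records below are constructed for illustration; the
identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder id, e.g. "EXAMPLE-2008-001" (constructed)
    year: int         # year the entry was published
    product: str      # product name as the database lists it
    component: str    # "core" or "plugin" (assumed to be classified by hand)
    affected: tuple   # affected version branches, e.g. ("2.0", "2.1")


# Constructed sample data: a mix of core and plugin entries across two years,
# plus one entry for a different product to show the product filter working.
SAMPLE = [
    Advisory("EXAMPLE-2008-001", 2008, "wordpress", "core", ("2.0", "2.1")),
    Advisory("EXAMPLE-2008-002", 2008, "wordpress", "core", ("2.1",)),
    Advisory("EXAMPLE-2008-003", 2008, "wordpress", "core", ("2.3",)),
    Advisory("EXAMPLE-2008-004", 2008, "wordpress", "plugin", ("1.0",)),
    Advisory("EXAMPLE-2008-005", 2008, "wordpress", "plugin", ("0.9",)),
    Advisory("EXAMPLE-2008-006", 2008, "drupal", "core", ("5.0",)),
    Advisory("EXAMPLE-2007-001", 2007, "wordpress", "core", ("2.0", "2.2")),
    Advisory("EXAMPLE-2007-002", 2007, "wordpress", "plugin", ("2.0",)),
    Advisory("EXAMPLE-2007-003", 2007, "wordpress", "core", ("2.1",)),
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so branches compare numerically."""
    return tuple(int(p) for p in v.split("."))


def count_by_year(records):
    """Map year -> number of entries, newest year first."""
    counts = {}
    for r in records:
        counts[r.year] = counts.get(r.year, 0) + 1
    return dict(sorted(counts.items(), reverse=True))


def product_only(records, product):
    """Stage 1: keep entries for the named product (case-insensitive)."""
    return [r for r in records if r.product.lower() == product.lower()]


def core_only(records):
    """Stage 2: drop plugin, theme and other optional-component entries."""
    return [r for r in records if r.component == "core"]


def supported_branches_only(records, min_supported):
    """Stage 3: drop entries whose affected branches are all older than the
    oldest branch you are still willing to run."""
    floor = parse_version(min_supported)
    return [r for r in records
            if any(parse_version(b) >= floor for b in r.affected)]


def triage(records, product, min_supported):
    """Run the three stages and report per-year counts after each one."""
    stage1 = product_only(records, product)
    stage2 = core_only(stage1)
    stage3 = supported_branches_only(stage2, min_supported)
    return {
        "product": count_by_year(stage1),
        "core": count_by_year(stage2),
        "supported": count_by_year(stage3),
    }


if __name__ == "__main__":
    # Mirrors the post: all hits, core-only, then excluding 2.0.x/2.1.x-only
    # issues (anything that still touches 2.2 or later is kept).
    for stage, counts in triage(SAMPLE, "wordpress", "2.2").items():
        print(f"{stage:>10}: {counts}")
```

The only judgement call the code cannot make for you is the `component` label; that classification is exactly the manual pass Jeffrey describes doing for 2007 and 2008, and it is why the same search gives different numbers depending on who runs it.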
