news.fp.o

seth vidal skvidal at fedoraproject.org
Thu Feb 21 19:28:47 UTC 2008


On Thu, 2008-02-21 at 13:13 -0500, Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi <a.badger at gmail.com>:
> >  This is a highly inaccurate measure of security but it's something to
> >  look at.  I wonder if lkundrak and the security team have a preference
> >  for blogging/news software :-)
> >
> >  Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
> >        wordpress  drupal  mediawiki  zope  plone
> >  2008     30        17        1        0     0
> >  2007     64        37        7        2     1
> >  2006     21        39        4        1     3
> 
> I looked at WordPress a bit this morning as well.  I used the same
> source as Toshio did, but I think I used a slightly different search
> than him.  I used the Advanced search and set the Product to
> WordPress.  That yielded these numbers:
> 
> 2008:    13
> 2007:    42
> 2006:    16
> 
> If you search the vuln database for just wordpress it pulls in a lot
> of plugins for WordPress that have issues.  Even the search I did
> pulled in results for plugins for WordPress and not just core
> WordPress components.  So I went through 2008 and 2007 to see which
> results in my search affected core WordPress bits and which were for
> optional plugins.  Those results were:
> 
> 2008:     7
> 2007:     36
> 
> Several of the hits for those two years had been for things like
> custom themes someone had provided or guest books or an image gallery.
> 
> I also looked briefly at versions affected as well.  Just using 2008
> as an example, there were still 7 security issues listed for core
> WordPress components so far.  But if you figure you probably shouldn't
> still be running a 2.0.x version or 2.1.x version of WordPress in 2008
> then another 5 CVEs drop off the list leaving 2008 at 2 CVEs.
> 
> To be fair, I only looked this closely at WordPress.  It is quite
> likely Drupal's numbers would drop if I looked through those results
> and made decisions on which affected core bits and which affected
> plugins to Drupal.  Like Toshio already said, this isn't the greatest
> way to determine the security of an app.
> 
> >  These numbers show a big difference between mediawiki and drupal or
> >  wordpress.  The questions are just how valid the numbers are and whether
> >  we're confident that the combination of SELinux (which we will then
> >  depend on; no more turning it off if we can't figure out a problem) and
> >  mod_security will keep our servers and users of the sites safe from the
> >  exploits that will appear.
> 
> With any application we provide we need to consider security.  I think
> SELinux is a valid means to help prevent damage from 0-day flaws as is
> mod_security.  They are tools in the toolkit we can use to help reduce
> our attack surface.  If we do move to PHP based apps, we could also
> consider looking at suhosin [1] as another tool for the toolbox.
> 

Let's not, ever, say we're considering going to php based apps.

I don't mind deploying a few but I'll be damned if I'll ever 'go to php'
as a language.

-sv

More information about the Fedora-infrastructure-list mailing list