david <[email protected]> writes:
> Ishwor wrote:
>>
>>> Plus you should consider setting up Drupal to manage his pages.
>>>
>>> 1. Learning the CMS is better anyway since that is the way real web
>>> sites are managed now;
>>>
>>> 2. He can start out with filtered HTML (which is dead simple), then as he
>>> learns progress to unfiltered, and eventually PHP;
>>
>> PHP is full of bugs and security vulnerabilities (all the time). It
>> may be easier to learn and program comparatively, but I would rather not
>> bother with it.
>
> So you are suggesting that all those people running Drupal etc are insecure?
> Just curious, because I'm just setting up a Drupal site for someone.

For what it is worth, if we step back in time about two years I went and
monitored security and feature sets for various OSS CMS projects in PHP.

The two that were good enough to consider for deployment were Joomla and
Drupal; both were about equal in terms of security issues, with both of them
suffering an external attack, usually SQL injection, around every two weeks.

PHP itself was reasonable, with around one attack every three months that
would have been seriously troubling.  The applications also had an attack
approximately monthly that enabled arbitrary code execution.


Most of the attacks on the application stack were in extensions to the core of
the CMS, which were uniformly lower in quality and reliability.  They were no
less serious, however, and often more serious.


At the time Drupal had a vague plan to move to a decent database layer to
reduce SQL injection attacks, but nothing more.

Joomla had no specific plans to remediate these attacks.


I have not looked since, but my gut feeling is that either interest in both
these products, or security issues with both these products, have since
dropped off, as they are no longer so routinely featured on bugtraq.

Also, as I note, this is based on *TWO YEAR OLD* information.  I don't know
what Drupal and Joomla have done to systematically address these issues since
that time.

Regards,
        Daniel
-- 
✣ Daniel Pittman            ✉ [email protected]            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
   Looking for work?  Love Perl?  In Melbourne, Australia?  We are hiring.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html