via positiva

Security misunderstandings. Argh.

This morning, someone wrote up a rather alarming little article that made it to Digg and subsequently hit the Drupal newsfeed. "Drupal struggle with security issues," it read, and proceeded to point out the alarming number of security advisories (14) published by Drupal's security team in 2007.

While it's true that security holes are bad, only three of those fourteen were bugs in Drupal. 11 of the 14 were bugs in third-party addon modules found by the Drupal security team crawling through the hundreds of addons, hunting for secholes. One was a bug in the previous version of a third-party library used by an even older version of a third-party Drupal plugin module. Three degrees of separation from Drupal's actual code, but the Drupal security team still sent out an advisory so that Drupal sites that happen to be running it would be aware of the potential danger.

The article, basically, doesn't seem to get it. It even implies that the latest bug in a third-party module is part of Drupal's core Forms API:

A critical security flaw was found in the database administration module and in the Drupal Form API.

In fact, the security advisory makes clear that the problem lay in dba module not using Forms API to build its forms. Modules that DO use Forms API don't experience the problem that was found. Did the folks at BuildCMS not read the advisory? Or do they just not understand the differences?
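To make the Forms API point concrete, here is one admin form written two ways against the Drupal 5-era API. This is an added illustration, not the dba module's code or anything from the advisory; the hook and handler signatures are assumptions from memory of that API, and the hook_menu entry with its access check is omitted.

```php
<?php
// Added illustration, not the dba module's code or anything from the
// advisory. Handler signatures are assumptions from the Drupal 5 API;
// the hook_menu entry carrying the access check is omitted for brevity.

// Constructed sample list of things the form lets an admin pick from.
function example_choices() {
  return array('node', 'users', 'watchdog');
}

function example_act_on($table) {
  drupal_set_message(t('Acting on %table', array('%table' => $table)));
}

// 1. Hand-rolled form. The module prints its own HTML and reads $_POST
//    itself, so it gets no form token, no check that the submitted value
//    is one the form offered, and no help escaping what it prints.
function example_handrolled_page() {
  if (isset($_POST['table'])) {
    example_act_on($_POST['table']);        // acts on any posted value
  }
  $out = '<form method="post"><select name="table">';
  foreach (example_choices() as $name) {
    $out .= '<option>' . $name . '</option>';  // author must escape by hand
  }
  return $out . '</select><input type="submit" value="Go" /></form>';
}

// 2. Forms API. The module declares the form as data; drupal_get_form()
//    renders it with escaping, adds a form token for logged-in users,
//    verifies that token on submit, rejects a 'table' value that is not
//    in #options, and only then calls the module's submit handler.
function example_fapi_page() {
  return drupal_get_form('example_fapi_form');
}

function example_fapi_form() {
  $form['table'] = array(
    '#type' => 'select',
    '#title' => t('Table'),
    '#options' => drupal_map_assoc(example_choices()),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Go'));
  return $form;
}

// Runs only after the API's own token and #options checks have passed.
function example_fapi_form_submit($form_id, $form_values) {
  example_act_on($form_values['table']);
}
```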

The Drupal security team is a serious gang of nitpickers, and I mean that in the best possible way: I've been contacted by them about modules I wrote, just to answer questions about the intended purpose of several functions and how they were used in other areas. They had seen it in CVS, and wanted to double-check with me that I was only using certain APIs in the proper fashion to avoid potential secholes. And when they DO find problems in one of those third party modules, they generally try to work with the author to ensure that patches are released quickly. It's frustrating to see the monumental work they're doing for the community spun as 'a struggle with security.'

The article concludes with some silly FUD:

Community members are concerned Drupal, and start to wonder if security and documentations are left behind in an eager for new functionalities.

Aside from the stilted grammar, it's obvious that the author was phoning this article in. The security issues found by the secteam are universally cases of modules not using the existing secure APIs that are well-documented.

There are important security issues to be discussed in the Drupal community. There are sometimes high-priority security holes that are discovered and announced, along with fixes. There are important best practices for module developers to follow. And security IS an important consideration for site-builders when evaluating third-party plugins, as with any other project that supports addon modules.

But spinning the security team's diligence in hunting down issues and broadcasting alerts as 'big changes are making things less secure, Drupal is struggling!' indicates that the writer of the article is either clueless, or more concerned about grabbing page-views than educating readers.

Publish this!

This frustrates me and I don't even understand half of what you're talking about! This is a very well-written response, and you should email it to the editor at buildcms.com.

Such poorly researched

Such poorly researched articles are really annoying. Hope you don't mind that I just dugg your article.

Numbers

Is it just me, or don't the numbers add up?

3 out of 14 were core issues... 11 of the 13 were 3rd party and one was the third party library for the third party plug-in. Eh?

Written too fast ;-)

That should be "11 of the 14 were 3rd party modules, and one of those 11 was a remotely hosted third party library..."

Feedback has been taken into consideration

I can confirm that we have been taking action to give our readers a more accurate presentation of CMS security and the news about Drupal:

http://www.buildcms.com/cms_news/drupal_announce_most_security_issues
http://www.buildcms.com/cms_articles/introduction_to_open_source_cms_sec...

If there's any feedback on this, please let me know.

Best regards

Egil Fujikawa Nes
egil@buildcms.com

The new version is waaaaay better

Thanks for listening!

Well said

In truth though, the BuildCMS article is pretty matter-of-fact. It's digg that gets a bit crazy.

oops

Oh, I'm reading the new version, I'd have to find the old version now. :P

This is a fairly old article

This is a fairly old article but hopefully you will see this message and consider it regardless. In terms of product security, it does not matter who wrote the code, it matters what vulnerabilities are exploitable in the distributed product. If Drupal uses a vulnerable third part library that opens them to risk, and no other CMS software does, all other things being equal, that means Drupal is the most insecure of the bunch. In the end, it doesn't matter who the engineers can point fingers at, it matters that the product is vulnerable.

That said, all other things are not equal in the CMS field, and I think Drupal is a bit ahead of the curve in PHP based CMS (which may seem a bit like damning praise with the PHP qualifier there)

This is a fairly old article

This is a fairly old article but hopefully you will see this message and consider it regardless. In terms of product security, it does not matter who wrote the code, it matters what vulnerabilities are exploitable in the distributed product.

Oh, absolutely -- you'll see no disagreement from me on that count. The issue, though, is that there are about 2000 add-ons for Drupal, with various versions available. While it's accurate to say that 'a security vulnerability was discovered,' there's a difference between a vulnerability in the Drupal project that everyone uses, and a vulnerability in one version of a little-used third-party addon that was written for Drupal 4.7.

It's the difference between a MacOS vulnerability and a vulnerability in version 1.2 of 'Keynote.' While the latter is certainly important and should be taken seriously, it's definitely different.

great

good news
thank you
