A host provider shows me the following list of vulnerabilities in Drupal. What should I answer?
http://www.frsirt.com/english/product/988
31.01.2008 : Drupal Secure Site Module HTTP Authentication Bypass Vulnerability
31.01.2008 : Drupal Project issue tracking Cross Site Scripting and File Upload
31.01.2008 : Drupal Userpoints Module Cross Site Request Forgery Vulnerability
31.01.2008 : Drupal Comment Upload Module Arbitrary File Upload Vulnerability
31.01.2008 : Drupal OpenID Module Spoofing and Identity Impersonation Vulnerability
25.01.2008 : Drupal Workflow Module Node Property Cross site scripting Vulnerability
25.01.2008 : Drupal Archive Module Unspecified Cross site scripting Vulnerability
14.01.2008 : Fedora Security Update Fixes Drupal Multiple Remote Vulnerabilities
14.01.2008 : vbDrupal Multiple Cross Site Scripting and Request Forgery Vulnerabilities
14.01.2008 : Meta tags Module for Drupal Image Handling Code Execution Vulnerability
14.01.2008 : BUEditor Module for Drupal Cross Site Request Forgery Vulnerability
14.01.2008 : Drupal Multiple Cross Site Scripting and Request Forgery Vulnerabilities
10.12.2007 : Fedora Security Update Fixes Drupal Multiple Module Vulnerabilities
25.10.2007 : Fedora Security Update Fixes Drupal Multiple Security Bypass Issues
19.10.2007 : Drupal Cross Site Scripting and Information Disclosure Vulnerabilities
14.08.2007 : Content Construction Kit for Drupal Nodereference Module Cross Site Scripting
31.07.2007 : Fedora Security Update Fixes Drupal Cross Site Request Forgery Vulnerability
30.07.2007 : Drupal Multiple Client-side Cross Site Scripting and Request Forgery Vulnerabilities
13.07.2007 : LoginToboggan Module for Drupal "username" Cross Site Scripting Vulnerability
10.07.2007 : Print Module for Drupal Security Bypass and Information Disclosure Vulnerability
10.07.2007 : Forward Module for Drupal Security Bypass and Information Disclosure Vulnerability
12.04.2007 : Database Administration for Drupal Cross Site Scripting and Request Forgery Issues
08.03.2007 : Project Issue Tracking for Drupal Unspecified Parameter Handling Node Disclosure Issue
07.03.2007 : Nodefamily Module for Drupal URL Arguments Handling Profile Manipulation Vulnerability
16.02.2007 : Secure Site Module for Drupal Unspecified String Handling Security Bypass Vulnerability
16.02.2007 : Image Pager Module for Drupal "IMG" Tag Handling Cross Site Scripting Vulnerability
16.02.2007 : getID3 Library for Drupal Demonstration Scripts Remote Code Execution Vulnerability
31.01.2007 : Captcha and Textimage Modules for Drupal Security Validation Bypass Vulnerability
30.01.2007 : vbDrupal Security Update Fixes Comment Preview Command Execution Vulnerability
30.01.2007 : Drupal "comment_form_add_preview()" Comment Preview Code Execution Vulnerability
24.01.2007 : Acidfree Module for Drupal Node Title Handling Remote SQL Injection Vulnerability
24.01.2007 : Project and Project Issue Tracking for Drupal Multiple Security Bypass Vulnerabilities
09.01.2007 : OpenPKG Security Update Fixes Drupal Cross Site Scripting and DoS Vulnerabilities
05.01.2007 : Drupal Database Update Page Cache Poisoning Remote Denial of Service Vulnerability
05.01.2007 : Drupal "Filter" and "System" Modules Multiple Arguments Cross Site Scripting Issues
18.12.2006 : MySite Module for Drupal Titles Handling Client-Side Cross Site Scripting Vulnerability
18.12.2006 : Project and Project Issue Tracking for Drupal Multiple Cross Site Scripting Vulnerabilities
11.12.2006 : Chatroom Module for Drupal Information Disclosure and Security Bypass Vulnerabilities
11.12.2006 : Help Tip for Drupal Multiple Remote SQL Injection and Cross Site Scripting Vulnerabilities
06.12.2006 : CVS management/tracker for Drupal "motivation" Field Cross Site Scripting Vulnerability
26.10.2006 : Extended Tracker for Drupal Unspecified Parameter SQL Injection Vulnerability
26.10.2006 : OpenPKG Security Update Fixes Drupal Multiple Cross Site Scripting Vulnerabilities
20.10.2006 : Drupal Multiple Cross Site Scripting and Cross Site Request Forgery Vulnerabilities
03.10.2006 : IMCE Module for Drupal Arbitrary File Deletion and Script Upload Vulnerabilities
20.09.2006 : Search Keywords Module for Drupal Client-Side Cross Site Scripting Vulnerability
20.09.2006 : Site Profile Directory Module for Drupal Client-Side Cross Site Scripting Vulnerability
14.09.2006 : Userreview Module for Drupal Unspecified Parameter Cross Site Scripting Vulnerability
08.09.2006 : Pubcookie Module for Drupal Login Redirection Mechanism Spoofing Vulnerability
06.09.2006 : Pathauto Module for Drupal Unspecified Parameter Cross Site Scripting Vulnerability
23.08.2006 : Easylinks for Drupal Multiple Remote SQL Injection and Cross Site Scripting Vulnerabilities
23.08.2006 : E-commerce for Drupal Multiple Parameter Handling Cross Site Scripting Vulnerabilities
10.08.2006 : Debian Security Update Fixes Drupal User Module Cross Site Scripting Vulnerability
09.08.2006 : Bibliography Module for Drupal Remote SQL Injection and Cross Site Scripting Vulnerabilities
08.08.2006 : Recipe Module for Drupal Unspecified Parameter Handling Cross Site Scripting Vulnerability
08.08.2006 : Drupal Jobsearch Module Unspecified Parameter Handling Remote SQL Injection Vulnerability
03.08.2006 : Drupal User Module "msg" Parameter Handling Client-Side Cross Site Scripting Vulnerability
26.07.2006 : Debian Security Update Fixes Drupal SQL Injection and Cross Site Scripting Vulnerabilities
12.07.2006 : Drupal "webform" Module Multiple Parameter Handling Cross Site Scripting Vulnerabilities
05.07.2006 : Form_mail Module for Drupal Unspecified Remote Mail Header Injection Vulnerability
02.06.2006 : Drupal Taxonomy Module "name" Parameter Cross Site Scripting Vulnerability
25.05.2006 : Drupal Remote SQL Injection and Arbitrary Script Execution Vulnerabilities
08.05.2006 : Drupal Project Module Issue Handling Cross Site Scripting Vulnerability
17.03.2006 : Debian Security Update Fixes Drupal Multiple Security Bypass Vulnerabilities
27.01.2006 : Debian Security Update Fixes Drupal Cross Site Scripting Vulnerabilities
01.12.2005 : Drupal Cross Site Scripting and Security Bypass Vulnerabilities
04.10.2005 : Debian Security Update Fixes Drupal XML-RPC Command Execution
15.08.2005 : Drupal XML-RPC for PHP Nested Tags Remote Code Execution
11.07.2005 : Debian Security Update Fixes Multiple Drupal Vulnerabilities
30.06.2005 : Drupal XML-RPC Library Remote Code Execution Vulnerability
Comments
That list also includes fixes and independent modules, and does not tell you which version of Drupal or which module versions.
I would say it is a pretty useless list unless they point out the version numbers, remove the fixes from the list and separate the 3rd-party modules from the Drupal core itself. Also, most of that list is VERY old stuff, so most of it was probably fixed a long time ago.
Roberth Andersson
Administrator/Developer @ Jump-Gate and Webworqs, Inc
Actually a useful list.
Note that on that site you can click through to see the affected version number, and the fix (um, download a later version) for all those alerts, so it's not that useless.
Except that you do have to click a lot to see it all.
-> Affected Products
-> Solution
.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/
.dan. is the New Zealand Drupal Developer working on Government Web Standards
As Roxpace pointed out, most of the list is Very old and therefore most likely irrelevant. Similar lists can be produced for any CMS, let alone the homegrown sort-of-CMS systems. These lists are good reading from a historical perspective, but that's about it.
If you read up at http://drupal.org/security , you'll notice that security is taken very seriously.
Second, if you don't use a vulnerable module, there's no problem. If you don't use Userpoints or BUEditor or whatever other modules are mentioned in your list, you can live in peace. And if you do, make sure you use the latest version, which most likely has taken care of the security issue very soon after the alert. And if it hasn't been fixed yet, temporarily disable that module.
Third, the main thing to worry about is security holes in Drupal Core. But they are a) rare and b) taken care of Very Swiftly.
Fourth, if you do your own PHP programming here and there in a personal module or in a node, make sure you have studied the security functions (check_plain etc.).
Fifth, ask your host provider about a list of vulnerabilities with regard to the server software he's running. I bet the list would be 100 times longer than the one he gave you.
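The "fourth" point above, illustrated with an added example that is not from this thread or from any Drupal project code: a hypothetical Drupal 6-era custom module (`mymod`, a made-up name) that renders a search term and node titles, first with the two bug classes that dominate the list in the question (cross-site scripting and SQL injection), then rewritten with the core API functions the post refers to (`check_plain()`, `t()`, `l()`, `db_query()` placeholders).

```php
<?php
// Added illustration, not from the thread. "mymod" is a hypothetical module;
// the functions it calls (check_plain, t, l, db_query, db_fetch_object) are
// the real Drupal 6 core API.

/**
 * Vulnerable: raw user input reaches both the SQL query and the HTML output.
 */
function mymod_search_page_vulnerable() {
  $term = $_GET['term'];   // attacker-controlled query-string value, never escaped
  // SQL injection: the term is concatenated straight into the statement.
  $result = db_query("SELECT nid, title FROM {node} WHERE title LIKE '%" . $term . "%'");
  // Cross-site scripting: the term and every stored title are echoed as live HTML.
  $output = '<h2>Results for ' . $term . '</h2>';
  while ($row = db_fetch_object($result)) {
    $output .= '<p><a href="/node/' . $row->nid . '">' . $row->title . '</a></p>';
  }
  return $output;
}

/**
 * Hardened: the same page using the Drupal API for escaping.
 */
function mymod_search_page() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';
  // %s is escaped by db_query() for the SQL string context; %% is a literal '%'.
  // Note: LIKE wildcards (% and _) inside the term are still interpreted by
  // the database, which affects only what matches, not the query structure.
  $result = db_query("SELECT nid, title FROM {node} WHERE title LIKE '%%%s%%' AND status = 1", $term);
  // t() runs check_plain() on @-placeholders, so the term is HTML-escaped.
  $output = '<h2>' . t('Results for @term', array('@term' => $term)) . '</h2>';
  while ($row = db_fetch_object($result)) {
    // l() escapes the link text; for a plain string use check_plain() directly.
    $output .= '<p>' . l($row->title, 'node/' . $row->nid) . '</p>';
  }
  // Anything that is not HTML-escaped must be filtered before output.
  $output .= '<p>' . check_plain('Showing published nodes matching "' . $term . '"') . '</p>';
  return $output;
}
```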
The nature of open-source software
This is a basic part of open-source software. Diligent users of the application (some of whom are security experts) find bugs and submit patches. That's why open-source software, in general, is more secure (more trained eyes on the issue of security.) Compare this with closed-source solutions, where only the primary developers have access to the source, and you will find lots more holes, that never get patched.
See ASP vs PHP for an example. Most PHP security issues are solved right away, whereas ASP issues have to wait for the hotfix from Microsoft (which never comes for many serious, pending security issues.) Vulnerabilities exist in any piece of software, but at least with open-source software you have the option to fix them. It's not the number of issues that is the problem, only the number of ignored issues, which as mentioned before, is very few, when it comes to Drupal. If you find a module developer that is slow to fix bugs, or patch security holes, don't use their modules. It really is that simple. People who maintain their modules have larger communities, and more bug fixes, so the whole process is extremely organic (survival of the fittest code.)
It's also important to note that none of those listed issues track back to bug reports, which were definitely filed. This means that it's hard to track them, based on that site, and see if the issues have been solved or are still pending. As a demonstration, I tracked down the last five issues and include their status here:
31.01.2008 : Drupal Secure Site Module HTTP Authentication Bypass Vulnerability
solution: http://drupal.org/node/216019
31.01.2008 : Drupal Project issue tracking Cross Site Scripting and File Upload
solution: http://drupal.org/node/184320
31.01.2008 : Drupal Userpoints Module Cross Site Request Forgery Vulnerability
solution: http://drupal.org/node/216023
31.01.2008 : Drupal Comment Upload Module Arbitrary File Upload Vulnerability
solution: http://drupal.org/node/216024
31.01.2008 : Drupal OpenID Module Spoofing and Identity Impersonation Vulnerability
solution: http://drupal.org/node/216022
The underlying theme, if you hadn't noticed, is "fixed, solution: install newest version"
If your host does not thoroughly understand this process, then I would question their ability to keep their system secure, seriously. It may be time for a new host. I can recommend several that keep up with security fixes, and understand this process extremely well.
Uh-huh, security fixes happened. And the point is?
Tell them that they had better look out and make sure they don't let a thing called Linux into their network.
That has had over 156 pages of identified vulnerabilities in the history logged there!!! Scary!
If looking at a list of identified, fixed problems worries them, they really should switch to an untested system that's never published any security updates. They'll feel a lot better then.
.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/
.dan. is the New Zealand Drupal Developer working on Government Web Standards
One addendum to the excellent commentary above: upload and install for your drupal site the update_status module and subscribe to drupal security bulletins. You will be alerted to new versions of modules and security fixes, respectively. That way you can update your site yourself and can safely ignore "customer support" which, in this particular instance, appears (a) to have an ax to grind or (b) to be profoundly ignorant about drupal and the entire concept of open source software.
----------------------------------------------------------------------
http://www.bwv810.com/
I am a writer and researcher. In my spare time I build websites with Drupal.
I can communicate in French. / I can communicate in Russian.
To play devil's advocate for a second ....
Bringing a client's attention to the fact that there are periodic security issues - and security updates - for a random bit of software they are considering is actually a pretty good thing to do.
Without knowing what tone it was delivered in,
"We won't let you run that script because ... "
or
"If you are going to run that, you should consider ..."
Letting folk know that it's their responsibility to keep potentially-dangerous software updated is something that should be done a little bit more. IMO.
Dismissing all historical security issues out-of-hand isn't actually a productive response. I'm sure when some of the vulnerabilities were active they were each, respectively, significant. I'm thinking there are a bunch of sites still out there running potentially-compromised drupal versions.
And the only thing that "there are no outstanding vulnerabilities in Drupal" means is that we haven't found (or added) the next one yet.
... just a contrasting way of looking at this thread ...
.dan. is the New Zealand Drupal Developer working on Government Web Standards
Good points... I wonder if the host in question prefaced the laundry list they provided with any introductory text along the lines you mention.
----------------------------------------------------------------------
http://www.bwv810.com/
I am a writer and researcher. In my spare time I build websites with Drupal.
I can communicate in French. / I can communicate in Russian.
Totally
Since Drupal will generally be installed by you, the developer, it's important that you keep up with your end, and keep Drupal up to date on security fixes.
It's also important that they (your host) keep up their end, and keep up on security fixes on everything else. I feel like if they are new to the whole concept of security bulletins and active development communities, then you're already in trouble.
I don't dismiss historical security issues by any means. I think it is extremely important to be sure of the flaws of any system I am using, so I look through every security bulletin of projects that I am evaluating and make sure it's not going to explode (by any means that someone has already discovered; it could still explode in some new way). I guess I just find it more useful to look at a bug tracker that's actually connected to the system in question (you will find a lot more security issues on drupal.org than on that other site, and you can actually see if they are fixed or not).