Drupal security compared to Sharepoint for the previous 3 months as of 5/16/2011, Drupal, not so good

Sharepoint has had zero hacks over the past 3 months according to http://nvd.nist.gov/, and Sharepoint Foundation can run for free on any licensed Windows Server.

See: http://web.nvd.nist.gov/view/vuln/search-results?query=sharepoint&search_type=last3months&cves=on (as of 5/16/2011 Sharepoint had zero security vulnerabilities for the past 3 months).

If my analysis is incorrect, please feel free to comment.

Eight Drupal Security Vulnerabilities:

http://web.nvd.nist.gov/view/vuln/search-results?query=drupal&search_type=last3months&cves=on

1. Summary:

  • Cross-site request forgery (CSRF) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
  • Published: 04/10/2011
  • CVSS Severity: 6.8 (MEDIUM)
  • CVE-2011-1663

2. Summary:

  • SQL injection vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
  • Published: 04/10/2011
  • CVSS Severity: 7.5 (HIGH)
  • CVE-2011-1662

3. Summary:

  • Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  • Published: 04/10/2011
  • CVSS Severity: 4.3 (MEDIUM)
  • CVE-2011-1661

4. Summary:

  • The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature.
  • Published: 04/10/2011
  • CVSS Severity: 5.0 (MEDIUM)
  • CVE-2010-4775

5. Summary:

  • The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships.
  • Published: 03/23/2011
  • CVSS Severity: 5.0 (MEDIUM)
  • CVE-2011-1066

6. Summary:

  • Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.
  • Published: 02/23/2011
  • CVSS Severity: 2.6 (LOW)
  • CVE-2011-0899

7. Summary:

  • The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.
  • Published: 02/07/2011
  • CVSS Severity: 5.0 (MEDIUM)
  • CVE-2011-0771

8. Summary:

  • Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site.
  • Published: 02/04/2011
  • CVSS Severity: 6.8 (MEDIUM)
  • This doesn't seem like a very good comparison - all those vulnerabilities are in contributed modules, not Drupal core. In general, an open-source community like Drupal will be very open about security problems as well, and they get fixed quickly.

  • ksheirer, thank you for your comment, they are always appreciated, especially ones that use good grammar. Your point is valid, however, not all open source communities fix problems quickly. In the case of the comparison that I give between Drupal and Sharepoint, a Sharepoint engineer, developer or tester who allows debugging code to get through a release will be treated poorly. For Drupal to leave debugging code in that allows plaintext recording of passwords and allows remote attackers to gain privileges of that user, is something that should be fixed quickly. It hasn't, it has been on the books since 2/7/2011.

    Please understand, my written voice may sound harsh, but that is not my intention, I really do appreciate your comment.  Your comments are valid, and I do take it seriously.

    Thank you.

  • Have you ever built a Drupal website yourself? I've been working as a SharePoint developer and Drupal developer for years and I feel that you are completely misinformed. You are comparing closed source with open source. Both have totally different ways of dealing with security issues. In the Open Source world, bugs get announced before they are solved. So yes, it could be that an issue is unresolved for weeks. With SharePoint, they get fixed before they are announced. Or don't get fixed at all, you'll never know.

    The issues you mention occur within contributed modules, of which the quality differs. Site developers have the responsibility to make a thorough selection of the modules they want to use. They have to check the quality of the code and decide if they want to use a free module or want to build a custom one. I'm sure there will be lots of custom SharePoint contributions that have security bugs.

    You are comparing SharePoint core (MS only) to the Drupal community (core + 9700 free modules), which doesn't make any sense. The great thing about open source is that you don't have to wait for Microsoft to fix an issue, but you can fix it yourself. Or pay someone to do so.

    Next time you write a comparison, please choose something that can be compared.

  • Also, you might try searching for "drupal core" instead of just "drupal" to see the vulnerabilities recorded in Drupal's core install files, e.g.: web.nvd.nist.gov/.../search-results

  • Damien McKenna,

    Good point, however, as you can see in a post for today, NIST only allows certain keywords.  The Drupal community can work with NIST to see if they can change those keywords, but Drupal Core or Drupal_Core is not one of the keywords.

    In the later blog I show what the keywords are for drupal and sharepoint.  For instance if I type in sharepoint foundation or sharepoint_foundation, I get no returns for either search, because these are not recognized keywords.

    I think this is an excellent blog idea!

    Damien, thank you for your feedback, please read my response as not harsh and respectful, your comments really are appreciated.

  • you are completely misinformed.

  • reza,

    Your comment is not very clear. How am I "clearly misinformed"? On what basis? There are two points being made in this blog:

    1. Sharepoint has no security hits over the past 3 months according to NIST, none, and I provide the link as reference. I used the correct keyword.

    2. Drupal has security hits over the past three months and I provide a link to the NIST.  Again, I investigated the correct keyword and utilized it.

    So, although I respect your phrase and your commenting, I would ask that you clarify your statement as to which of these statements are "misinformed".

    Further in the comment section below, I do state that Sharepoint Foundation is free if your Windows Server is up to date.  Is that statement misinformed?

    In another comment I state: Did NIST report that there is debugging code in Drupal that would allow plaintext recording of passwords and allow remote attackers to gain privileges of that user?

    If you have information that the NIST is inaccurate, please share, all of the readers will likely appreciate it. AND it will help out the community.

    Or if you just wanted to make a negative statement about what I wrote, fair enough, and it is appreciated that people who use Drupal have an attachment to it. I have special attachments to Microsoft products, and I welcome your input.

    I just got long winded about what you think is misinformed.

    Thank you Reza, really, I do respect your input.

  • This isn't at all a fair comparison. Those Drupal modules aren't part of Core, and aren't maintained by the Drupal team.

    What you're doing is like saying, "Sharepoint has a security flaw because of a bug in the HP Printer Driver which exposes user accounts"...

    See?

  • Gray,

    Actually it is a direct comparison. The NVD uses exactly the comparison of the various products that you describe. Sharepoint is all of the Sharepoint components and the related third party vendors. When you review NVD.NIST.GOV, you can see that vendors like Google cause a great deal of problems for Apple and Microsoft.

    Sorry, but the NVD is a level playground.  People have no problem using it against Microsoft, with justification, but the flip side is required as well, when open source has a problem, that also needs to be revealed.

    It appears that Drupal Core needs to fix these problems or get the community to fix them. These are vulnerabilities, and ignoring them because it isn't the "Core" group is a similar approach that corporations might have. Microsoft isn't allowed to get away with that, so why should Drupal?

  • I'll make it short and sweet: I agree with Kscheirer. Not a good comparison.

  • Hey Mike,

    Then what is a good comparison? If there are poorly created web parts with Sharepoint, are these the same as poorly created Drupal modules? If that is the case then why not work with NIST.GOV, as a community, and fix that reporting problem.

    Or, I did review the current listing of errors in Sharepoint, using the same string, and there were some security vulnerabilities shown. Most of them related to the use of Excel in Sharepoint. Excel and Sharepoint are not the same products. One could make the case that Excel is a "Module" of Sharepoint.

    web.nvd.nist.gov/.../search-results

    Respectfully, I ask that a reasonable comparison process be given to me and I would use it. However, it appears that products that are clearly not Sharepoint are listed in the NVD for Sharepoint. I ask: How is that not a good comparison? Maybe the better solution would be to make sure that the fixes are posted so others know that the Drupal core is secure as well as the modules others might use.


Legal Note:

  1. The author, Sam Stokes, is an employee of Microsoft
  2. There is no guarantee that anything I write is correct, I do try to make sure that what I write is correct.
  3. Use anything written in this blog at your own risk
  4. Test what I write about before using the information
  • Sometimes posts will disappear because I realized that they really don't fit with the total chaos of what I write about
  • Links are tested and available on date of publication, what others do with their links are out of my control

Restrictions:

  • Whatever I write on this blog is unedited by management or anyone, which should be obvious from the randomness of the blog. I simply write about things I like.
  • Microsoft does not restrict me in any way, so I generally blather about whatever I want to.
  • For personal reasons I will not write about:
    • Company confidential stuff, mainly because Microsoft is more transparent than any company I have ever worked for.
    • Other people unless they give me permission to write about them