I'm helping a client do a security audit of one of their servers. A couple of their sites are running Joomla, which I have very little experience with, so as part of this I set out to compile a list of available exploits to compare against their Joomla versions and installed components. What I discovered was frankly stunning.
| Platform | Number of exploits |
|----------|--------------------|
It's important to emphasize that just one critical hole in your site is enough, so running Drupal or Typo3 might still get you hacked. However, it's clear that the Joomla community has a very serious security problem. Judging from the number of SQL injection exploits on the list it seems like it might be a question of educating contributors.
I believe that Drupal's low number is a strong testament to the benefits of hosting contributed code on drupal.org. This approach means that:
- You need to apply for a CVS account and, as part of that, have your first contributed code reviewed by someone experienced.
- Hosted code is audited by the .
A low bar of entry for new contributors is great, but can be dangerous without a strong security support structure.
Note: A of this entry is available over at the blog.