On Tue, Sep 15, 2009 at 6:36 PM, Benjamin Lees <emufarmers(a)gmail.com> wrote:
On Tue, Sep 15, 2009 at 1:38 PM, Gregory Kohs <thekohser(a)gmail.com> wrote:
My favorite part of that article: "Even the open source MediaWiki software
has more than its fair share of security vulnerabilities." As written, this
suggests that there are unpatched security vulnerabilities; I can
only assume the author meant that the software has _had_ more than its share
of vulnerabilities. Even still, that seems like a made-up claim: I suspect
that a quantitative study would show that MediaWiki has actually
had fewer security vulnerabilities than comparable software (and that's not
even counting the disparity in severity/exploitability that Aryeh notes).
WordPress, for instance, has 183 entries on the NVD; phpBB has 240. (Analysis
using the NVD is somewhat unfair, since it seems to make no distinction
between the core software and extensions or derivatives. It's also unclear
how comprehensive the NVD is, given that they don't have an entry for the
XSS vulnerability Aryeh mentioned.)
Beyond that, I think the article misses the point of open source as regards
security. Open source development doesn't automatically prevent holes from
appearing (though it can, since code will have more eyes on it before
it's deployed); it makes it easier to identify and patch them. Of course,
it would be difficult to compare the number of vulnerabilities
in open-source software to that in closed-source software, since open-source
software developers usually try to publicize vulnerabilities as much as
possible, while closed-source software developers usually want to avoid
disclosing vulnerabilities.
On Tue, Sep 15, 2009 at 5:12 PM, Aryeh Gregor <Simetrical+wikilist(a)gmail.com> wrote:
Compare to WordPress, where
if you don't keep up-to-date you can get your server taken over and
used to send spam (this has been happening recently, I've heard). Not
only is that worse for you, it's much more profitable for attackers,
so you're likely to see more widespread automatic exploitation. I
haven't heard of widespread exploitation of any MW security
vulnerability, although it's possible it's happened.
I haven't even heard of _isolated_ exploitation of MediaWiki security holes,
let alone anything widespread. Aren't most MW vulnerabilities discovered
through audits, code review, or third-party reporting, rather
than demonstrated exploitation?
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Last point is dead-on. Almost all of our security issues that I can
remember come in as bugs--or e-mails to security(a)wikimedia.org--
that describe a potential attack vector and possibly a use-case to
trigger the described issue. This is how almost all of our bugs are
reported and fixed. Major security issues (the XSS ones in the
installer are a great example) usually get an immediate patch and
release. These are almost always backported to the still supported
releases.
The thing that the vulnerability list does not take into account is that
old releases are no longer supported. I'm sure there's a whole lot of
unpatched vulnerabilities in 1.8 or 1.9. These versions are also
unsupported. If you come looking for help in #mediawiki and you're
running an outdated version, the most help you'll get is helping you
upgrade.
We drop old versions after awhile because it's impossible to maintain
an infinite number of back releases. I'm sure there's buffer overflow
possibilities in Word 97 that don't exist in Word 2007. We don't see
people flipping out over that, do we? Upgrade and these issues quickly
become non-issues, period.
Current security issues deserve investigation and fixing, bugs from old
and unsupported releases don't, and that site is pretty much a list of
the latter.
-Chad