On Tue, Sep 15, 2009 at 1:38 PM, Gregory Kohs <thekohser(a)gmail.com> wrote:
My favorite part of that article: "Even the open source MediaWiki software
has more than its fair share of security vulnerabilities." As written, this
suggests that there are unpatched security vulnerabilities; I can
only assume the author meant that the software has _had_ more than its share
of vulnerabilities. Even still, that seems like a made-up claim: I suspect
that a quantitative study would show that MediaWiki has actually
had fewer security vulnerabilities than comparable software (and that's not
even counting the disparity in severity/exploitability that Aryeh notes).
WordPress, for instance, has 183 entries on the NVD; phpBB has 240. (Analysis
using the NVD is somewhat unfair, since it seems to make no distinction
between the core software and extensions or derivatives. It's also unclear
how comprehensive the NVD is, given that they don't have an entry for the
XSS vulnerability Aryeh mentioned.)
Beyond that, I think the article misses the point of open source as regards
security. Open source development doesn't automatically prevent holes from
appearing (though it can, since code will have more eyes on it before
it's deployed); it makes it easier to identify and patch them. Of course,
it would be difficult to compare the number of vulnerabilities
in open-source software to that in closed-source software, since open-source
software developers usually try to publicize vulnerabilities as much as
possible, while closed-source software developers usually want to avoid
disclosing vulnerabilities.
On Tue, Sep 15, 2009 at 5:12 PM, Aryeh Gregor <Simetrical+wikilist(a)gmail.com> wrote:
Compare to WordPress, where
if you don't keep up-to-date you can get your server taken over and
used to send spam (this has been happening recently, I've heard). Not
only is that worse for you, it's much more profitable for attackers,
so you're likely to see more widespread automatic exploitation. I
haven't heard of widespread exploitation of any MW security
vulnerability, although it's possible it's happened.
I haven't even heard of _isolated_ exploitation of MediaWiki security holes,
let alone anything widespread. Aren't most MW vulnerabilities discovered
through audits, code review, or third-party reporting, rather
than demonstrated exploitation?
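The thread's complaint about raw NVD counts is that the database does not separate the core product from plugins, extensions and mods. The script below, added here as an illustration and not part of the mailing-list discussion or of any Wikimedia or NVD tooling, shows the kind of per-product split a fairer count would need: it parses CPE 2.2 URIs (`cpe:/part:vendor:product:version`) attached to each vulnerability record, counts a record as "core" only when a core CPE is present, and otherwise tags it "extension" when a vendor or product name merely references the platform. The records, CVE identifiers (`CVE-EXAMPLE-*`) and CPE strings are constructed placeholders, and the vendor/product pairs and keywords in `CORE_CPES` / `RELATED_KEYWORDS` are assumptions for the three products named in the thread; a real run would load the NVD feed instead.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed data, not real NVD content: CVE ids are placeholders and the
# CPE URIs are made up to exercise the core/extension distinction.
SAMPLE_RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "cpes": ["cpe:/a:mediawiki:mediawiki:1.15.0"]},
    {"id": "CVE-EXAMPLE-0002", "cpes": ["cpe:/a:wordpress:wordpress:2.8.4"]},
    {"id": "CVE-EXAMPLE-0003", "cpes": ["cpe:/a:example_dev:wp_photo_gallery:1.0"]},
    {"id": "CVE-EXAMPLE-0004", "cpes": ["cpe:/a:example_dev:wordpress_contact_form:0.9",
                                        "cpe:/a:wordpress:wordpress:2.8"]},
    {"id": "CVE-EXAMPLE-0005", "cpes": ["cpe:/a:phpbb:phpbb:3.0.5"]},
    {"id": "CVE-EXAMPLE-0006", "cpes": ["cpe:/a:example_dev:phpbb_mod_gallery:2.0"]},
    {"id": "CVE-EXAMPLE-0001", "cpes": ["cpe:/a:mediawiki:mediawiki:1.15.0"]},  # duplicate feed entry
    {"id": "CVE-EXAMPLE-0007", "cpes": ["cpe:/o:example_os:example_linux:1.0"]},  # unrelated OS entry
]

# Assumed (vendor, product) pairs that identify the core software itself.
CORE_CPES = {
    "MediaWiki": ("mediawiki", "mediawiki"),
    "WordPress": ("wordpress", "wordpress"),
    "phpBB": ("phpbb", "phpbb"),
}

# Assumed substrings that mark a third-party extension, plugin or mod as
# "related to" a platform without being the platform.
RELATED_KEYWORDS = {
    "MediaWiki": ("mediawiki",),
    "WordPress": ("wordpress", "wp_"),
    "phpBB": ("phpbb",),
}


@dataclass(frozen=True)
class Cpe:
    part: str      # "a" application, "o" operating system, "h" hardware
    vendor: str
    product: str
    version: str


def parse_cpe(uri: str) -> Cpe:
    """Parse a CPE 2.2 URI; missing trailing fields become empty strings."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len(prefix):].split(":")
    fields += [""] * (4 - len(fields))
    return Cpe(*fields[:4])


def classify(record: dict) -> dict:
    """Map each known product to 'core' or 'extension' for one record.

    A core CPE wins over an extension match no matter the order in which the
    CPEs are listed; records that reference none of the products map to {}.
    """
    hits: dict = {}
    for uri in record["cpes"]:
        cpe = parse_cpe(uri)
        if cpe.part != "a":          # only application CPEs are of interest
            continue
        for name, core in CORE_CPES.items():
            if (cpe.vendor, cpe.product) == core:
                hits[name] = "core"
            elif name not in hits and any(
                kw in cpe.vendor or kw in cpe.product for kw in RELATED_KEYWORDS[name]
            ):
                hits[name] = "extension"
    return hits


def count_by_product(records) -> dict:
    """Tally distinct CVE ids per product, split into core vs. extension."""
    counts = {name: {"core": 0, "extension": 0} for name in CORE_CPES}
    seen = set()
    for record in records:
        if record["id"] in seen:     # the same CVE can appear more than once in a feed
            continue
        seen.add(record["id"])
        for name, kind in classify(record).items():
            counts[name][kind] += 1
    return counts


if __name__ == "__main__":
    for name, tally in count_by_product(SAMPLE_RECORDS).items():
        print(f"{name:10s} core={tally['core']} extension={tally['extension']}")
```

The point the split makes is visible even on this toy input: a naive keyword count would give WordPress three entries, while only two concern the core software. The keyword heuristic is deliberately conservative (an extension whose CPE never mentions the platform is not counted at all), which is the direction of error to prefer when the goal is to avoid inflating a product's tally.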