On Tue, Sep 15, 2009 at 1:38 PM, Gregory Kohs thekohser@gmail.com wrote:
My favorite part of that article: "Even the open source MediaWiki software has more than its fair share of security vulnerabilities." As written, this suggests that there are unpatched security vulnerabilities; I can only assume the author meant that the software has _had_ more than its share of vulnerabilities. Even still, that seems like a made-up claim: I suspect that a quantitative study would show that MediaWiki has actually had fewer security vulnerabilities than comparable software (and that's not even counting the disparity in severity/exploitability that Aryeh notes). WordPress, for instance, has 183 entries on the NVD; phpBB has 240. (Analysis using the NVD is somewhat unfair, since it seems to make no distinction between the core software and extensions or derivatives. It's also unclear how comprehensive the NVD is, given that they don't have an entry for the XSS vulnerability Aryeh mentioned.)
Beyond that, I think the article misses the point of open source as regards security. Open source development doesn't automatically prevent holes from appearing (though it can, since code will have more eyes on it before it's deployed); it makes it easier to identify and patch them. Of course, it would be difficult to compare the number of vulnerabilities in open-source software to that in closed-source software, since open-source software developers usually try to publicize vulnerabilities as much as possible, while closed-source software developers usually want to avoid disclosing vulnerabilities.
On Tue, Sep 15, 2009 at 5:12 PM, Aryeh Gregor <Simetrical+wikilist@gmail.com> wrote:
Compare to WordPress, where if you don't keep up-to-date you can get your server taken over and used to send spam (this has been happening recently, I've heard). Not only is that worse for you, it's much more profitable for attackers, so you're likely to see more widespread automatic exploitation. I haven't heard of widespread exploitation of any MW security vulnerability, although it's possible it's happened.
I haven't even heard of _isolated_ exploitation of MediaWiki security holes, let alone anything widespread. Aren't most MW vulnerabilities discovered through audits, code review, or third-party reporting, rather than demonstrated exploitation?