Beware Drupal, Joomla! plug-in vulnerabilities

  • 1-Mar-2010

IBM has released its IBM Security Solutions X-Force 2009 Trend and Risk Report, and the news for users of popular WCM platforms Drupal, Joomla!, TYPO3, and WordPress is decidedly mixed.

According to IBM's research, while Apache and PHP account for only 0.4 percent and 0.6 percent (respectively) of total reported vulnerabilities, Drupal accounted for 2.7 percent and Joomla! accounted for 2.6 percent. TYPO3 and WordPress fared somewhat better, at 1.5 and 0.4 percent, respectively.

But the more ominous news has to do with patches for security problems involving plug-ins. A whopping 80 percent of the vulnerabilities reported for Joomla! plug-ins (against 13 percent for Drupal plug-ins) had no available security patches by year's end. That compares to 8 percent of Joomla! core system vulnerabilities that had no known patch, and 18 percent of Drupal core vulnerabilities with no patch. If you're a TYPO3 user, you'll find that 51 percent of plug-in vulnerabilities have no patch (versus just 5 percent of core system gotchas), while with WordPress the unpatched plug-in flaws come to 57 percent, versus 13 percent for core.

Bottom line: Systems that are heavily reliant on plug-ins are more apt to have security vulnerabilities for which there is no known patch. Why is this? Even frequently used plug-ins are not always actively maintained and enhanced by their original developers. Our Web CMS evaluation research cites some specific examples across several platforms.
