Textpattern CMS support forum
WordPress security vs. Textpattern
Is it possible for this sort of thing to happen with Textpattern? If so, how can it be prevented?
Mark
Re: WordPress security vs. Textpattern
If you ask if it’s possible that someone finds a security issue in Textpattern, then the answer is obviously “yes”. While Textpattern has a pretty good track record when it comes to security (much better than WordPress), that does not guarantee that it doesn’t still contain a security vulnerability.
There’s only one way to prevent that: carefully check the Textpattern source code for possible vulnerabilities and fix them. Unfortunately, unless you have some basic knowledge of programming and security, it’s not an easy thing to do. It’s very time-consuming. The fact that the TXP code base is getting bigger each release doesn’t help (but who cares as long as we get more new features). Oh and don’t forget plugins which may introduce security vulnerabilities.
What the article you referred to failed to mention is what exactly the security vulnerability was. I suspect it’s this one.
Re: WordPress security vs. Textpattern
mwr wrote:
Is it possible for this sort of thing to happen with Textpattern?
Actually, it’s like really boring around here, nothing exciting ever happens, makes me want to switch over to WordPress to get my adrenaline going ;)
Seriously though, Lorelle’s post sounds frightening but WordPress is at the top, run by millions of people. Whatever happens in that camp is magnified, but the same thing happens in other projects quite frequently.
To reiterate what ruud said, security is up to you, pick wisely.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: WordPress security vs. Textpattern
ruud wrote:
What the article you referred to failed to mention is what exactly the security vulnerability was. I suspect it’s this one.
This particular worm […] uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure
Apparently, WordPress eval()’d the custom permalink pattern in past versions. The worm includes a path component containing eval($_SERVER['HTTP_REFERER']), which obviously opens a few possibilities when used with clout.
I think Textpattern CMS has at least two barriers which reduce (not eliminate) risks as compared to WordPress:
- No unattended user registration, thus smaller attack surface.
- Only four front controller entry points: /index.php, /css.php, /textpattern/index.php, and /rpc/index.php. WordPress has a few more, and some of them are unintentional.
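To make the permalink point in the post above concrete, here is an added illustration (constructed for this thread, not code from WordPress, Textpattern, or any poster) of the difference between expanding a permalink structure by eval()’ing it and treating it as data with an allowlist of tokens; the pattern, tokens and post values are assumptions:

```php
<?php
// Constructed example: a permalink structure such as "/%year%/%postname%/"
// expanded two ways. Neither function is real WordPress or Textpattern code.

// Unsafe: the pattern is turned into PHP source and eval()'d. Whatever text
// reaches the pattern (or is interpolated into it) becomes executable code.
function expand_permalink_eval(string $pattern, array $post): string
{
    $code = '$out = "' . str_replace(
        ['%year%', '%postname%'],
        ['" . $post["year"] . "', '" . $post["name"] . "'],
        $pattern
    ) . '";';
    eval($code);   // a pattern containing a stray quote ends the string and runs PHP
    return $out;
}

// Safe: the pattern stays data. Only known tokens are substituted, values are
// URL-encoded, and any token outside the allowlist is refused outright.
function expand_permalink_safe(string $pattern, array $post): string
{
    $allowed = [
        '%year%'     => fn() => sprintf('%04d', (int) $post['year']),
        '%postname%' => fn() => rawurlencode($post['name']),
    ];
    if (preg_match_all('/%[a-z_]+%/', $pattern, $m)) {
        foreach ($m[0] as $tok) {
            if (!isset($allowed[$tok])) {
                throw new InvalidArgumentException("unknown token $tok");
            }
        }
    }
    // array_map on a single array keeps the string keys strtr() needs.
    return strtr($pattern, array_map(fn($f) => $f(), $allowed));
}

$post = ['year' => 2008, 'name' => 'hello world'];   // constructed post data
echo expand_permalink_safe('/%year%/%postname%/', $post), "\n";

// An unexpected token is rejected instead of being interpreted.
try {
    expand_permalink_safe('/%year%/%unknown%/', $post);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The defensive point is that the safe variant never hands attacker-influenced text to the PHP parser, so there is no code path for a request header to reach eval() at all.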