1.4. The Most Common Vulnerabilities
Looking back at all security announcements that have been posted on drupal.org since 2005, you can see which are the most common types of vulnerabilities; the vulnerabilities by type for Drupal core that have been contributed since they were reported publicly are shown in Table 1-1. Cross-site scripting is the single most common issue. The ratio of problems is relatively consistent between core and contributed modules.
This table shows us that over time the most common problem has been cross-site scripting, which is also a very dangerous problem. Recent changes to Drupal core will help to reduce this problem somewhat, but it is still one of the biggest areas that need attention.
Comparing core versus contributed modules, it's clear that contributed modules are a source of a lot more occurrences—more than two times as many—although when you look at vulnerabilities per line of code, core has had more announced vulnerabilities than contributed modules. Of course, this analysis covers only the issues that were reported to the Drupal security team. There are many more issues that haven't been found yet or that a maintainer silently fixed.
| VULNERABILITY | OCCURRENCES | OCCURRENCES AS A PERCENT OF THE TOTAL |
|---|---|---|
| XSS | 55 | 44 |
| Access bypass | 17 | 14 |
| CSRF | 12 | 10 |
| SQL injection | 12 | 10 |
| Code execution | 10 | 8 |
| Clarifications and announcements | 4 | 3 |
| Session fixation | 3 | 2 |
| Privilege escalation | 2 | 4 |
| Arbitrary file upload | 2 | 4 |
| Mail header ... |
Get Cracking Drupal®: A Drop in the Bucket now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
