
Is it just me or does Joomla suck a bit?
by Cameron
Ok, maybe I shouldn't be so dismissive, and I'm sure the core Joomla application itself isn't written that poorly, but have a look at this...
http://www.milw0rm.com/search.php?dong=joomla
The ecosystem of add-on scripts for Joomla suffers from some really terrible coding practices. How is it possible that SO MANY Joomla add-ons suffer from SQL injection flaws? Obviously the authors of these modules are not aware of even the most elementary practices for writing secure code, but who's to blame? It's easy to put the voodoo hex on the developers, but these modules are "officially" distributed through the extensions.joomla.org "repository", so why isn't there a basic level of code auditing performed? Or at least a giant warning at the top of the site saying "THESE MODULES MOSTLY SUCK, USE THEM AT YOUR OWN RISK". It's not unusual for a CMS to dictate a certain level of code quality before an extension is granted the official seal of approval (e.g. eZ Publish), and at a far less onerous level it is certainly possible to write automated code-checking tools that pick up the most obvious flaws, such as a request parameter pasted straight into a query string.
It's no secret that we here at Doghouse are huge fans of the Drupal CMS, and their security practices are just one of the many reasons. Let's look at the "black hat" vulnerability archive for Drupal...
http://www.milw0rm.com/search.php?dong=drupal
A grand total of 5, and nothing newer than October 2007! Of course a number of vulnerabilities have been found and patched BEFORE any exploit author got to them, but that seems to be the norm for Drupal: their internal security auditing practices catch bugs before they become a problem. Furthermore, Drupal's vulnerabilities are typically of a less serious nature. Having a look over the Drupal contrib security announcement list...
http://drupal.org/security/contrib
We see that there are fewer vulnerabilities in total, and they are mostly cross-site scripting (XSS) issues. While these still need fixing, they are nothing like as goddamn stupid as http://www.milw0rm.com/exploits/8999. I mean, seriously, the id field?
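Here is the kind of check the "automated code testing tools" remark above is pointing at, applied to exactly the mistake behind the id-field exploit: a lint that flags request input reaching an SQL string with nothing between them. This is an added example written for this post, not code from Joomla, from milw0rm, or from any real extension. The PHP it scans is constructed to look like a Joomla 1.5 component (JFactory::getDBO(), $db->setQuery() and $db->quote() are real Joomla calls, but the component itself is invented), and the list of casts and calls it treats as sanitising is an assumption, not a guarantee of safety:

```python
"""Toy taint lint for the most obvious SQL-injection shape in PHP extensions:
request input reaching an SQL string with no cast, escape or quote in between.
Added example for this post; the PHP it scans is constructed, not a real extension."""
import re

# Untrusted input: PHP request superglobals.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]")
# Ordinary PHP variables (the lookahead keeps superglobals out of this set).
VAR_RE = re.compile(r"\$(?!_)\w+")
# A simple `$var = expr;` statement, used to propagate taint between lines.
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
# Lines that build or run SQL.
SQL_RE = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|WHERE|FROM)\b", re.I)
# Casts and calls that make a value safe inside an SQL string. The names are real
# PHP/Joomla helpers, but treating this fixed list as "sanitised" is an assumption.
SANITIZER_RE = re.compile(
    r"(?:\(int\)|\(float\)|intval\(|floatval\(|->quote\(|->getEscaped\("
    r"|mysql_real_escape_string\(|JRequest::getInt\()",
    re.I,
)

# Constructed Joomla-1.5-style component code: lines 5 and 11 are the bug,
# lines 7 and 9 are the two cheap fixes (quote via the db object, cast to int).
SAMPLE_PHP = """\
<?php
// com_example: constructed sample, not a real extension
$db =& JFactory::getDBO();
$id = $_REQUEST['id'];
$db->setQuery("SELECT * FROM #__example WHERE id = $id");
$rows = $db->loadObjectList();
$name = $db->quote($_POST['name']);
$db->setQuery("SELECT * FROM #__example WHERE name = $name");
$catid = (int) $_GET['catid'];
$db->setQuery("SELECT * FROM #__example WHERE catid = $catid");
$db->setQuery('DELETE FROM #__example WHERE id = ' . $_GET['id']);
"""


def _segment_before(text, pos):
    """Text between the last . , or = and pos: the sub-expression the value sits in."""
    return re.split(r"[.,=]", text[:pos])[-1]


def _unsafe_sources(code, tainted):
    """Return (name, column) for each untrusted value in `code` that is not wrapped
    in a sanitiser within its own sub-expression (concatenation operand or call)."""
    hits = list(SOURCE_RE.finditer(code))
    hits += [m for m in VAR_RE.finditer(code) if m.group(0) in tainted]
    return [
        (m.group(0), m.start())
        for m in sorted(hits, key=lambda m: m.start())
        if not SANITIZER_RE.search(_segment_before(code, m.start()))
    ]


def scan_php(source):
    """Return [(line_no, source_name)] for every SQL line that uses unsanitised input."""
    findings = []
    tainted = set()  # variables currently holding raw request input
    for line_no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):
            continue
        assign = ASSIGN_RE.match(code)
        target, expr = (assign.group(1), assign.group(2)) if assign else (None, code)
        unsafe = _unsafe_sources(expr, tainted)
        if SQL_RE.search(code):
            findings.extend((line_no, name) for name, _col in unsafe)
        if target:
            # The target inherits taint from its right-hand side, and loses it
            # when the right-hand side is sanitised (e.g. `$id = (int) $id;`).
            if unsafe:
                tainted.add(target)
            else:
                tainted.discard(target)
    return findings


if __name__ == "__main__":
    for line_no, name in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: {name} reaches SQL without a cast, escape or quote")
```

Lines 5 and 11 of the sample are the id-field bug in its interpolated and concatenated forms, and both are reported; lines 7 and 9 show the two cheap fixes, quoting through the database object and casting to int, which the scanner correctly leaves alone. It is deliberately crude, a per-line taint set over one file with no real PHP parsing, so it misses anything routed through a function call or an array, but that is the point of the post: the bugs in these exploits are simple enough that even this catches them.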