I read your recent report, BlindElephant - BlackHatUSA2010 - Community.pdf.
In the report you show that all Drupal versions below 6.16 are vulnerable (slide 36 shows this). In fact, Drupal's standard is to support 2 major branches of code; currently those are 5.x and 6.x. Users on Drupal 5.22 or 6.16 or 6.17 are currently on the latest recommended release.
Can you clarify if this was an oversight in the report or whether you are claiming that there are critical vulnerabilities in Drupal 5.22?
Hi Greg,
You're absolutely right; I didn't account for parallel code branches. I know that many projects do keep some version of "stable" and "old stable" distributions, and I did give numbers based on the simplifying assumption of a single "latest with no reported vulns" version because it's slightly easier to convey and doesn't meaningfully affect the results.
If I take into account that 5.22 and 5.x-dev have the same security stance as 6.x (latest), the % of folks running versions with advisories against them drops only 1.3% (from 70.59% to 69.3%). I hope you will agree that while it was a simplifying assumption, it doesn't misrepresent the data on the general population. I could have made that explicit in the whitepaper and talk, and I'll make sure to do so in future discussions and updates.
Thoughts?
Cheers,
Patrick
EDIT:
We have released an updated version of the whitepaper and slides to clarify this issue across all fingerprinted projects. See Updates and Clarifications to BlindElephant Web Application Survey Report – Version 2.0 for full information.
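The methodological point in the exchange above (one global "latest with no reported vulns" version versus a per-branch "oldest release with no open advisory") is easy to get wrong when summarising fingerprinting results, so here is an added example of the recalculation. It is not code from the thread or from the BlindElephant project; the version counts, the `share_with_advisories` function and the "safe floor" per branch are constructed for illustration and do not reproduce the survey's own 70.59% / 69.3% figures.

```python
from collections import Counter

# Constructed sample: fingerprinted Drupal version -> number of hosts observed.
# Versions and counts are invented for this example, not survey data.
SAMPLE = Counter({
    "6.17": 30, "6.16": 10, "6.10": 20,
    "5.22": 15, "5.20": 10, "5.x-dev": 5,
    "4.7.11": 10,
})

# Oldest release in each supported branch that has no open security advisory
# (hypothetical values for the example). A branch absent here is unsupported.
SAFE_FLOOR_BY_BRANCH = {5: "5.22", 6: "6.16"}


def parse_version(v):
    """Turn '6.16' into (6, 16); treat 'N.x-dev' as newest in branch N."""
    parts = v.split(".")
    if parts[-1] == "x-dev":
        return tuple(int(p) for p in parts[:-1]) + (float("inf"),)
    return tuple(int(p) for p in parts)


def branch_of(v):
    return parse_version(v)[0]


def share_with_advisories(observed, safe_floor_by_branch, per_branch=True):
    """Percentage of hosts running a version with advisories against it.

    per_branch=True  : a host is current if it is at or above its own
                       branch's safe floor (parallel branches respected).
    per_branch=False : the simplifying assumption, one global latest version;
                       anything older, including a current old-stable branch,
                       counts as having advisories.
    """
    total = sum(observed.values())
    if per_branch:
        def outdated(v):
            floor = safe_floor_by_branch.get(branch_of(v))
            if floor is None:          # unsupported branch: no fixes shipped
                return True
            return parse_version(v) < parse_version(floor)
    else:
        global_latest = max(safe_floor_by_branch.values(), key=parse_version)

        def outdated(v):
            return parse_version(v) < parse_version(global_latest)

    behind = sum(n for v, n in observed.items() if outdated(v))
    return round(100.0 * behind / total, 2)


def compare_assumptions(observed, safe_floor_by_branch):
    """Both figures side by side, plus how much the simplification overstates."""
    single = share_with_advisories(observed, safe_floor_by_branch, per_branch=False)
    branches = share_with_advisories(observed, safe_floor_by_branch, per_branch=True)
    return {"single_latest": single, "per_branch": branches,
            "overstated_by_points": round(single - branches, 2)}


if __name__ == "__main__":
    print(compare_assumptions(SAMPLE, SAFE_FLOOR_BY_BRANCH))
```

With the constructed sample, the single-latest assumption classifies the whole 5.x branch (5.22 and 5.x-dev included) as behind, so the two figures differ far more than the 1.3 points reported for the real survey; the gap is entirely a function of how many hosts sit on a current old-stable branch.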