I read your recent report BlindElephant - BlackHatUSA2010 - Community.pdf
In the report you show that all Drupal versions below 6.16 are vulnerable (slide 36 shows this). In fact Drupal's standard is to support 2 major branches of code, currently those are 5.x and 6.x. Users on Drupal 5.22 or 6.16 or 6.17 are currently on the latest recommended release.
Can you clarify if this was an oversight in the report or whether you are claiming that there are critical vulnerabilities in Drupal 5.22?
Yes, from looking at the charts it was clear that it wouldn't impact the results very much.
Thanks for entertaining the feedback and updating the pdf/slides.
On slide 55 of the presentation you point at the "File upload" vulnerability with the bubble "Wha-whaaa" - I guess that's a sad-trombone sound? Can you clarify the intent and context of using that SA and that vulnerability from that SA? I guess ideally I'd love to see a video of your presentation, but I can't find it online (only mentions of the stream getting hacked...).
Hi Greg,
You're absolutely right; I didn't account for parallel code branches. I know that many projects do keep some version of "stable" and "old stable" distributions, and I did give numbers based on the simplifying assumption of a single "latest with no reported vulns" version because it's slightly easier to convey and doesn't meaningfully affect the results.
If I take into account that 5.22 and 5.x-dev have the same security stance as 6.x (latest), the % of folks running versions with advisories against them drops only 1.3% (from 70.59% to 69.3%). I hope you will agree that while it was a simplifying assumption, it doesn't misrepresent the data on the general population. I could have made that explicit in the whitepaper and talk, and I'll make sure to do so in future discussions and updates.
Thoughts?
Cheers,
Patrick
EDIT:
We have released an updated version of the whitepaper and slides to clarify this issue across all fingerprinted projects. See Updates and Clarifications to BlindElephant Web Application Survey Report – Version 2.0 for full information.