Web Application Security (was Re: universe demotion: Moodle)

Stephan Hermann sh at sourcecode.de
Wed Jan 27 09:51:58 GMT 2010

Good Morning Kees and all :)

On Tue, 26 Jan 2010 11:12:50 -0800
Kees Cook <kees at ubuntu.com> wrote:

> Hi Stephan,
> On Tue, Jan 26, 2010 at 07:30:50PM +0100, Stephan Hermann wrote:
> > Is there any effort (despite this mail) to establish a working
> > group to provide a more stable and secure platform of "Ubuntu" for
> > Web Applications?
> Not that I'm aware of; sounds like a great idea.

I thought about that for a long time now, because seeing the situation
of Drupal or Wordpress (forget about typo3 or other webapps here) in
Debian/Ubuntu that not so many people focussing on getting security
updates for those popular webapps. mostly it's a drive by security
patch when people are interested in special situations.

I think we need here a better webapp infrastructure, if we want to push
it into the main pocket.

> > Just read this mail as a start for a discussion to make Ubuntu OS as
> > the No. 1 Platform for Wordpress or Drupal or Typo3 :)
> I'm seriously considering not allowing any web application into main
> without a functional AppArmor profile.  This is especially true for
> anything written in PHP as authors frequently do not follow safe
> input, output, database, or subshell filtering practices, even though
> functions exist to handle it safely.

Is there any good howto/tutorial how to secure a webapp with db access
etc. with AppArmor? 
Btw, I'm not proposing webapps to go into main, but that we have a good
infrastructure to use webapps not from upstream directly but from
Ubuntu/Debian archives (which makes the sysadmin life much easier ;))

> I like Drupal because they try to force module authors into only using
> Drupal interfaces, rather than just arbitrary PHP functions to
> interact with the input, output, and database.  And, Drupal actually
> has a good track-record.  Their security patches are usually clean
> and easy to find. That said, module authors are still getting into
> trouble anyway.

Correct. But that's true for any module/plugin based webapp afaik.

> The security history[1] of extensions with CVEs for any of
> Wordpress(49), Drupal(179), or Typo3(150) is very bad.  :(



| Stephan '\sh' Hermann    | OSS Dev / SysAdmin         |
| JID: sh at linux-server.org | http://www.sourcecode.de/  | 
| GPG ID: 0xC098EFA8	   | http://leonov.tv/          |
| FP: 3D8B 5138 0852 DA7A B83F DCCB C189 E733 C098 EFA8 |

More information about the ubuntu-devel mailing list