Comparison of PHP-based CMS

Are you using, or considering using, the open source CMS TYPO3? Have a look below to understand why TYPO3 is a good choice with regard to security.

Of course I'm biased, being a member of the TYPO3 Security Team. However, I'm trying to compare Drupal, eZ Publish, Joomla and TYPO3 as impartially as possible, based on facts.

Number of Security Advisories

2008

| | Drupal | eZ Publish | Joomla | TYPO3 |
|---|---|---|---|---|
| Count | 11 | 4 | 8 | 3 |
| | SA-2008-005 | EZSA-2008-001 | CVE-2008-1533 | TYPO3-20080611-1 |
| | SA-2008-006 | EZSA-2008-002 | CVE-2008-5671 | TYPO3-20081113-1 |
| | SA-2008-007 | EZSA-2008-003 | CVE-2008-3225 | TYPO3-20081113-2 |
| | SA-2008-018 | EZSA-2008-004 | CVE-2008-3681 | |
| | SA-2008-026 | | 20080901 | |
| | SA-2008-044 | | 20080902 | |
| | SA-2008-046 | | 20080903 | |
| | SA-2008-047 | | 20080904 | |
| | SA-2008-060 | | 20081101 | |
| | SA-2008-067 | | 20081102 | |
| | SA-2008-073 | | | |

You will probably notice the mixture of advisory IDs and link resources for Joomla. The reason is that Joomla only started to list advisories on their website in a uniform way late in 2008. Earlier advisories are either no longer available or hidden in Joomla upgrade news postings.

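2009 (as of October 26th)

| | Drupal | eZ Publish | Joomla | TYPO3 |
|---|---|---|---|---|
| Count | 8 | 5 | 15 | 3 |
| | SA-CORE-2009-001 | EZSA-2009-001 | 20090101 | TYPO3-SA-2009-001 |
| | SA-CORE-2009-002 | EZSA-2009-002 | 20090102 | TYPO3-SA-2009-002 |
| | SA-CORE-2009-003 | EZSA-2009-003 | 20090301 | TYPO3-SA-2009-016 |
| | SA-CORE-2009-004 | EZSA-2009-004 | 20090302 | |
| | SA-CORE-2009-005 | EZSA-2009-005 | 20090601 | |
| | SA-CORE-2009-006 | | 20090602 | |
| | SA-CORE-2009-007 | | 20090603 | |
| | SA-CORE-2009-008 | | 20090604 | |
| | | | 20090605 | |
| | | | 20090606 | |
| | | | 20090722 | |
| | | | 20090722 | |
| | | | 20090723 | |
| | | | 20091103 | |
| | | | 20091103 | |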

Conclusion

How should the above numbers be interpreted?

Well, TYPO3 administrators need to upgrade the CMS core for security fixes less often than administrators of any other CMS listed here.

Total of Common Vulnerability Scoring System

CVSS (Common Vulnerability Scoring System) is a framework for standardizing vulnerability scoring (that is, severity). A number of individual vulnerability characteristics are combined into a final score.

It therefore allows vulnerabilities to be compared across domain boundaries.

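CVSS v2 Base Score 2008

| | Drupal | eZ Publish | Joomla | TYPO3 |
|---|---|---|---|---|
| Total | 167.2 | - / - | 55.3 | 19.4 |
| | 4.3 | no CVE available | 6.8 | 6.5 |
| | 4.3 | | 7.5 | 4.3 |
| | 2.6 | | 10.0 | 4.3 |
| | 3.5 | | 7.5 | 4.3 |
| | 4.3 | | 7.5 | |
| | 6.4 | | 7.5 | |
| | 4.3 | | 5.0 | |
| | 5.0 | | 3.5 | |
| | 6.8 | | | |
| | 4.3 | | | |
| | 7.5 | | | |
| | 7.5 | | | |
| | 4.3 | | | |
| | 3.5 | | | |
| | 6.5 | | | |
| | 5.8 | | | |
| | 5.8 | | | |
| | 5.5 | | | |
| | 5.0 | | | |
| | 6.0 | | | |
| | 6.0 | | | |
| | 6.0 | | | |
| | 6.0 | | | |
| | 7.5 | | | |
| | 3.5 | | | |
| | 9.3 | | | |
| | 7.5 | | | |
| | 6.4 | | | |
| | 4.3 | | | |
| | 7.5 | | | |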

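CVSS v2 Base Score 2009 (as of November 5)

| | Drupal | eZ Publish | Joomla | TYPO3 |
|---|---|---|---|---|
| Total | 27.9 | | 27.3 | 83.0 |
| | 4.3 | no CVE available | 5.0 | 5.0 |
| | 4.3 | | 2.6 | 7.5 |
| | 3.5 | | 6.8 | 4.3 |
| | 6.5 | | 4.3 | 10.0 |
| | 4.3 | | 4.3 | 5.0 |
| | 5.0 | | 4.3 | 4.3 |
| | | | | 4.0 |
| | | | | 3.5 |
| | | | | 4.0 |
| | | | | 8.5 |
| | | | | 6.5 |
| | | | | 4.3 |
| | | | | 4.3 |
| | | | | 7.5 |
| | | | | 4.3 |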

CVSS v2 Base Score 2010 (as of January 30)

| | Drupal | eZ Publish | Joomla | TYPO3 |
|---|---|---|---|---|
| Total | n/a | n/a | n/a | n/a |
| | no CVE available | no CVE available | no CVE available | n/a |

Conclusion

How should the above numbers be interpreted?

Well, reported TYPO3 vulnerabilities are overall less severe than those of Drupal or Joomla.
