Elgg Security

I was having a discussion the other day with a few co-workers, 2 sys-admins and a project manager, and they asked me my opinion of Elgg.  From a developer's perspective I said I thought it was great, but they had 2 main reservations.  One is security, which I'll detail here, and the other is plugin handling, and I'll start a separate topic on that.

One of the sys-admins actually manages a live Elgg 1.7 site, with probably 5000 active users and 120 plugins.  He hates it.  Although he declined to say how (or why he hadn't reported anything), he claimed that with no knowledge of admin credentials, he could compromise the site within 10 min.  We were also talking Drupal, as that's the project I'm on, and he seemed to believe that Drupal is far more secure.  Therefore I'm assuming his potential compromise would be Elgg-core-specific.

I'm not entirely sure I believe his claim, but it does make me wonder - what does everyone else think?  I myself haven't had any problems, but I also haven't really done an assessment.  I know that reasonable measures have been taken to prevent SQL injection and cross-site scripting, but overall, how does Elgg core security compare to Drupal?

(also, while discussing, if there are any security issues pending please don't be specific enough to make such information public, let's be sensible)

  • Dhrup - There was big emphasis placed on adding security tokens from Elgg 1.5 through Elgg 1.7. I think that was done partially in a response to that class. I wasn't on the core team then so I don't know how much communication occurred, but I think there was some.

  • Friends, since I know a bit of ELGG and a lot of Drupal, my two cents:

    Both are VERY secure. Period.

    Drupal has an advantage: role systems and taxonomy access. The first allows a role system for every plugin, view and action. The plugin exposes the role and you associate the role with a user's group. And the taxonomy access allows role systems for content. So the content "Cinema" can be read only, and the content "Music" can be read/write.

    It is very mature, but on the other side, it is near impossible to create a good social network with Drupal. Drupal was designed to be a good CMS with social features. It's better than WordPress and maybe better than 99% of the CMSs around the world. But developing new plugins and doing trivial tasks like complex profiles and friendship management requires a lot of customization.

    Your "friend" may know those differences and know that ELGG is poor in role systems. But ELGG works very well without it. ELGG is not a CMS, ELGG is an "in a box" social network engine.

    I am thinking about a roles system for ELGG, but it is something for the future. I didn't mention it until now because I am very busy with more important ELGG projects, and a feature like that requires the ELGG core developers' support.

    No need for flamewars here. CMS and complex roles = Drupal. Social network and simple roles = ELGG.

  • No flamewar intended.  I understand that both frameworks are ultimately tools, and different tools serve different purposes.  The only reason the comparison was being discussed is because we have one project using Elgg (where Elgg is the appropriate platform for the requirements) and one based in Drupal (where Drupal is also the appropriate choice).

    So when discussing Elgg in that setting, it's only natural that certain aspects get compared to Drupal.  Believe me, when I'm spending a ton of time trying to work out some arcane and poorly documented part of their CCK form API (which is different from the "regular" form API) I make comparisons back to Elgg that put Drupal in a less than stellar light.  This, again, is from the developer's perspective.

    The question ultimately came down to "Assuming that Drupal is a good benchmark for being production-ready in terms of security, is Elgg production ready?"

    I said: "I think so"

    The one guy said: "Definitely not"

    And the other two said: "I don't know, but based on what he's saying I have my reservations..."

    So thanks for the feedback everyone.  I'll be sharing this thread with the other two interested parties.

  • Matt, good point. And Drupal is hard to develop. And someone had a "great" idea replacing 99% of the plugins with CCK and Views. (CCK to store, Views to, well, view). It's a powerful framework, but I like the ELGG API. It's very easy to develop.

    But, again: Drupal's role system is powerful. But, concerning security, both ELGG and Drupal are very secure. Both cores are highly maintained and have good support from the community.

    Talking about Drupal and ELGG is like talking about cars and planes.