Drupal flicks fix to nix OpenID admin account hijack hole

Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators. The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system. Drupal's security team say attackers can target unpatched systems if they hold an …

  1. batfastad

    Drupal is

    ... a pile of cr4p. Unfortunately it's the most flexible pile of cr4p there is in the open source CMS world, so I end up seeing it all over the place.

    I've seen 2,000 DB queries per request on some pages with bloat loads of modules/views/whatevers. Scalable.

    1. Awil Onmearse

      Re: Drupal is

      True, many shops go overboard with contrib and this leads to scalability problems, easily enough mitigated with appropriate use of query, object and page caches to relieve the DB.

      Compared to some nameless commercial offerings, with DB schemas over-normalised to within an inch of their miserable lives, core Drupal at least is pretty fleet-of-foot.

      1. batfastad

        Re: Drupal is

        In our testing stock Drupal (with APC and Drupal caching) couldn't match an old fully-loaded Joomla (without APC). When we added APC to Joomla it was game over.

        Please note that I don't like Joomla either, I think all CMSs are a pile of rubbish. But at one site I ended up with APC, Drupal caching, memcached and even then they could only get about 30 req/s.

        In the end, I found the best way to get performance out of Drupal was to not use Drupal. And run Varnish on top. Wooooosh! :)

        Don't even get me started on PHP code being stored in the database and eval()'ed out. That is insanity.
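Added example, not from the article, the commenter or the Drupal project: it contrasts the pattern objected to above (executable PHP stored as content and handed to eval()) with the usual mitigation of storing only an identifier and dispatching to code that lives in version-controlled files. The row structure, function names and the RENDERERS table are all assumptions made for the illustration.

```php
<?php
// Constructed stand-in for a database row; in a real CMS this would come
// from a query. Whoever can write this column can run arbitrary PHP.
$storedRow = ['body' => 'return date("Y");'];

// ANTI-PATTERN: data becomes code. No input validation can make this safe,
// because the stored string *is* the program that runs.
function renderWithEval(array $row): string
{
    return (string) eval($row['body']);
}

// MITIGATION: the database holds only a key; the executable logic is a
// fixed, reviewed table in source control. An attacker with write access
// to content can at most select an existing renderer.
const RENDERERS = [
    'current_year' => 'renderCurrentYear',
    'plain_text'   => 'renderPlainText',
];

function renderCurrentYear(array $row): string
{
    return date('Y');
}

function renderPlainText(array $row): string
{
    // Stored text is escaped for output, never interpreted.
    return htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
}

function renderSafely(array $row): string
{
    $key = $row['renderer'] ?? 'plain_text';
    if (!isset(RENDERERS[$key])) {
        // Unknown key: fall back to inert output rather than failing open.
        $key = 'plain_text';
    }
    return RENDERERS[$key]($row);
}

echo renderWithEval($storedRow), PHP_EOL;                                   // year, via eval
echo renderSafely(['renderer' => 'current_year', 'body' => '']), PHP_EOL;   // year, no eval
// A row carrying something that looks like code is rendered as inert text.
echo renderSafely(['renderer' => 'plain_text', 'body' => '<?php echo 1; ?>']), PHP_EOL;
```

The dispatch table is the whole point: the set of things the application can execute is fixed at deploy time and reviewed like any other code, so a content-editing account (or an OpenID login flaw that yields one) does not become a code-execution path.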

  2. Vincent Ballard

    WTF?

    Mitigated?

    Verisign, LiveJournal, or StackExchange? It's not hard to sign up for an account with at least two of those three, so that's hardly a mitigation.
