Security

Events happening in the community are now at Drupal community events on www.drupal.org.

Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Recommendation for Drupal 7 Books that cover security?

Posted by RedUhl on October 29, 2012 at 8:53pm

I looked at the two books suggested but they are for Drupal 6. Is there a good book that handles security for Drupal 7?

Read more

Drupal Development Best Practices Training in Downtown Los Angeles on November 16, 2012

Posted by christefano on October 21, 2012 at 8:07pm
Start:
2012年11月16日 10:00 - 17:00 America/Los_Angeles
Event type:
Training (free or commercial)

Join us on November 16, 2012 in Downtown Los Angeles for Drupal Development Best Practices, a full day of Drupal training! This training is being produced by Exaltation of Larks, a Drupal strategy, development, consulting and training firm with a team of experts in Los Angeles.

Sign up today at http://www.larks.la/training

Exaltation of Larks - Expert Drupal strategy, consulting, development and training This one-day workshop gives you a comprehensive tutorial on the right way to manage your Drupal website. You'll learn about version control for your code and ways to manage changes in your data. You’ll also see how the Features module can enable you to keep your configuration changes in version control.

We'll cover industry-approved deployment strategies that let you move smoothly through development, testing and live environments. You’ll get a high-level overview of how to modify the way your site looks by sub-theming, preventing hours of frustration should your original theme be updated.

What you will learn:

  • Using version control with Drupal
  • Maintaining development, testing and production environments
  • Managing configuration changes using the Features module
  • Creating a basic sub-theme
  • Creating a basic module
  • Understanding Drupal’s API and the hook system
Read more

Enabling the overlay module for anonymous: Security risks

Posted by cubeinspire on October 21, 2012 at 8:03pm

Hi,

I'm reviewing a sandbox project for Drupal7 called Overlay Links that encourage to enable the overlay module for anonymous users.
review comment: http://drupal.org/node/1811482#comment-6609236

I've read on some blog that doing this have security concerns, but there was no more details about that.
blog link: http://www.drupalgardens.com/documentation/site-management/admin-theme

Do you have any details about the security implications of enabling the permission Access the administrative overlay to anonymous users ?

Read more
5 comments Categories: ,

Encrypting and decrypting content in Drupal

Posted by greggles on October 1, 2012 at 4:43pm
Last updated by chandeepkhosa on Mon, 2017年11月06日 11:15

There are at least two modules to do encryption in Drupal. This page compares those modules to help people choose a good one.

Last updated: 6 November, 2017

  • Encrypt
    • Includes multiple encryption methods from simple to complex depending on libraries available on the server
    • Focused on being a simple API that doesn't do much on its own
    • Uses CTools plugins for encryption methods and key providers
    • Contains unit tests for all the features
Read more

Let's implement the sanitization bazooka: Autosanitization

Posted by geek-merlin on September 18, 2012 at 1:09pm

Abstract

Wrong sanitization of user supplied strings, resulting in CSRF security issues, accounts for the vast majority of security announcements. Autosanitization (exactly: proper context stack aware autosanitization) would be the bazooka to end this once and for all. It is in reach und would be a unique feature among notable open source frameworks. The implementation requirements are described. Research is needed as of the D8 core requirements necessary to implement this in contrib land.

Anatomy of a sanitization issue

Consider a node title that is rendered like this:

Read more

Security team documentation now public - please help edit!

Posted by greggles on August 29, 2012 at 4:41pm

For a long time the security team documentation has grown in fits and starts inside of security.drupal.org with a somewhat challenging organization. About 9 months ago I started a process to archive unnecessary/outdated items, consolidate the good stuff, and organize it into a single google document for editing to allow people outside the team to help. Since then, several people helped out and in the last week (starting at Drupalcon Munich) Ben Jeavons and I moved it all to public book pages on Drupal.org. You can now find the previously private content inside:

Read more

Planning for Security implications of using external libraries

Posted by greggles on August 28, 2012 at 3:41pm
Last updated by scor on Tue, 2012年08月28日 16:52

At Drupalcon Munich there was some discussion about introducing Symfony into Drupal and what that will mean for our security processes. Let's document our ideal scenarios for what we want an external library's maintainers to do before we incorporate it into Drupal. This should provide a framework for discussion with Symfony, but also potentially other libraries (e.g. Guzzle).

  • The project should have a simple, well documented way to report bugs
Read more

Drupal Security Sprint (s.d.o, security issues)

Posted by greggles on August 20, 2012 at 11:19am
Start:
2012年08月24日 09:00 - 17:00 Europe/Berlin
Organizers:
Event type:
Sprint
  • Interested in joining the Drupal Security Team?
  • Want help to fix a vulnerability in a module you maintain?
  • Want to learn about the team's process by helping us edit our own documentation and publishing it on drupal.org?
  • Want to work on core security improvements with like-minded individuals

Come work with some of Drupal's Security Team members at Drupalcon Munich.

Having some skills in writing secure code are helpful for some of the tasks, but not all.

Read more

Blogs and security

Posted by joyseeker on August 3, 2012 at 6:03am

Hopefully, this is the best place to post this -- if not, I'd love some direction where to find answers.

I have a D6 site with blogs, and my database is being attacked. There's spam comments in the database, but since I have comments turned off for now, they do not display. I even have the site set up to approve registration, but I see from the Drupal logs that people are becoming active without my intervention.

On StatCounter, I see 2 types of URLs that may have clues -- can you tell me what type of attack it is? And maybe how to prevent it?

Read more

Mirror Drupal.org - Possible?

Posted by wrfeldmann on July 27, 2012 at 7:42pm

I have a situation where a few of our drupal installations are not allowed to access the internet. They can be accessed from the internet. Because of this, the Reports page always shows that Drupal core update status, HTTP request status, Module and theme update status Fail to get available update data or just plain fail.

Read more

SFTP for update manager uploading of themes in Drupal 7

Posted by gwhiz on July 20, 2012 at 7:29am

We are trying to understand how to use the Drupal7 update manager UI to install themes using the Appearance tab->install new theme box interface.

What is the flow of operation / modules when a URL is pasted into the admin UM UI dialogue?

Read more
10 comments Categories: , ,

Writing code to disk securely

Posted by Crell on July 4, 2012 at 6:29am

Greg asked me to post this here as a notice. There's a discussion in the Core issue queue about ways to write generated code to disk in a secure fashion. I won't reiterate everything from that thread, other than we think we've found a solution but it needs vetting from the security team. Any input there would be welcome. Thanks.

Read more

Drupal modules for Two-Factor-Authentication

Posted by greggles on June 6, 2012 at 10:48pm
Last updated by kim.pepper on Mon, 2024年03月25日 04:00

Two factor authentication is becoming more popular as more and more sites get hacked based on password alone.

  • Two Factor Auth - A framework to support a variety of methods as the second factor. The TFA Basic modules provides support for TOTP, recovery codes and SMS via Twilio. These modules are used on drupal.org to provide two factor authentication.
  • GA Login uses the Google Authenticator software and smartphone app
Read more

ENHANCING SECURE CODE REVIEW MODULE

Posted by udaksh on May 31, 2012 at 3:19pm

Hello all ,

I am doing GSoC project on enhancing secure code review that is an automated tool to locate vulnerabilities in the code .

You can find my project page on this link :-Security Review and GSoC Project proposal here :- Proposal on Melange

I have an approach that can help in locating xss vulnerabilities .Please provide me your feedback,suggestions and your opinions about this approach.

Read more

Dealing with Denial of Service

Posted by greggles on May 23, 2012 at 12:26pm

There's a Drupalcon munich proposal about DOS but I thought maybe we could discuss it here as well in advance (or in case it's not accepted).

What kinds of attacks are people saying? Drupal specific, generic?

What tools do you use to defend against the attacks? What seem most effective? Any tools that you use regardless of budget or even if the budget is small?

Read more

security docs update

Posted by greggles on May 22, 2012 at 9:41pm

There's a comment on the impersonating a user safely documentation page that says it needs to be updated. I'll admit I haven't tried this out and am unsure. Can anyone say whether this is the right way to do it?

It's probably worth doing a general review of all the security docs pages on a regular basis.

Some top level pages that people can review:
* Writing secure code
* Secure Configuration

We should review those top level pages and the sub-pages.

Read more
Categories:

Response to Drupal 7.14 <= Full Path Disclosure Vulnerability

Posted by greggles on May 14, 2012 at 2:17am

There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability"

As a response to this and the entire class of issues (that our error messages are optimized for usability over security) I've posted this faq entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Please help improve that page to provide any additional, useful guidance.

Edit: For search engines: This has now been assigned CVE-2012-2922.

Read more
4 comments Categories:

Site hacked

Posted by Aleet on May 4, 2012 at 12:38am

Hello, I have a 4.7.11 site that is suddenly displays rotating ads below the footer: http://projectharambee.org/

I didn't find anything changed in index.php in the root and page.tpl.php in the bluemarine theme folder.

The code for the ad does NOT show up in the source code of the page output. I don't understand how that is possible.

Would you please suggest what else to check and how to prevent this from happening in the future?

Read more

Disable execution of PHP in the files/ directory

Posted by greggles on April 20, 2012 at 9:57pm

SA 2006-006 makes it impossible to execute php inside the Drupal files directory on Apache servers. This is a defense in depth mechanism along with things like file_munge_filename and file extension limits in php.

Windows doesn't benefit from that change since the change was in .htaccess.

Is there a way to prevent IIS from executing files inside a specific directory? Is there some way we can bundle that up and ship it with Drupal like the web.config?

Read more
4 comments Categories: ,

Charging clients for when Drupal security updates cause incompatibility issues

Posted by itomic on April 15, 2012 at 12:47am

(please note that I write this article as a business owner, not an experienced Drupal dev!)

Our company charges an annual fee for identifying and applying security updates/patches for the Drupal sites we've designed, built, host and maintain.

Read more
Categories:
Subscribe with RSS Syndicate content

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /