Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.
On twitter see @drupalsecurity.
Is it a Security Risk for Nodes to Have Authorship of "Anonymous" (uid=0)
Hi folks,
Is it a security risk for nodes to have a uid = 0?
I have a client in which I took over an existing site which was migrated from another CMS. The developer migrating the site assigned all the content to uid = 0 (About 1200 nodes).
My gut hates this, but before I tell the client it is a security risk, I want to know why, if it is.
The only thing I can think of is if the anonymous user role had the permission, "edit own content" or some other node permissions.
I would never assign those roles to Anonymous and I'm the only who can assign permissions on the site.
Read moreDrupal Installations Attacked
My server was attacked and code files added and changed on four of about twenty drupal installations I have on the server.
I think I discovered this within 24 hours of it happening.
I've deleted inserted files and reverted changed files back to their previous state. Having these sites under SVN control has been hugely helpful.
As far as I can tell the sites are functioning normally and the databases intact. But I need to do further investigation.
Here is my set-up and what I know.
Read moreRevisiting: Goals of Drupal Security Team - Part 1 brainstorming
From our page in the handbook The security team's stated goals are:
- Resolve reported security issues.
- Provide assistance for contributed module maintainers in resolving security issues.
- Provide documentation on how to write secure code.
- Provide documentation on securing your site
Hacked with c999 shell
Hi All, I was wondering doesn anyone have any info on how to remove the c999 shell from a hacked Drupal install. The hacker was able to upload a file through an old Drupal 6 website which installed this shell in some way. The script that did this was uploaded from the /files/images/ directory. We have upgraded the whole website (core and third party modules) and have it running on a local system now again. However, when browsing some pages, e.g.
Read moreHow to Check Database for Code / Script Injections
I have a question, not sure where to post it. I suffered a hack to a Drupal site. I suspect that the hacker got in through the hosts admin panel and thereby got access to the root via FTP, the Database, everything. I want to be sure that no malicious script or code was injected into the database. Is there a protocol for checking this, specific to the Drupal DB?
If there is a better place to post this, please advise & thanks in advance.
Read moreCross site scripting report on Acunetix vulnerability scanner tool
I got the report from Acunetix tool that site have more than 50 cross site scripting possibilities through url. The tool is reporting the following urls. They are changing urls like /nodeprompt("hi") ; and reporting cross site scripting possibilities. How to solve this in Drupal. Please suggest any one. I post the fix once identified.
/_vti_bin
/content
/misc
/modules
/modules/node
/modules/system
/modules/user
/node
/sites
/sites/all
/sites/all/modules
/sites/all/modules/addthis
/sites/all/modules/cck
/sites/all/modules/cck/modules
Javascript exploit filter
Is there a posibility / module to filter exploided javascript? My editors like to add embeded javascript to the site for new (eg Google Plus) or less used services, but I don't want create security holes by this.
Read moreDrupal Scout Security Training: Learn to attack and protect your site July 25th
On July 25th, just after the Capital Camp, Ben Jeavons and Greg Knaddison from Drupal Scout will be giving a training about how to secure your Drupal site.
The full day course is 450ドル.
It is broken apart into several sections:
- Introduction to philosophy of development with a security focus
- Overview of most common vulnerabilities
- Specific review of Drupal's most common problems
- Cross Site Scripting (XSS)
- Spam/automation
- Cross Site Request Forgeries CSRF
Master - Slave Solution
Hi,
Please bear with me if i am creating this question in the wrong place i am new to Drupal groups.
I manage an enterprise solution for 4 drupal sites very high transactional and with high traffic.
i use pressflow on 6 web servers with memcached and a master slave replication, they seem to be fine but i want to reduce the load on the master so i want to make 2 slave part of the solution, since i am using pressflow with supports master-slave replication solution.
The way we do security vs. bug fix releases is confusing the crap out of people
On the thread about a predictable release cycle for core, a large sub-thread opened up about the fact that everyone, including Dries, hates the way we do security vs. bug fix releases. It's confusing and unclear.
The current policy, explained
I couldn't actually find a handbook page explaining the current policy, so I made one. Here's a copy/paste of that here.
Read moreFlat files on front end server security issue
I am working on installing a Drupal site that allows users to store and display files (.doc, .pdf, .xls, etc) files at a high end secure data center with DMZs and the like. The customer's data center doesn't allow them to have web applications that store flat files on the front end web server machine.
Read moreComodo Certificate Installation: Apache & mod_ssl | ComodoSSLstore.com
Last updated by comodosslstore on Tue, 2011年04月19日 09:49
Installing your Certificate on Apache with mod_ssl
1. Extract all of the contents of the ZIP file that was sent to you and copy/move them to your server. The extracted contents will typically be named: yourDomainName.crt and yourDomainName.ca-bundle
Note: If you received several .crt files in your ZIP file please use this article to make yourDomainName.ca-bundle
2. Move all of the certificate related files to their appropriate directories.
A typical setup:
Read moreNew French laws on security/privacy - Personally Identifiable Information
Crossposted to security group and France group, my apologies for not being able to write this in French. Comments are welcome in French or English, of course.
There are some new French laws on user information and how it is handled which seem to have implications for security.
Hacker News has a thread about this that talks about the actual requirements which seem to be compatible with the way Drupal core works.
Read moreDrupal 6 file permissions on shared host
Hello!
I have installed the module "security review" and it notify me that I have the wrong file permissions.
I have not done any configuration to the file permissions since I recently installed drupal.
My settings
Folder 755 (except for sites/default folder that has 555)
Files 644 (except for settings.php that has 444)
The security review module tells me that everything under sites, modules and themes have the wrong file permissions. (basically the whole drupal installation)
Read moreSecure Drupal and Drupal 7
I am implementing a site that will contain some information that should be secure. I looked up various posts and modules about security and it seems that by default all passwords are sent in clear text across the Internet in D6.
I found little to no information on securing D7 logins or pages.
Is there a simple solution to force the site into https?
Thanks for any advice,
Matt
Read moreDrupal Sites with PHI
I am trying to build a new Patient Portal site for exposing Personal Health Record information to meet Meaningful Use measures of timely access for out EHR. I am planning to expose that PHI through a web service from our EHR and build a custom module in Drupal to make that data accessible through the portal.
I am looking for examples of sites in production or development that expose Protected Health Information through Drupal.
Read moreSecurity updates and profiles/distributions (especially those hosted outside of d.o)
What tools or processes should we follow for profiles that are hosted off drupal.org when they need to be updated for security reasons.
Currently, all of the modules they use that are hosted on drupal.org will get proper security updates but this could be confusing to the end user (if the profile itself hasn't been upgraded to that module).
What about modules that are hosted elsewhere?
What if the download file is only available from other sites and not packaged on drupal.org?
Read moreSecurity session, training, BOF at Drupalcon Chicago
First, if you haven't already you should sign up for Drupalcon Chicago.
This year we've got a relatively small number of sessions at Drupalcon Chicago about security.
- Drupal Security for Coders - this is a presentation on the most common attack scenarios and how to code/configure to protect against them
Securely managing a large number of drupal sites
Hey guys - So, keeping track of what updates are needed on a Drupal site isn't too bad, but what about if you're running 50 sites? I've looked around a few times over the last few months, but I've never found any good discussion on this topic.
I'm building out a new secure Drupal hosting service, and while I'll be able to manage this for the first few months by hand, presuming things go well, it will quickly become more work than I'd like to do, just keeping inventory of the sites, figuring which sites have security patches, etc.
Read moreRedundant database security
This is a cross-post and slight edit of a portion of a post I made in the Usability group concerning my reactions as a Drupal pre-install newbie over the course of the recent Bay Area Drupal camp (BADCamp). This does not concern any specific Drupal vulnerability as I don't know of any vulnerability or even if what follows is accurate. It is just a result of seeing various published Drupal security reports and putting that together which what I saw at BADCamp plus some thoughts of my own. I have not looked at Drupal source code.
Read more