Security

Events happening in the community are now at Drupal community events on www.drupal.org.

Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Is it a Security Risk for Nodes to Have Authorship of "Anonymous" (uid=0)

Posted by Shai on September 22, 2011 at 4:42pm

Hi folks,

Is it a security risk for nodes to have a uid = 0?

I have a client in which I took over an existing site which was migrated from another CMS. The developer migrating the site assigned all the content to uid = 0 (About 1200 nodes).

My gut hates this, but before I tell the client it is a security risk, I want to know why, if it is.

The only thing I can think of is if the anonymous user role had the permission, "edit own content" or some other node permissions.

I would never assign those roles to Anonymous and I'm the only who can assign permissions on the site.

Read more

Drupal Installations Attacked

Posted by Shai on September 15, 2011 at 2:34pm

My server was attacked and code files added and changed on four of about twenty drupal installations I have on the server.

I think I discovered this within 24 hours of it happening.

I've deleted inserted files and reverted changed files back to their previous state. Having these sites under SVN control has been hugely helpful.

As far as I can tell the sites are functioning normally and the databases intact. But I need to do further investigation.

Here is my set-up and what I know.

Read more

Revisiting: Goals of Drupal Security Team - Part 1 brainstorming

Posted by greggles on August 22, 2011 at 6:23pm
Last updated by greggles on Wed, 2016年11月23日 14:17

From our page in the handbook The security team's stated goals are:

  • Resolve reported security issues.
  • Provide assistance for contributed module maintainers in resolving security issues.
  • Provide documentation on how to write secure code.
  • Provide documentation on securing your site
Read more

Hacked with c999 shell

Posted by amax on August 19, 2011 at 12:50pm

Hi All, I was wondering doesn anyone have any info on how to remove the c999 shell from a hacked Drupal install. The hacker was able to upload a file through an old Drupal 6 website which installed this shell in some way. The script that did this was uploaded from the /files/images/ directory. We have upgraded the whole website (core and third party modules) and have it running on a local system now again. However, when browsing some pages, e.g.

Read more

How to Check Database for Code / Script Injections

Posted by RKopacz on August 13, 2011 at 12:30pm

I have a question, not sure where to post it. I suffered a hack to a Drupal site. I suspect that the hacker got in through the hosts admin panel and thereby got access to the root via FTP, the Database, everything. I want to be sure that no malicious script or code was injected into the database. Is there a protocol for checking this, specific to the Drupal DB?

If there is a better place to post this, please advise & thanks in advance.

Read more
10 comments Categories:

Cross site scripting report on Acunetix vulnerability scanner tool

Posted by navaneeth_r on August 4, 2011 at 7:32am

I got the report from Acunetix tool that site have more than 50 cross site scripting possibilities through url. The tool is reporting the following urls. They are changing urls like /nodeprompt("hi") ; and reporting cross site scripting possibilities. How to solve this in Drupal. Please suggest any one. I post the fix once identified.

/_vti_bin
/content
/misc
/modules
/modules/node
/modules/system
/modules/user
/node
/sites
/sites/all
/sites/all/modules
/sites/all/modules/addthis
/sites/all/modules/cck
/sites/all/modules/cck/modules

Read more

Javascript exploit filter

Posted by Jurjen de Vries on July 19, 2011 at 3:19pm

Is there a posibility / module to filter exploided javascript? My editors like to add embeded javascript to the site for new (eg Google Plus) or less used services, but I don't want create security holes by this.

Read more

Drupal Scout Security Training: Learn to attack and protect your site July 25th

Posted by greggles on June 23, 2011 at 5:18pm
Start:
2011年07月25日 09:00 - 17:00 America/New_York
Organizers:
Event type:
Training (free or commercial)

On July 25th, just after the Capital Camp, Ben Jeavons and Greg Knaddison from Drupal Scout will be giving a training about how to secure your Drupal site.

The full day course is 450ドル.

It is broken apart into several sections:

  • Introduction to philosophy of development with a security focus
  • Overview of most common vulnerabilities
  • Specific review of Drupal's most common problems
    • Cross Site Scripting (XSS)
    • Spam/automation
    • Cross Site Request Forgeries CSRF
Read more

Master - Slave Solution

Posted by ay4you on June 8, 2011 at 7:30am

Hi,
Please bear with me if i am creating this question in the wrong place i am new to Drupal groups.
I manage an enterprise solution for 4 drupal sites very high transactional and with high traffic.
i use pressflow on 6 web servers with memcached and a master slave replication, they seem to be fine but i want to reduce the load on the master so i want to make 2 slave part of the solution, since i am using pressflow with supports master-slave replication solution.

Read more

The way we do security vs. bug fix releases is confusing the crap out of people

Posted by webchick on May 30, 2011 at 4:45pm

On the thread about a predictable release cycle for core, a large sub-thread opened up about the fact that everyone, including Dries, hates the way we do security vs. bug fix releases. It's confusing and unclear.

The current policy, explained

I couldn't actually find a handbook page explaining the current policy, so I made one. Here's a copy/paste of that here.

Read more

Flat files on front end server security issue

Posted by darrellduane on April 19, 2011 at 2:35pm

I am working on installing a Drupal site that allows users to store and display files (.doc, .pdf, .xls, etc) files at a high end secure data center with DMZs and the like. The customer's data center doesn't allow them to have web applications that store flat files on the front end web server machine.

Read more

Comodo Certificate Installation: Apache & mod_ssl | ComodoSSLstore.com

Posted by comodosslstore on April 19, 2011 at 9:49am
Last updated by comodosslstore on Tue, 2011年04月19日 09:49

Installing your Certificate on Apache with mod_ssl
1. Extract all of the contents of the ZIP file that was sent to you and copy/move them to your server. The extracted contents will typically be named: yourDomainName.crt and yourDomainName.ca-bundle

Note: If you received several .crt files in your ZIP file please use this article to make yourDomainName.ca-bundle
2. Move all of the certificate related files to their appropriate directories.

A typical setup:

Read more

New French laws on security/privacy - Personally Identifiable Information

Posted by greggles on April 7, 2011 at 4:30pm

Crossposted to security group and France group, my apologies for not being able to write this in French. Comments are welcome in French or English, of course.

There are some new French laws on user information and how it is handled which seem to have implications for security.

Hacker News has a thread about this that talks about the actual requirements which seem to be compatible with the way Drupal core works.

Read more

Drupal 6 file permissions on shared host

Posted by onslow77 on March 29, 2011 at 4:05pm

Hello!

I have installed the module "security review" and it notify me that I have the wrong file permissions.
I have not done any configuration to the file permissions since I recently installed drupal.

My settings
Folder 755 (except for sites/default folder that has 555)
Files 644 (except for settings.php that has 444)

The security review module tells me that everything under sites, modules and themes have the wrong file permissions. (basically the whole drupal installation)

Read more

Secure Drupal and Drupal 7

Posted by LittleLion on March 20, 2011 at 6:15am

I am implementing a site that will contain some information that should be secure. I looked up various posts and modules about security and it seems that by default all passwords are sent in clear text across the Internet in D6.

I found little to no information on securing D7 logins or pages.

Is there a simple solution to force the site into https?

Thanks for any advice,

Matt

Read more

Drupal Sites with PHI

Posted by acstyxx on March 14, 2011 at 5:20pm

I am trying to build a new Patient Portal site for exposing Personal Health Record information to meet Meaningful Use measures of timely access for out EHR. I am planning to expose that PHI through a web service from our EHR and build a custom module in Drupal to make that data accessible through the portal.

I am looking for examples of sites in production or development that expose Protected Health Information through Drupal.

Read more
3 comments Categories: , , ,

Security updates and profiles/distributions (especially those hosted outside of d.o)

Posted by greggles on February 18, 2011 at 6:21pm

What tools or processes should we follow for profiles that are hosted off drupal.org when they need to be updated for security reasons.

Currently, all of the modules they use that are hosted on drupal.org will get proper security updates but this could be confusing to the end user (if the profile itself hasn't been upgraded to that module).

What about modules that are hosted elsewhere?

What if the download file is only available from other sites and not packaged on drupal.org?

Read more

Security session, training, BOF at Drupalcon Chicago

Posted by greggles on January 18, 2011 at 8:07pm

First, if you haven't already you should sign up for Drupalcon Chicago.

This year we've got a relatively small number of sessions at Drupalcon Chicago about security.

  • Drupal Security for Coders - this is a presentation on the most common attack scenarios and how to code/configure to protect against them
Read more
2 comments Categories: ,

Securely managing a large number of drupal sites

Posted by proindustries on December 16, 2010 at 2:21am

Hey guys - So, keeping track of what updates are needed on a Drupal site isn't too bad, but what about if you're running 50 sites? I've looked around a few times over the last few months, but I've never found any good discussion on this topic.

I'm building out a new secure Drupal hosting service, and while I'll be able to manage this for the first few months by hand, presuming things go well, it will quickly become more work than I'd like to do, just keeping inventory of the sites, figuring which sites have security patches, etc.

Read more

Redundant database security

Posted by charles belov on November 16, 2010 at 8:25pm

This is a cross-post and slight edit of a portion of a post I made in the Usability group concerning my reactions as a Drupal pre-install newbie over the course of the recent Bay Area Drupal camp (BADCamp). This does not concern any specific Drupal vulnerability as I don't know of any vulnerability or even if what follows is accurate. It is just a result of seeing various published Drupal security reports and putting that together which what I saw at BADCamp plus some thoughts of my own. I have not looked at Drupal source code.

Read more
Categories:
Subscribe with RSS Syndicate content

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /