Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.
The group is not called "Security" because that would just be too inviting for people to report security issues here and here is not the right place.
On Twitter see @drupalsecurity.
Dealing with Denial of Service
There's a DrupalCon Munich proposal about DoS, but I thought maybe we could discuss it here as well in advance (or in case it's not accepted).
What kinds of attacks are people seeing? Drupal-specific, generic?
What tools do you use to defend against the attacks? What seem most effective? Any tools that you use regardless of budget or even if the budget is small?
Security docs update
There's a comment on the "impersonating a user safely" documentation page that says it needs to be updated. I'll admit I haven't tried this out and am unsure. Can anyone say whether this is the right way to do it?
It's probably worth doing a general review of all the security docs pages on a regular basis.
Some top level pages that people can review:
* Writing secure code
* Secure Configuration
We should review those top level pages and the sub-pages.
Response to Drupal 7.14 <= Full Path Disclosure Vulnerability
There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability".
As a response to this and the entire class of issues (that our error messages are optimized for usability over security), I've posted this FAQ entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)
Please help improve that page to provide any additional, useful guidance.
Site hacked
Hello, I have a 4.7.11 site that suddenly displays rotating ads below the footer: http://projectharambee.org/
I didn't find anything changed in index.php in the root and page.tpl.php in the bluemarine theme folder.
The code for the ad does NOT show up in the source code of the page output. I don't understand how that is possible.
Would you please suggest what else to check and how to prevent this from happening in the future?
Disable execution of PHP in the files/ directory
SA 2006-006 makes it impossible to execute PHP inside the Drupal files directory on Apache servers. This is a defense-in-depth mechanism along with things like file_munge_filename and file extension limits in PHP.
Windows doesn't benefit from that change since the change was in .htaccess.
Is there a way to prevent IIS from executing files inside a specific directory? Is there some way we can bundle that up and ship it with Drupal like the web.config?
Charging clients for when Drupal security updates cause incompatibility issues
(please note that I write this article as a business owner, not an experienced Drupal dev!)
Our company charges an annual fee for identifying and applying security updates/patches for the Drupal sites we've designed, built, host and maintain.
Security update notification based on permission needed to exploit vulnerability
I manage numerous Drupal sites, and have run into a kink in my procedure that I'd imagine many others share. Many people have their sites notify them whenever a security update applies to them, and promptly install that security update. Generally that's a good practice, and leads to relatively stable and secure sites.
Best Practices for determining if a Drupal theme is secure?
I am a little new to Drupal, but one common task for many people is to get theme(s) for their Drupal sites. I understand just enough to know a Drupal theme could perhaps have a security flaw, e.g. XSS if check_plain, check_markup, filter_xss are not used properly? However, I, like many other newbies, do not have enough knowledge to properly test this.
Security bugs: Bounties vs. Black market
I just read this article on Forbes: "Shopping for Zero-Days", which points out that bounties for bug reports are less valuable when the black market is willing to pay much more money for the issue.
Of course I hope that people will always report security issues to security@drupal.org and work with that process to fix issues; it's an interesting read, nonetheless.
Response about SA-CONTRIB-2012-036
Hi everybody!
I just want to make you aware of a discussion going on about the recent SA-CONTRIB-2012-036 @ http://drupal.org/node/711000#comment-5734594
It would be great if you could provide your point of view, if you find that necessary.
Please don't take this as disrespect or judging your work - I just don't see it as appropriate to create a picture of the Drupal security team as Drupal overlords. :/
Thx.
Detailed response to publicly posted CSRF concerns in Drupal 7.12
Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security, and it is attached here. This post is a response to that issue.
Summary
The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal and presents a much bigger risk.
SnowFROC Security Conference 2012 near DrupalCon Denver
At the same time as DrupalCon Denver there will be an event about a 15-minute walk away called SnowFROC, which is the Front Range OWASP Conference, OWASP being the Open Web Application Security Project.
Historically this event has been pretty huge, drawing in famous speakers delivering presentations they go on to deliver again at DEF CON or Black Hat.
They are currently looking for submissions of papers. Registration is also open.
Tiny-IDS - a tiny intrusion detection system
http://drupal.org/project/tinyids
After several conceptual changes, I finally created a first dev release.
It's still under development, but I would really appreciate deep code and functionality reviews of the current state.
Feel free to express your opinion and discuss the general implementation in the issue queue.
Regards.
Proposal to remove file signing from the configuration system
I recently posted the following issue to remove file signing from the Drupal 8 configuration system:
http://drupal.org/node/1444620
I would love for some feedback from the security-savvy members of this group as to whether this is a viable option.
Thanks!
Videos and some slides from AppSec USA online
The slides and videos from Appsec USA are now online: http://www.appsecusa.org/schedule.html#slides_video
Lots of them seem interesting. I'm currently watching the one on bounties (PDF and video).
Any others that seem interesting to you?
Acquia's Drupal Security Training at DrupalCon Denver - March 19
First, if you haven't signed up for DrupalCon, definitely consider doing so.
If you will be there, consider signing up for the full-day class Security: Process, Code & Hands-on Training.
This is an updated version of previous trainings and will be co-presented with Erik Webb.
Signups are rolling in and space is limited. Plus, if you sign up by February 21 the price is $50 lower than normal.
Separating administrator content from user content
Hello,
My name is Manu Cuche. I am currently in my third (and last) year of computer science at Lessius Mechelen College. I have recently started working on my final project. For this project I have chosen the subject of security in Drupal, more specifically about separating administrator content from user content. I understand that this is a known issue in Drupal, and my first goal is to properly understand and define this issue. To do this I would like to ask for your help.
Drupal Association should play fair game for hosting companies wishing to get listed on http://drupal.org/hosting
Dear All,
Current practice is that the Drupal Association requires new applicant hosting companies, which wish to get listed on http://drupal.org/hosting, to pass the security test of the Security Review module. And it is difficult to pass the test without applying an additional layer of complexity to certain setups. This practice represents an unfair barrier for hosting companies which want to provide Drupal-specific hosting services and which cannot practically pass the test, and therefore should be reviewed or cancelled.
Should modules be marked "abandoned" if their releases are unpublished?
When a module maintainer is not communicating about or fixing a security issue in a timely manner, the security team needs to communicate about the problem in the module to site owners.
- We send an SA, which gets picked up by RSS readers, e-mail subscribers and Twitter.
- We unpublish the module releases so that the update.module will notify site owners that support for a module in use on their site has been revoked; this then notifies them to visit the project page for more information so...
Best practices for deprecating an old module/adding a new release
I'm wondering what the best practice is for creating new releases of modules and deprecating the old version, in terms of maintaining security while the new version proceeds to release status. I'm asking this as a Drupal newbie.