Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.
On Twitter, see @drupalsecurity.
Long Term Support (LTS) BoF at DrupalCon Portland
Exaltation of Larks is hosting a BoF (birds of a feather) discussion on long-term Drupal support (particularly for Drupal 6 sites when Drupal 8 comes out and bug fixes and security releases for Drupal 6 are discontinued).
Long Term Support is a topic that is near and dear to us and a number of our clients, and this BoF is a follow-up to our earlier post, Drupal 6 End of Life When Drupal 8 is Released… Or Not.
We're also preparing an "LTS" version of Drupal 6 and have a lot more planned. Stay tuned to the DrupalCon BoF schedule and @LarksLA on Twitter for news of when this BoF gets scheduled.
Collaboration between Symfony security team and Drupal security team
This topic has come up in the past at some events, within the security team and on drupal.org. Symfony project founder Fabien Potencier posted a proposal for dealing with downstream projects (such as Drupal) at
https://github.com/symfony/symfony-docs/pull/2639/files
This agreement will have an impact on how efficiently and how quickly the Drupal security team can work with the Symfony security team to coordinate security releases in a timely manner. Let's discuss this on GitHub so Symfony and the other projects can be kept in the loop.
What should we do with Linux/Cdorked.A malware?
I've seen this post today:
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-a...
It looks like something went terribly wrong.
What should we do with our servers and Drupal installations?
Drupal Security Expert | Churches & Ministries
We're a small non-profit that serves churches & ministries with Drupal and mobile app development, training, and support. We're looking for a freelancer who has experience evaluating and mitigating security concerns on a variety of servers hosting Drupal websites for numerous churches & ministries. The expectation is that there would be regular hours every month on a project-by-project basis.
Must-haves:
- Intimately familiar with evaluating common Drupal and LAMP stack security issues.
DrupalCon Security Training - Web security risks, discovery and remediation
As part of DrupalCon Portland, join Ben Jeavons, Cash Williams and David Stoline from Acquia for a full-day, hands-on training about all things Drupal and security.
What you will learn
Mitigating a brute force attack
A number of WordPress sites are currently suffering from a brute force attack, which appears to be driven by a botnet. The attack tries to brute force the username "admin" by trying different passwords from different IP addresses. This renders IP blacklisting ineffective.
Drupal 7 has a feature known as flood control. The user module uses flood control to monitor login attempts, and will block both an IP address and the account after a number of failed login attempts.
"high" vulnerability from N-Stalker: 'Possible vulnerable package Drupal has been found'
My company hosts & operates a Drupal 6 instance that's used to host landing pages for a state government authority, and as such it's required to undergo periodic security scans.
Wiki of statistics/metrics about the Drupal Security Team
Previously some metrics have trickled out as presentations at camps/cons or as blog posts or forum posts on drupal.org. This page is meant to be a dumping ground for those so people can know a little more what's going on.
Issues created on security.drupal.org over time
This chart doesn't capture the ~6 month period before security.drupal.org existed. It does show some interesting changes in flow over time. Note that not all issues are valid - many are closed as "cannot reproduce" or "can be public" due to some policy reason.
Drupal 6 end of life when Drupal 8 is released… or not?
At the Boston Drupal meetup that was at Acquia this month, several presentations were focused on "what's new in Drupal 8" from the view of several people who now work at Acquia. I loved it. There were other presentations, as well (including one of my own!), and I really enjoyed seeing the Boston Drupal group again after many months.
During the questions and answers part of the meetup, I asked Dries if he was considering naming a security maintainer for Drupal 6 when Drupal 8 is released. (In case you didn't know, support for Drupal 6 will be discontinued by the Drupal core and security teams. See the handbook page on backwards compatibility at https://drupal.org/node/65922 for more, including Dries' original statement on the subject in 2006.)
Should we provide details for how to exploit issues?
Several hosting companies and WAF (web application firewall)/IDS (Intrusion Detection System) vendors have asked the security team to provide more details around how to exploit the security vulnerabilities published as advisories. Some of these vendors have agreed to an NDA or other form of quiet period. Our response to the first of these requests is the basis for this post.
The Security Team's basic response is "probably not" but we are open to some variants on this idea. I'm posting this here to see what others think, so please post your perspective below on how to handle it.
Potential DOS/DDOS vulnerability via core caching system
So, the fundamental problem: for a site using standard caching (in the database), it's very easy to cause the cache system to write huge numbers of cache entries, being duplicates of cached pages or other cache objects, and so rapidly fill disk space. As far as I know there is no protection available against such an attack, other than table size limits in MySQL (which is hardly an ideal solution).
Drupal long-term advanced training program - stage 1
9 sessions - one (2-3 days) per month
Course program
Randomness attacks against PHP applications
In this paper it is reported that many PHP applications make a false assumption about the true randomness of the core PHP random functions, and it might lead to attacks, for example using the password reset features. Drupal may also be affected by this, e.g. Drupal 6 session cookie generation.
If anyone researches this and finds Drupal to be actually vulnerable, please report it to the security team.
Do NOT sanitize outgoing email content
Problem: I could not find any documentation about whether Drupal developers should sanitize email bodies and subjects to prevent XSS when the mail is read on a mail client.
I ran into this problem a couple of times, but never found the time to fully explore it. From my understanding it is the responsibility of the displaying email client to make sure that no evil JavaScript is executed in HTML mails, which means that Drupal should not run filter_xss(), check_plain() and friends before passing data to the message transfer agent.
How to explain security updates to site owners
I have a number of smaller clients on Drupal. Since Drupal gets updated more frequently than WordPress, and since (for 7 anyway; maybe 8 will be different) someone with a certain skill level with Drupal and FTP still has to do core updates, it is an extra running cost that WordPress, for all intents and purposes, does not have (all updates can be done via the GUI and by the site owner).
Name of this Group
I think there is sort of a usability issue with the name of this group:
"Best Practices in Drupal Security."
I couldn't find this group in my list of groups in the right sidebar, even though I'm only a member of about 10 groups. I used my browser to search on "Security" to find it.
I've read that people scan the left side of lists.
How about renaming this group, "Security Best Practices." I think we could dump the "Drupal" part to make the name shorter. I think it is understood that at drupal.org the issues relate to Drupal.
What do you think?
Shai
Spam Emails IP Address Listed as the Site's IP Address in Watchdog
Hi Folks,
On a client site, spam comments are being posted. In Watchdog, the IP address of the spammer is: the site's dedicated IP address. How is that possible?
Also note that there is a reCAPTCHA challenge on all the comment forms.
Can anyone explain how this could happen?
Thanks,
Shai Gluskin
Allowing new password input on password reset landing page
Normally, in Drupal, when a user clicks on a password reset link that they requested from a Drupal site, they are taken to a landing page that has nothing but a "Log In" button that logs them in. The system then expects the user to update their password on their own.
But for infrequent or non-technical users, that last step often never happens. They fail to set their password, and then ask to reset their password again the next time they need to access the site.
MY SOLUTION:
Encrypt RSS feeds
The discussion here, http://groups.drupal.org/node/9719, consists of a great idea to encrypt RSS feeds of private posts. But the discussion there has been dead and not updated for quite some time.
It says:
"Overview: With Encrypted RSS/Atom feeds, buddylist-like features become possible cross-site. The project would be to develop a module which generates and consumes syndicated feeds, where reading them is only possible behind a login."
Security review for Project browser server
Hi Drupal security people,
For over a year, community member wildkatana has been working on Project browser - a module which will let users search for and install modules and themes from within their Drupal website. The goal is to have this functionality in Drupal 8 core and as a contributed module for Drupal 7. For this functionality to work, another module - Project browser server - needs to be deployed on Drupal.org. The main blocker for this deployment now is the missing security review.
Here is an issue: http://drupal.org/node/1243332