security
Adobe Flash / User contributed content vulnerability
So - has anyone else had a chance to look at the Adobe Flash vulnerability?
http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_site...
It would appear that there is no easy way to handle it short of their suggestion to serve back all user-supplied content from a different domain. I can't see any logical way to accomplish that via Drupal considering the wide range of site sizes and complexities.
Mac users: what do you use to create password-protected zip archives?
A client wanted to send over some confidential information and was wondering how to password-protect a zip file. Incredibly, I couldn't find any graphical zip archive utilities for OS X that encrypt files, work in Snow Leopard and are free. 7zX claims to do this but it has some scary user-submitted reviews. Zippist looks promising but it doesn't seem to work in Snow Leopard. I actually use Path Finder or the command line for this, but it's unreasonable to ask most clients to do the same.
SSL officially insecure?
A zero-day flaw in the TLS and SSL protocols has been made public and man-in-the-middle attacks have been demonstrated. I caught wind of this off of ZDnet.
http://news.zdnet.co.uk/security/0,1000000189,39860592,00.htm
Thoughts?
120+ Security Based Modules? Really?
I have to admit, I'm overwhelmed by the amount of Drupal modules created that deal with security. It seems many are for keeping specific module types from doing insecure things or providing holes in security. So, what about a basic install with Views, CCK, Pathauto, Forums, Blogs, and little else. What are the most useful security modules out there?
-overwhelmed by modules
Mary
Login Security for Drupal 6 1.0 release is out
It took some time, but finally the 6.x-1.0 version of Login Security module is out. For a brief introduction to the module features please go to the module documentation. The README file included in the module explains the different options for the module settings and a configuration example.
Hope you enjoy the module!
Login Security, closing last stint for 1.0 release
I'm happy to announce that Login Security module release 6.x-1.0 is about to be born. Currently, there is only one issue open. This issue takes care of string consolidation and English grammar. I'm not a native English speaker, so probably there will be some words and corrections to be done. I would appreciate any help in this issue.
There is a new feature included for this 1.0 release: ongoing brute-force attack detection that could easily be expanded for more paranoid settings... probably in the 2.0 :)
You can check current roadmap status and (I hope) participate in the English correction.
Protect your files directories
Be wary of what folks can upload into the "files" directories on your Drupal site. They may be able to upload a PHP file, then try to access that PHP file in their web browser, thus being able to execute arbitrary code. This is dangerous!
I believe Drupal's .htaccess files block this sort of thing for Apache users, but what about us Lighty users? Fortunately, it's not too tough to stop this from happening; just add something like this to Lighty's config file:
Drupal for Online Enterprise
Hi Everyone:
So I know of some well-known organizations and companies who are using Drupal for their community child sites and/or primary sites. However, I am just curious to know of some particular enterprise sites that are 1) using Drupal and 2) may have a user population anywhere from 500 - 10,000+. I'm trying to compile a list to show that Drupal can be used to archive information securely for a large online and active audience.
Thanks.
Who should be involved in securing a Drupal Site?
A lot of attention is given to writing secure code for Drupal. But is securing a Drupal site only a matter of writing/using correct coding, or are other roles as much responsible for securing a Drupal site?
Filtering User Generated CSS
There are several modules which allow for user/admin generated CSS to be injected into the page.
CSS can contain cross-site scripting attacks and the use of url() helps make it a means to exploit CSRF. What can we do to filter user generated CSS so that it is safe?
One strategy seems to be something like the way the Color module/Garland work: users are limited to choosing specific colors which are inserted into specific pieces of the CSS. This is also what a lot of other sites do (Twitter, Bebo, etc.). That's great, but limiting.