Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.
On Twitter, see @drupalsecurity.
Vulnerabilities and tools
This wiki page is built to coordinate the research of vulnerabilities and to provide a little explanation of each of them.
The vulnerabilities reported here are the most common vulnerabilities found in web applications (source: OWASP Top Ten 2007).
After each of these vulnerabilities we should add a little description of what it is and a list of tools/ways to find it.
Feel free to add something or to mark that something has already been tested.
Cross Site Scripting
Injection Flaws
Malicious file execution
Security, this unknown
Hey all,
I have some questions about how security vulnerabilities are researched inside the classic Drupal development plan, and about where we are and where we are going, about security obviously. That's because I noticed that if someone wants to help test Drupal for security vulnerabilities, he finds very little information, which means:
- no idea about what's already tested
- no idea about what could be useful to do
Some things obviously need to be secret, but this level of secrecy is maybe too much.
Security Audit or 3rd party Review
I'm doing more and more work within the government and am running into a lot of MS IT departments who really don't understand open source or Linux and really can't get their heads around Drupal.
I've been looking around for some reports or analysis of Drupal 6's security. There are lots of good howtos:
- http://justin.madirish.net/node/241
Nice to see Google's ratproxy as a nice evaluation tool (has anyone run that against Drupal core?):
- http://code.google.com/p/ratproxy/
New SA-CONTRIB-2009-XXX style security announcements
Yesterday was the first security release of 2009 and the first ever for the Drupal project that used the new naming convention: SA-CONTRIB-YYYY-NNN. The security team had a discussion late last year about the common confusion among outsiders to the project - mainly media reporters and evaluators of Drupal - that any SA announcement is from "Drupal." We often have security announcements about contributed modules that are only used on a couple dozen sites that are then interpreted to be problems in core.
"safe" (or safer) autologin module
There's recently been some discussion about the autologin module and the "feature" it provides.
I'd like to examine ways to make it safer. So, we start with the stated use case:
Naming the required permissions - see SA-2008-069
You may have noticed in SA-2008-069 for CCK that it names specific permissions required to exploit the vulnerability. Often in the history of Drupal's security announcements we have simply stated that there was a weakness and that it was a certain level of "critical."
Starting with this release we are testing out the idea of also stating specifically what kind of permissions are required to take advantage of a bug.
XSS from URL...
Hi all,
The scanner is tested to find XSS vulnerabilities inside a Drupal installation. These could be found only by searching through the forms of the website. There's no way right now to add an exploit as a parameter of the URL of the page.
Something like:
http://www.example.com/?q=<script>alert(xss);</script>
This is something I want to add as a new feature, but making it automatic is not so trivial.
Suggestions?
Crawler new use and crawler reorganization
Hi,
The security scanner is first of all a crawler. It can run through the pages of a Drupal installation and perform multiple tasks.
The first use of it was about security: we used it to seed patterns inside a form and to find out whether these patterns were not checked by Drupal filters. I developed it with this intent, but while developing it I saw that everyone could use it to run other tasks, simply by changing some lines of code. Other tasks could be searching for other patterns (moderation?) or something else.