Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Recommended TOTP clients for TFA deployment on

There's an issue to deploy TFA on There will be a lot of questions about how people can generate TOTP codes. Let's write up a book page to help them. Please edit this wiki page to help turn it into a resource (e.g. a book page on d.o or help text inside the module).

There are multiple free and Free options for creating TOTP codes on a smartphone or computer such as:

Phone-based solutions:

Read more
mpdonadio's picture

New module for developers to test for XSS vulnerabilities

I just pushed an initial commit for a module that can help module developers and site owners test for XSS vulnerabilities:

The module does a form alter to add two buttons to forms. The buttons will prefill inputs and textareas with simple XSS, <script>alert('XSS')</script>, for testing purposes. The actual alert message will contain the $form_id and the element name in the message.

Read more
greggles's picture

New module to help researchers identify valid sql injection vulnerabilities

For anyone who runs a "responsible disclosure" program, you are probably used to getting reports of SQL injection that are not valid. SQL Injection can be tough for an independent researcher to validate because demonstrating it either requires a lot of time (to fingerprint the structure and get some secret) or a damaging interaction (dropping some tables?) or both.

Read more
mpdonadio's picture

When is setting 'access callback' == TRUE in a hook_menu() item OK?

hook_menu has an item argument for 'access callback' which allows people to define permissions on a router path. Normally, paths have some sort of check on them, usually user_access + a permission, but sometimes a check specific to the path (cf, the node paths).

The API also allows "naked" menu items that don't have any access check. This is done by setting the 'access callback' key to TRUE. Mistakes with this can lead to access bypass problems.

I have seen it in two instances in the wild, but I am sure there are others.

Read more
andyg8's picture

Are all Drupal 7.2x sites NON PCI compliant because of CVE-2011-2687, the node access bypass threat ?

Hi team,

Sorry if this is in the wrong place, but extensive Googling couldn't find an answer.

We've just had a PCI compliance scan done by Trustwave, which says we need to fix CVE-2011-2687,
node-access-bypass insecurity, which was fixed in Drupal 7.3. See:

But the last release of Drupal 7.3 was in 2011!

And home page says that 7.28 is the current release.

So does this mean every Drupal site in the world running the 7.2x branch
including 7.28 is not PCI compliant?

Read more
datarazor's picture

What to do when honeypot is working overtime?

Hi folks, so I have a site with honeypot installed and it is doing a great job of blocking spam. Problem is though the site is doing a lot of work to block these malicious bots and it would be nice to ban them. Blocking their IP is useless since they come from all over the place, is there anything that could be done to try and get the site less inundated with spending clicks processing fake users all the time?



Read more
Sandip Choudhury's picture

Extracting username and password of User 1

For example - I have built a website and given the drupal files and database to someone, to host in the server. But I am not willing to give username and password of User one. So, is it possible to hack the drupal code and database to extract the username and password of user 1?

Or, I have forgot the username and password of user 1 after creation of the website. So, is it possible to get the details of user 1?

If possible, how?

Read more
greggles's picture

Extending support for Drupal 6?

As many of you are likely aware, there's discussion at on the idea of extending the life of Drupal 6.

Dries would like a "decision" from the security team's perspective and I thought it would be good to ask folks who are outside of the team, but still interested in the topic of Security.

Read more
greggles's picture

Two-factor authentication in Drupal and on


Many of you are probably interested in multi-factor authenticaiton solutions for your own site or for

There's been a comparison of modules available for a while, but I think now that the combination of tfa and tfa_basic makes a really compelling combination.

There's also an issue about deploying two-factor auth on

Read more
zenbens's picture

Project Contract | Zenith Benefits

Employment type: 

I have attached a document provided by a third party supplier to our employee benefit business. What we provide is an employee benefit information site where employees can log in and access information about their benefits, all of which is tailored to them through assigned roles and a document storage system provided by the file depot module.

What we’d like is for the employee to click a link on the drupal site which will automatically create an account (or log them in if they’ve clicked previously) on the third party site.

Read more
mlhess's picture

Take the security team tools survey

Hi everyone,

The Drupal Security Team is updating its security issue reporting tools to Drupal 7. We also need your help to improve our reporting workflow and make it easy to report and track security issues.

Please take our survey: Please help us out by taking our survey. .

This survey should take between 5 and 10 minutes to complete. It is on 2 pages.

Read more
Joe.U.Questionmark's picture

Interested in analysing past security vulnerabilities by type

I have read the Drupal security white paper v1.2 which contains some insightful analysis of historical security vulnerabilities by type over the last 6 years.

I would be interesting in generating my own analysis of Drupal security vulnerabilities by type over the last 12 months.

Can someone point me at a good source of data in a format that is reasonable easy to analyse?

Thanks for your help!

Read more
tinem's picture

Put "Site off-line" would this be safe for getting hacked?

All my domains were earlier hacked which I describe in this post

I have now uploaded one OLD site but without hacked files and need to update this but not just now - maybe a stupid question but taken the site off-line will it then be impossible for hackers to attack this site because they can't see it's and old version and other info which hackers go for?

Edited 10:25: And is it also safe to use Devel module online when the site is put off-line?

Read more
WillowDigit's picture

node/add - what's the deal?

Hi to all,

I have a site that is constantly being probed with node/add (request denied). Registration requires email verification and includes a CAPTCHA. These node/add requests come from both registered and unregistered users. There are at least 20 new registrations a day (I keep blocking their IP addresses) and just as many or more probes. It's been going on for a month now. Can anyone explain to me the logic and intentions behind this?


Read more
Shai's picture

Explaining to Client Vulnerability of a Form Not Protected by https/SSL

Hi Folks,

I want to accurately describe to a client the vulnerability of a form collecting data over http.

I understand that over unprotected wifi a person could "listen" and grab data passing from someone submitting info to the form.

What I don't know is how hard it is for someone to "sit" on a particular form and collect data being submitted to the form from people who do share a network connection with the person trying to steal the information.



Read more
Drupal Security Team's picture

Response to CVE-2014-1607: a purported XSS vulnerability in Event Calendar

CVE-2014-1607 Claims to be a vulnerability in Drupal 7.14 and probably newer versions.

We were unable to reproduce the issue on a fresh Drupal 7.x-dev installation with Event Calendar 7.x-1.4, the latest release.

Read more
johnjones4's picture

Hosted WAF Solutions Specific to Drupal

Are there any hosted WAF (Web Application Firewall) solutions available that work best with Drupal? The site we have in mind for use in this scenario is a simple content-driven site.

Read more
pcave's picture

QSA company recommendations to provide PCI compliance auditing services


I'm looking to see if anyone has any recommendations for qualified security assessor companies to perform a PCI audit for a hosting infrastructure and Drupal application. The PCI security council lists 321 such companies so I'd like to narrow it down to a few that folks have had a good experience with so I can get some quotes.

Thanks in advance.


Read more
perusio's picture

Drupal SA on uncontrolled PHP execution

There's the Drupal core security advisory just released that talks about the uncontrolled PHP execution. here's some remarks.

  1. If you're using the config available on the Nginx wiki you're vulnerable.

    That config has a catch all location location ~ \.php$ {...} for handling
    PHP script execution.

  2. If you're using any of the configs recommended on the [Nginx group] ( you're safe.

Read more
mgifford's picture

Building a Collaborative Best Practice Security Document

We recently wrote a security best practices document for a government client. We wanted to distribute this more widely because security is a complex issue, that so many organizations seem to get wrong. In government this is often because they are working in isolation and haven't been able to keep up with the rapid changes in IT security.

Read more
Subscribe with RSS Syndicate content