Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

datarazor's picture

Fake users still appearing even after captcha and patching

Hi there,

Wondering what else I should check on my site.

D6 site, all latest security patches. Have captcha module enabled.

Cleaned out the site of dummy users but I am still getting them to appear on the site. Along with fake comments.

Both user registration and posting comments requires a captcha image verification, but somehow they are still appearing.

What other security methods should I be looking at, or other forms of vulnerabilities that I need to check, to see why they are still being made?

Read more
markie's picture

Mp3Player Module resurrection.

I am trying to get the mp3 player module back from the dead. I've been working with @greggles to address some issues and he recommended I post here to get a module review so I can a) gain maintainer status and b) bring the module back to life. To address the security concerns I have done a few things

1) I have moved the external swf to the libraries folder so it's not part of the module and can be updated outside of the module.
2) Filtered the themed output so adding malicious scripts in the input fail
3) Filtered form input for further protection.

Read more
Chris Charlton's picture

Which version of PHP are you running Drupal on today? (Summer 2013)

PHP 5.5
5% (1 vote)
PHP 5.4
21% (4 votes)
PHP 5.3
68% (13 votes)
PHP 5.2
0% (0 votes)
Older or different versions of PHP
5% (1 vote)
Total votes: 19
RKopacz's picture

Strange message on update script, possible hack

Forgive if this is the wrong place to ask this question, but I am trying to determine what is wrong with a site I maintain.

When attempting to run an update script, I got this message:

Read more
christefano's picture

Long Term Support (LTS) BoF at DrupalCon Portland

2013-05-22 12:00 - 14:00 America/Los_Angeles
Event type: 
User group meeting

Exaltation of Larks is hosting a BoF (birds of a feather) discussion on long-term Drupal support (particularly for Drupal 6 sites when Drupal 8 comes out and bug fixes and security releases for Drupal 6 are discontinued).

Long Term Support is a topic that is near and dear to us and a number of our clients and this BoF is a followup to our earlier post, Drupal 6 End of Life When Drupal 8 is Released… Or Not.

We're also preparing an "LTS" version of Drupal 6 and have a lot more planned. Stay tuned to the DrupalCon BoF schedule and @LarksLA on Twitter for news of when this BoF gets scheduled.

Read more
scor's picture

Collaboration between Symfony security team and Drupal security team

This topic has come up in the past at some events, within the security team and on Symfony project founder Fabien Potencier posted a proposal for dealing with downstream projects (such as Drupal) at

This agreement will have an impact on how efficiently and how quickly the Drupal security team can work with the Symfony security team to coordinate security releases in a timely manner. Let's discuss this on github so Symfony and the other projects can be kept in the loop.

Read more
Orkut Murat Yılmaz's picture

What should we do with Linux/Cdorked.A malware?

I've seen this post today:

It looks like something went terrible.

What should we do with our servers and Drupal installations?

Read more
davidneedham's picture

Drupal Security Expert | Churches & Ministries

Employment type: 

We're a small non-profit that serves churches & ministries with Drupal and mobile app development, training, and support. We're looking for a freelancer who has experience evaluating and mitigating security concerns on a variety of servers hosting Drupal websites for numerous churches & ministries. The expectation is that there would be regular hours every month on a project-by-project basis.

Must haves:

  • Intimately familiar with evaluating common Drupal and LAMP stack security issues.
Read more
coltrane's picture

DrupalCon Security Training - Web security risks, discovery and remediation

2013-05-20 09:00 - 17:00 America/Los_Angeles
Event type: 
Training (free or commercial)

As part of DrupalCon Portland, join Ben Jeavons, Cash Williams and David Stoline from Acquia for a full-day, hands-on training about all things Drupal and security.

What you will learn



  • How to discover vulnerabilities and exploits
  • Identifying and averting specific vulnerabilities like Cross Site Scripting, Cross Site Request Forgery, SQL injection, access bypass and more from the OWASP Top 10 list
  • Leverage Drupal’s API as it relates to security: menu system, permissions, safe handling of user input and the form API, database API
  • Read more
    cashwilliams's picture

    Mitigating a brute force attack

    A number of WordPress sites are currently suffering from a brute force attack, which appears to be driven by a botnet. The attack tries to brute force the username "admin" by trying different passwords from different IP addresses. This renders IP blacklisting ineffective.

    Drupal 7 has a feature known as flood control. The user module uses flood control to monitor login attempts, and will block both an IP address and the account after a number of failed login attempts.

    Read more
    escoles's picture

    "high" vulnerability from N-Stalker: 'Possible vulnerable package Drupal has been found'

    My company hosts & operates a Drupal 6 instance that's used to host landing pages for a state government authority, and as such it's required to undergo periodic security scans.

    Read more

    Wiki of statistics/metrics about the Drupal Security Team

    Previously some metrics have trickled out as presentations at camps/cons or as blog posts or forum posts on This page is meant to be a dumping ground for those so people can know a little more what's going on.

    Issues created on over time

    This chart doesn't capture the ~6 month period before existed. It does show some interesting changes in flow over time. Note that not all issues are valid - many are closed as "cannot reproduce" or "can be public" due to some policy reason.

    Read more
    christefano's picture

    Drupal 6 end of life when Drupal 8 is released… or not?

    At the Boston Drupal meetup that was at Acquia this month, several presentations were focused on "what's new in Drupal 8" from the view of several people who now work at Acquia. I loved it. There were other presentations, as well (including one of my own!), and I really enjoyed seeing the Boston Drupal group again after many months.

    During the questions and answers part of the meetup, I asked Dries if he was considering naming a security maintainer for Drupal 6 when Drupal 8 is released. (In case you didn't know, support for Drupal 6 will be discontinued by the Drupal core and security teams. See the handbook page on backwards compatibility at for more, including Dries' original statement on the subject in 2006.)

    Read more
    greggles's picture

    Should we provide details for how to exploit issues?

    Several hosting companies and WAF (web applicaiton firewall)/IDS (Intrusion Detection System) vendors have asked the security team to provide more details around how to exploit the security vulnerabilities published as advisories. Some of these vendors have agreed to an NDA or other form of quiet period. Our response to the first of these requests is the basis for this post.

    The Security Team's basic response is "probably not" but we are open to some variants on this idea. I'm posting this here to see what others think, so please post your perspective below on how to handle it.

    Read more's picture

    Potential DOS/DDOS vulnerability via core caching system

    So, the fundamental problem: For a site using standard caching (in the database), it's very easy to cause the cache system to write huge numbers of cache entries, being duplicates of cached pages or other cache objects, so rapidly filling disk space. As far as I know there is no protection available against such an attack, other than table size limits in mysql (which is hardly an ideal solution).

    Read more
    podarok's picture

    Drupal long-term advanced training program - stage 1

    2013-09-06 (All day) - 2013-09-07 (All day) Europe/Kiev
    Event type: 
    Training (free or commercial)

    9 sessions - one (2-3 days) per month

    Course program



  • Introuduction session (group still opened) (2 days)
  • (group still opened) (2-3 days)
  • Drupal Code of Conduct, Code Style, Core gates + module creation (this and others groups closed) (2-3 days)
  • Core (Release) + module creation (2-3 days)
  • Theming(release) + module creation (2-3 days)
  • Drupal Core (HEAD) + VCS (git..) + code review + core patches + increase learning curve (2-3 days)
  • Contrib + Server + Security (2-3 days)
  • Read more
    dokumori's picture

    Randomness attacks against PHP applications

    In this paper it is reported many PHP applications make false assumption about the true randomeness of the core PHP random funcions and it might lead to attacks, for example using the password reset features. Drupal may also be affected by this e.g. 6 session cookie generation.

    If anyone researches this and find Drupal to be actually vulnerable, please report to the security team.

    Read more
    klausi's picture

    Do NOT sanitize outgoing email content

    Problem: I could not find any documentation about whether Drupal developers should sanitize email bodies and subjects to prevent XSS when the mail is read on a mail client.

    I ran into this problem a couple of times, but never found the time to fully explore it. From my understanding it is the responsibility of the displaying email client to make sure that no evil JavaScript is executed in HTML mails. Which means that Drupal should not run filter_xss(), check_plain() and friends before passing data to the message transfer agent.

    Read more
    RKopacz's picture

    How to explain security updates to site owners

    I have a number of smaller clients on Drupal. Since Drupal gets updated more frequently than Wordpress, and since (for 7 anyway; maybe 8 will be different) someone with a certain skill level with Drupal and FTP has to still do core updates, it is an extra running cost that Wordpress, for all intents and purposes, does not have (all updates can be done via the GUI and by the site owner).

    Read more
    Subscribe with RSS Syndicate content