Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Posted by gwhiz

SFTP for update manager uploading of themes in Drupal 7

We are trying to understand how to use the Drupal 7 update manager UI to install themes using the Appearance tab -> Install new theme interface.

What is the flow of operation / modules when a URL is pasted into the admin UM UI dialogue?

Read more
Posted by Crell

Writing code to disk securely

Greg asked me to post this here as a notice. There's a discussion in the Core issue queue about ways to write generated code to disk in a secure fashion. I won't reiterate everything from that thread, other than we think we've found a solution but it needs vetting from the security team. Any input there would be welcome. Thanks.

Read more

Drupal modules for Two-Factor-Authentication

Two factor authentication is becoming more popular as more and more sites get hacked based on password alone.

  • Two Factor Auth - A framework to support a variety of methods as the second factor. The TFA Basic module provides support for TOTP, recovery codes and SMS via Twilio. These modules are used on to provide two factor authentication.
  • GA Login uses the Google Authenticator software and smartphone app
Read more
Posted by udaksh

Hello all,

I am doing a GSoC project on enhancing secure code review, that is, an automated tool to locate vulnerabilities in the code.

You can find my project page at this link: Security Review and GSoC Project proposal, and the proposal here: Proposal on Melange.

I have an approach that can help in locating XSS vulnerabilities. Please provide me with your feedback, suggestions and opinions about this approach.

Read more
Posted by greggles

Dealing with Denial of Service

There's a Drupalcon Munich proposal about DoS, but I thought maybe we could discuss it here as well in advance (or in case it's not accepted).

What kinds of attacks are people seeing? Drupal-specific, generic?

What tools do you use to defend against the attacks? What seem most effective? Any tools that you use regardless of budget or even if the budget is small?

Read more
Posted by greggles

security docs update

There's a comment on the impersonating a user safely documentation page that says it needs to be updated. I'll admit I haven't tried this out and am unsure. Can anyone say whether this is the right way to do it?

It's probably worth doing a general review of all the security docs pages on a regular basis.

Some top level pages that people can review:
* Writing secure code
* Secure Configuration

We should review those top level pages and the sub-pages.

Read more
Posted by greggles

Response to Drupal 7.14 <= Full Path Disclosure Vulnerability

There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability"

As a response to this and the entire class of issues (our error messages are optimized for usability over security), I've posted this FAQ entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Please help improve that page to provide any additional, useful guidance.

Edit: For search engines: This has now been assigned CVE-2012-2922.

Read more
Posted by Ali.T

Site hacked

Hello, I have a 4.7.11 site that suddenly displays rotating ads below the footer:

I didn't find anything changed in index.php in the root and page.tpl.php in the bluemarine theme folder.

The code for the ad does NOT show up in the source code of the page output. I don't understand how that is possible.

Would you please suggest what else to check and how to prevent this from happening in the future?

Read more
Posted by greggles

Disable execution of PHP in the files/ directory

SA-2006-006 makes it impossible to execute PHP inside the Drupal files directory on Apache servers. This is a defense-in-depth mechanism along with things like file_munge_filename and file extension limits in PHP.

Windows doesn't benefit from that change since the change was in .htaccess.

Is there a way to prevent IIS from executing files inside a specific directory? Is there some way we can bundle that up and ship it with Drupal like the web.config?

Read more
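As an added, stand-alone illustration of the file-name layer of the defence in depth this post refers to (not Drupal's code and not part of the post): a Python re-statement of what file_munge_filename does, next to the final-extension allow-list check it relies on. The point of munging inner segments is that Apache's mod_mime reads every dotted segment of a name, so when .php is mapped to a handler a file named exploit.php.txt can still be executed as PHP; writing it as exploit.php_.txt defeats that, while a name whose final extension is not on the list is rejected outright. The allow-list and the extension-shaped pattern are assumptions constructed for this example.

```python
import re

# Constructed sample allow-list of final extensions (the page quotes no list).
SAMPLE_ALLOWED = "jpg jpeg gif png txt pdf"

# Anything that could be read as a file extension: 2-5 letters, optionally one
# trailing digit, so php, php5 and phtml all match while 2012 does not.
# Assumption: restated for this example, not copied from Drupal.
_LOOKS_LIKE_EXTENSION = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def allowed_set(extensions: str) -> set:
    return {ext for ext in extensions.lower().split() if ext}


def munge_filename(filename: str, extensions: str = SAMPLE_ALLOWED) -> str:
    """Append '_' to every inner segment that looks like an extension but is not
    allowed, so mod_mime cannot map exploit.php.txt to the PHP handler.
    The basename and the final extension are left alone."""
    filename = filename.replace("\x00", "")  # defeat NUL-byte truncation tricks
    parts = filename.split(".")
    if len(parts) < 3:
        return filename  # nothing between basename and final extension
    munged = parts[0]
    for part in parts[1:-1]:
        munged += "." + part
        if part.lower() not in allowed_set(extensions) and _LOOKS_LIKE_EXTENSION.match(part):
            munged += "_"
    return munged + "." + parts[-1]


def final_extension_allowed(filename: str, extensions: str = SAMPLE_ALLOWED) -> bool:
    """The separate allow-list check: only the last extension counts, case-insensitively."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in allowed_set(extensions)


def safe_upload_name(filename: str, extensions: str = SAMPLE_ALLOWED):
    """Both layers together: reject a disallowed final extension outright,
    otherwise return the munged name. Returns None when rejected."""
    cleaned = filename.replace("\x00", "")
    if not final_extension_allowed(cleaned, extensions):
        return None
    return munge_filename(cleaned, extensions)


if __name__ == "__main__":
    for name in ("exploit.php.txt", "shell.php\x00.jpg", "report.2012.pdf", "exploit.php"):
        print(repr(name), "->", safe_upload_name(name))
```

Neither layer is sufficient alone: munging leaves the final extension untouched, so exploit.php passes through it unchanged and must be stopped by the allow-list, and the allow-list alone would happily accept exploit.php.txt. The .htaccess handler override in files/ is the third layer for the case where an upload slips past both.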
Posted by itomic

Charging clients for when Drupal security updates cause incompatibility issues

(please note that I write this article as a business owner, not an experienced Drupal dev!)

Our company charges an annual fee for identifying and applying security updates/patches for the Drupal sites we have designed and built, and that we host and maintain.

Read more
Posted by ezra

Security update notification based on permission needed to exploit vulnerability

I manage numerous Drupal sites, and have run into a kink in my procedure that I'd imagine many others share. Many people have their sites notify them whenever a security update applies to them, and promptly install that security update. Generally that's a good practice, and leads to relatively stable and secure sites.

Read more
Posted by newbie7001

Best Practices for determining if a drupal theme is secure?

I am a little new to Drupal, but one common task for many people is to get theme(s) for their Drupal sites. I understand just enough to know a Drupal theme could perhaps have a security flaw, e.g. XSS if check_plain, check_markup or filter_xss are not used properly? However, I, like many other newbies, do not have enough knowledge to properly test this.

Read more
Posted by greggles

Security bugs: Bounties vs. Blackmarket

I just read this article on Forbes: Shopping for zero days, which points out that bounties for bug reports are less valuable when the black market is willing to pay much more money for the issue.

Of course I hope that people will always report security issues to and work with that process to fix issues; it's an interesting read, nonetheless.

Read more
Posted by mariomaric

Response about SA-CONTRIB-2012-036

Hi everybody!

I just want to make you aware of a discussion going on about the recent SA-CONTRIB-2012-036 @

It would be great if you could provide your point of view, if you find that is necessary.

Please don't take this as disrespect or judging your work - I just don't see it as appropriate to create a picture of the Drupal security team as Drupal overlords. :/


Read more
Posted by greggles

Detailed response to publicly posted CSRF concerns in Drupal 7.12

Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security; its post is attached here. This post is a response to that issue.


The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal and presents a much bigger risk.

Read more
Posted by greggles

Snowfroc Security Conference 2012 near Drupalcon Denver

2012-03-22 07:30 - 16:00 America/Denver
Event type: Related event (i.e. not Drupal specific)

At the same time as Drupalcon Denver there will be an event about 15 minutes' walk away called SnowFROC, which is the Front Range OWASP Conference, OWASP being the Open Web and Application Security Project.

Historically this event has been pretty huge, drawing in famous speakers delivering presentations they go on to deliver again at Defcon or Blackhat.

They are currently looking for submissions of papers. Registration is also open.

Read more
Posted by patrickd

Tiny-IDS - a tiny intrusion detection system

After several conceptual changes, I finally created a first dev release.

It's still under development but I would really appreciate deep code and functionality reviews on the current state.
Feel free to express your opinion and discuss the general implementation in the issue queue.


Read more
Posted by gdd

Proposal to remove file signing from the configuration system

I recently posted the following issue to remove file signing from the Drupal 8 configuration system

I would love for some feedback from the security-savvy members of this group as to whether this is a viable option.


Read more
Posted by greggles

Videos and some slides from appsecusa online

The slides and videos from Appsec USA are now online:

Lots of them seem interesting. I'm currently watching the one on bounties (pdf and video).

Any others that seem interesting to you?

Read more
Posted by greggles

Acquia's Drupal Security Training at Drupalcon Denver - March 19

2012-03-19 09:00 - 16:30 America/Denver
Event type: Training (free or commercial)

First, if you haven't signed up for Drupalcon definitely consider doing so.

If you will be there, consider signing up for the full day class Security: Process, Code & Hands-on Training.

This is an updated version of previous trainings and will be co-presented with Erik Webb.

Signups are rolling in and space is limited. Plus, if you sign up by February 21 the price is $50 lower than normal.

Read more