Security

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.

Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Posted by RedUhl

Recommendation for Drupal 7 Books that cover security?

I looked at the two books suggested but they are for Drupal 6. Is there a good book that handles security for Drupal 7?

Posted by christefano

Drupal Development Best Practices Training in Downtown Los Angeles on November 16, 2012

Start: 2012-11-16 10:00 - 17:00 America/Los_Angeles
Event type: Training (free or commercial)

Join us on November 16, 2012 in Downtown Los Angeles for Drupal Development Best Practices, a full day of Drupal training! This training is being produced by Exaltation of Larks, a Drupal strategy, development, consulting and training firm with a team of experts in Los Angeles.

Sign up today at http://www.larks.la/training

This one-day workshop gives you a comprehensive tutorial on the right way to manage your Drupal website. You'll learn about version control for your code and ways to manage changes in your data. You'll also see how the Features module can enable you to keep your configuration changes in version control.

We'll cover industry-approved deployment strategies that let you move smoothly through development, testing and live environments. You’ll get a high-level overview of how to modify the way your site looks by sub-theming, preventing hours of frustration should your original theme be updated.

What you will learn:

  • Using version control with Drupal
  • Maintaining development, testing and production environments
  • Managing configuration changes using the Features module
  • Creating a basic sub-theme
  • Creating a basic module
  • Understanding Drupal’s API and the hook system
Posted by cubeinspire

Enabling the overlay module for anonymous: Security risks

Hi,

I'm reviewing a sandbox project for Drupal 7 called Overlay Links that encourages enabling the overlay module for anonymous users.
review comment: http://drupal.org/node/1811482#comment-6609236

I've read on some blog that doing this has security concerns, but there were no more details about that.
blog link: http://www.drupalgardens.com/documentation/site-management/admin-theme

Do you have any details about the security implications of enabling the permission "Access the administrative overlay" for anonymous users?


Encrypting and decrypting content in Drupal

There are at least two modules to do encryption in Drupal. This page compares those modules to help people choose a good one.

Last updated: 6 November, 2017

  • Encrypt
    • Includes multiple encryption methods from simple to complex depending on libraries available on the server
    • Focused on being a simple API that doesn't do much on its own
    • Uses CTools plugins for encryption methods and key providers
    • Contains unit tests for all the features
Posted by geek-merlin

Let's implement the sanitization bazooka: Autosanitization

Abstract

Wrong sanitization of user supplied strings, resulting in CSRF security issues, accounts for the vast majority of security announcements. Autosanitization (exactly: proper context stack aware autosanitization) would be the bazooka to end this once and for all. It is in reach and would be a unique feature among notable open source frameworks. The implementation requirements are described. Research is needed as of the D8 core requirements necessary to implement this in contrib land.

Anatomy of a sanitization issue

Consider a node title that is rendered like this:

Posted by greggles

Security team documentation now public - please help edit!

For a long time the security team documentation has grown in fits and starts inside of security.drupal.org with a somewhat challenging organization. About 9 months ago I started a process to archive unnecessary/outdated items, consolidate the good stuff, and organize it into a single google document for editing to allow people outside the team to help. Since then, several people helped out and in the last week (starting at Drupalcon Munich) Ben Jeavons and I moved it all to public book pages on Drupal.org. You can now find the previously private content inside:


Planning for Security implications of using external libraries

At Drupalcon Munich there was some discussion about introducing Symfony into Drupal and what that will mean for our security processes. Let's document our ideal scenarios for what we want an external library's maintainers to do before we incorporate it into Drupal. This should provide a framework for discussion with Symfony, but also potentially other libraries (e.g. Guzzle).

  • The project should have a simple, well documented way to report bugs
Posted by greggles

Drupal Security Sprint (s.d.o, security issues)

Start: 2012-08-24 09:00 - 17:00 Europe/Berlin
Event type: Sprint
  • Interested in joining the Drupal Security Team?
  • Want help to fix a vulnerability in a module you maintain?
  • Want to learn about the team's process by helping us edit our own documentation and publishing it on drupal.org?
  • Want to work on core security improvements with like-minded individuals?

Come work with some of Drupal's Security Team members at Drupalcon Munich.

Having some skills in writing secure code is helpful for some of the tasks, but not all.

Posted by joyseeker

Blogs and security

Hopefully, this is the best place to post this -- if not, I'd love some direction where to find answers.

I have a D6 site with blogs, and my database is being attacked. There are spam comments in the database, but since I have comments turned off for now, they do not display. I even have the site set up to require approval for registration, but I see from the Drupal logs that people are becoming active without my intervention.

On StatCounter, I see 2 types of URLs that may have clues -- can you tell me what type of attack it is? And maybe how to prevent it?

Posted by wrfeldmann

Mirror Drupal.org - Possible?

I have a situation where a few of our Drupal installations are not allowed to access the internet, although they can be accessed from the internet. Because of this, the Reports page always shows that Drupal core update status, HTTP request status, and Module and theme update status either fail to get available update data or just plain fail.

Posted by gwhiz

SFTP for update manager uploading of themes in Drupal 7

We are trying to understand how to use the Drupal7 update manager UI to install themes using the Appearance tab->install new theme box interface.

What is the flow of operation / modules when a URL is pasted into the admin UM UI dialogue?

Posted by Crell

Writing code to disk securely

Greg asked me to post this here as a notice. There's a discussion in the Core issue queue about ways to write generated code to disk in a secure fashion. I won't reiterate everything from that thread, other than we think we've found a solution but it needs vetting from the security team. Any input there would be welcome. Thanks.


Drupal modules for Two-Factor-Authentication

Two factor authentication is becoming more popular as more and more sites get hacked based on password alone.

  • Two Factor Auth - A framework to support a variety of methods as the second factor. The TFA Basic module provides support for TOTP, recovery codes and SMS via Twilio. These modules are used on drupal.org to provide two factor authentication.
  • GA Login uses the Google Authenticator software and smartphone app
Posted by udaksh

ENHANCING SECURE CODE REVIEW MODULE

Hello all,

I am doing a GSoC project on enhancing Secure Code Review, which is an automated tool to locate vulnerabilities in code.

You can find my project page here: Security Review and GSoC Project, and the proposal here: Proposal on Melange.

I have an approach that can help in locating XSS vulnerabilities. Please provide me with your feedback, suggestions and opinions about this approach.

Posted by greggles

Dealing with Denial of Service

There's a Drupalcon Munich proposal about DoS, but I thought maybe we could discuss it here as well in advance (or in case it's not accepted).

What kinds of attacks are people seeing? Drupal specific, generic?

What tools do you use to defend against the attacks? What seem most effective? Any tools that you use regardless of budget or even if the budget is small?

Posted by greggles

security docs update

There's a comment on the impersonating a user safely documentation page that says it needs to be updated. I'll admit I haven't tried this out and am unsure. Can anyone say whether this is the right way to do it?

It's probably worth doing a general review of all the security docs pages on a regular basis.

Some top level pages that people can review:
* Writing secure code
* Secure Configuration

We should review those top level pages and the sub-pages.

Posted by greggles

Response to Drupal 7.14 <= Full Path Disclosure Vulnerability

There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability".

As a response to this and the entire class of issues (that our error messages are optimized for usability over security) I've posted this faq entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Please help improve that page to provide any additional, useful guidance.

Edit: For search engines: This has now been assigned CVE-2012-2922.

Posted by Aleet

Site hacked

Hello, I have a 4.7.11 site that suddenly displays rotating ads below the footer: http://projectharambee.org/

I didn't find anything changed in index.php in the root and page.tpl.php in the bluemarine theme folder.

The code for the ad does NOT show up in the source code of the page output. I don't understand how that is possible.

Would you please suggest what else to check and how to prevent this from happening in the future?

Posted by greggles

Disable execution of PHP in the files/ directory

SA 2006-006 makes it impossible to execute PHP inside the Drupal files directory on Apache servers. This is a defense in depth mechanism along with things like file_munge_filename and file extension limits in PHP.

Windows doesn't benefit from that change since the change was in .htaccess.

Is there a way to prevent IIS from executing files inside a specific directory? Is there some way we can bundle that up and ship it with Drupal like the web.config?

Posted by itomic

Charging clients for when Drupal security updates cause incompatibility issues

(please note that I write this article as a business owner, not an experienced Drupal dev!)

Our company charges an annual fee for identifying and applying security updates/patches for the Drupal sites we've designed, built, host and maintain.
