Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Posted by mcuche

Separating administrator content from user content


My name is Manu Cuche. I am currently in my third (and last) year of computer science at Lessius Mechelen College. I have recently started working on my final project. For this project I have chosen the subject of security in Drupal, more specifically about separating administrator content from user content. I understand that this is a known issue in Drupal, and my first goal is to properly understand and define this issue. To do this I would like to ask for your help.

Posted by removed0

Drupal Association should play fair game for hosting companies, wishing to get listed on

Dear All,

Current practice is that the Drupal Association requires new applicant hosting companies, which wish to get listed on, to pass the security test of the Security Review module. And it is difficult to pass the test without applying an additional layer of complexity to certain setups. This practice represents an unfair barrier for hosting companies which want to provide Drupal-specific hosting services and which cannot practically pass the test, and therefore should be reviewed or cancelled.

Posted by greggles

Should modules be marked "abandoned" if their releases are unpublished

When a module maintainer is not communicating/fixing a security issue in a timely manner the security team needs to communicate about the problem in the module to site owners.

  • We send an SA which gets picked up by rss readers and e-mail subscribers and twitter
  • We unpublish the module releases so that the update.module will notify site owners that support for a module in use on their site has been revoked, this then notifies them to visit the project page for more information so...

Posted by Charles Belov

Best practices for deprecating old module/adding new release

I'm wondering what is the best practice for creating new releases of modules and deprecating the old version, in terms of maintaining security while the new version proceeds to release status. I'm asking this as a Drupal newbie.

Posted by johnbarclay

LDAP Attributes in Fields added to User entity

I maintain the LDAP module for Drupal 7. In the next version I was considering moving some of the data in the $user->data array into fields attached to the user entity. These fields would have the UI widget of "hidden".

This would make integration with Feeds, Migrate and other modules much easier. The data would be the LDAP cn, LDAP dn and other LDAP attributes.

From a security perspective, is there any advantage to $user->data or hidden fields on the user entity?

Posted by greggles

Statistics about the Drupal Security Team

Hello Security folks and marketers,

I'm collaborating with Jojo Toth (mogdesign) on a marketing piece about security in Drupal. It will mostly be about the process of handling an issue. We're trying to brainstorm what statistics we might want to use, but most of them end up seeming negative when you first look at them. For example, if we brag that we handled ~60 issues in 2011 then that looks like Drupal is insecure ("wow, 60 issues is a lot!") until you dig into the facts that this was across Drupal core and ~5,000 contributed projects.

Posted by greggles

Where to link credit for finding/fixing issues

Currently when someone reports an issue to the team, or fixes an issue, or coordinates an issue we link to their name in the security advisory.

There are two problems with this:

  • Sometimes people report issues who do not have accounts on
  • Some researchers or involved parties (team members, developer) might prefer that we link to their site

I'm a bit torn on the proper way to handle this.

I looked around at what other organizations do:


Articles about security in other CMS

(re-posting from some docs that were private but can be public).

Let's look at other systems and what they do (or don't do) that we can learn from.

Good list of reasons why people do not want to upgrade

Posted by greggles

Consider adding all permissions with "restrict access" to those that will not get an SA

We have a security policy page that says if a vulnerability requires a specific list of permissions then the team will not send an SA for the issue. In Drupal 7 we have hook_permission with more options like "restrict access" which can be set to TRUE to warn users about the permission being important.

I propose that we add a bullet point text to the security policy page to say:

Posted by robertwb

How to locate Drupal security expert?

So, I am guessing that there might be a better forum than this, but I am kind of in a crucial situation. If I should be in another group with this post, please let me know - nothing appeared to me to be better in my search.

Anyhow, I think that I have a compromised install, a recent Drupal 7 site, with Ubercart. I was testing the ecommerce stuff, making small CC transactions, and this morning I got a fraudulent charge on the card that I've been testing with. Nothing big, $15, and I caught it while it was still pending and cancelled the card. My situation/questions are as follows:

Posted by Shai

Is it a Security Risk for Nodes to Have Authorship of "Anonymous" (uid=0)

Hi folks,

Is it a security risk for nodes to have a uid = 0?

I have a client for whom I took over an existing site which was migrated from another CMS. The developer migrating the site assigned all the content to uid = 0 (about 1200 nodes).

My gut hates this, but before I tell the client it is a security risk, I want to know why, if it is.

The only thing I can think of is if the anonymous user role had the permission, "edit own content" or some other node permissions.

I would never assign those permissions to Anonymous, and I'm the only one who can assign permissions on the site.

Posted by Shai

Drupal Installations Attacked

My server was attacked and code files added and changed on four of about twenty Drupal installations I have on the server.

I think I discovered this within 24 hours of it happening.

I've deleted inserted files and reverted changed files back to their previous state. Having these sites under SVN control has been hugely helpful.

As far as I can tell the sites are functioning normally and the databases intact. But I need to do further investigation.

Here is my set-up and what I know.


Revisiting: Goals of Drupal Security Team - Part 1 brainstorming

From our page in the handbook The security team's stated goals are:

  • Resolve reported security issues.
  • Provide assistance for contributed module maintainers in resolving security issues.
  • Provide documentation on how to write secure code.
  • Provide documentation on securing your site

Posted by amax

Hacked with c999 shell

Hi All, I was wondering, does anyone have any info on how to remove the c999 shell from a hacked Drupal install? The hacker was able to upload a file through an old Drupal 6 website which installed this shell in some way. The script that did this was uploaded from the /files/images/ directory. We have upgraded the whole website (core and third-party modules) and have it running on a local system now again. However, when browsing some pages, e.g.

Posted by RKopacz

How to Check Database for Code / Script Injections

I have a question, not sure where to post it. I suffered a hack to a Drupal site. I suspect that the hacker got in through the host's admin panel and thereby got access to the root via FTP, the database, everything. I want to be sure that no malicious script or code was injected into the database. Is there a protocol for checking this, specific to the Drupal DB?

If there is a better place to post this, please advise & thanks in advance.

Posted by navaneeth_r

Cross site scripting report on Acunetix vulnerability scanner tool

I got the report from the Acunetix tool that the site has more than 50 cross-site scripting possibilities through the URL. The tool is reporting the following URLs. They are changing URLs like /nodeprompt("hi") ; and reporting cross-site scripting possibilities. How to solve this in Drupal? Please suggest, anyone. I'll post the fix once identified.


Posted by Jurjen de Vries

Javascript exploit filter

Is there a possibility / module to filter exploited JavaScript? My editors like to add embedded JavaScript to the site for new (e.g. Google Plus) or less used services, but I don't want to create security holes by this.

Posted by greggles

Drupal Scout Security Training: Learn to attack and protect your site July 25th

2011-07-25 09:00 - 17:00 America/New_York
Event type: Training (free or commercial)

On July 25th, just after the Capital Camp, Ben Jeavons and Greg Knaddison from Drupal Scout will be giving a training about how to secure your Drupal site.

The full day course is $450.

It is broken apart into several sections:

  • Introduction to philosophy of development with a security focus
  • Overview of most common vulnerabilities
  • Specific review of Drupal's most common problems
    • Cross Site Scripting (XSS)
    • Spam/automation
    • Cross Site Request Forgeries CSRF

Posted by ay4you

Master - Slave Solution

Please bear with me if I am creating this question in the wrong place; I am new to Drupal groups.
I manage an enterprise solution for 4 Drupal sites, very highly transactional and with high traffic.
I use Pressflow on 6 web servers with memcached and a master-slave replication. They seem to be fine, but I want to reduce the load on the master, so I want to make 2 slaves part of the solution, since I am using Pressflow, which supports a master-slave replication solution.

Posted by webchick

The way we do security vs. bug fix releases is confusing the crap out of people

On the thread about a predictable release cycle for core, a large sub-thread opened up about the fact that everyone, including Dries, hates the way we do security vs. bug fix releases. It's confusing and unclear.

The current policy, explained

I couldn't actually find a handbook page explaining the current policy, so I made one. Here's a copy/paste of that here.
