Security

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.

Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On Twitter, see @drupalsecurity.

Posted by ezra

Security update notification based on permission needed to exploit vulnerability

I manage numerous Drupal sites, and have run into a kink in my procedure that I'd imagine many others share. Many people have their sites notify them whenever a security update applies to them, and promptly install that security update. Generally that's a good practice, and leads to relatively stable and secure sites.

Posted by newbie7001

Best Practices for determining if a drupal theme is secure?

I am a little new to Drupal, but one common task for many people is to get theme(s) for their Drupal sites. I understand just enough to know a Drupal theme could perhaps have a security flaw, e.g. XSS if check_plain, check_markup or filter_xss are not used properly? However, I, like many other newbies, do not have enough knowledge to properly test this.

Posted by greggles

Security bugs: Bounties vs. Blackmarket

I just read this article on Forbes, "Shopping for Zero Days", which points out that bounties for bug reports are less valuable when the black market is willing to pay much more money for the issue.

Of course I hope that people will always report security issues to security@drupal.org and work with that process to fix issues; it's an interesting read, nonetheless.

Posted by mariomaric

Response about SA-CONTRIB-2012-036

Hi everybody!

I just want to make you aware of a discussion going on about the recent SA-CONTRIB-2012-036 at http://drupal.org/node/711000#comment-5734594

It would be great if you could provide your point of view, if you find that necessary.

Please don't take this as disrespect or as judging your work; I just don't see it as appropriate to create a picture of the Drupal security team as Drupal overlords. :/

Thx.

Posted by greggles

Detailed response to publicly posted CSRF concerns in Drupal 7.12

Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security, and that post is attached here. This post is a response to that issue.

Summary

The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal and presents a much bigger risk.

Posted by greggles

Snowfroc Security Conference 2012 near Drupalcon Denver

Start: 2012-03-22 07:30 - 16:00 America/Denver
Event type: Related event (i.e. not Drupal specific)

At the same time as Drupalcon Denver there will be an event about 15 minutes walk away called SnowFROC which is the Front Range OWASP Conference. OWASP being the Open Web and Application Security Project.

Historically this event has been pretty huge, drawing in famous speakers delivering presentations they go on to deliver again at Defcon or Blackhat.

They are currently looking for submissions of papers. Registration is also open.

Posted by patrickd

Tiny-IDS - a tiny intrusion detection system

http://drupal.org/project/tinyids

After several conceptual changes, I finally created a first dev release.

It's still under development but I would really appreciate deep code and functionality reviews on the current state.
Feel free to express your opinion and discuss the general implementation in the issue queue.

Regards.

Posted by gdd

Proposal to remove file signing from the configuration system

I recently posted the following issue to remove file signing from the Drupal 8 configuration system:

http://drupal.org/node/1444620

I would love some feedback from the security-savvy members of this group as to whether this is a viable option.

Thanks!

Posted by greggles

Videos and some slides from appsecusa online

The slides and videos from Appsec USA are now online: http://www.appsecusa.org/schedule.html#slides_video

Lots of them seem interesting. I'm currently watching the one on bounties (pdf and video).

Any others that seem interesting to you?

Posted by greggles

Acquia's Drupal Security Training at Drupalcon Denver - March 19

Start: 2012-03-19 09:00 - 16:30 America/Denver
Event type: Training (free or commercial)

First, if you haven't signed up for Drupalcon definitely consider doing so.

If you will be there, consider signing up for the full day class Security: Process, Code & Hands-on Training.

This is an updated version of previous trainings and will be co-presented with Erik Webb.

Signups are rolling in and space is limited. Plus, if you sign up by February 21 the price is $50 lower than normal.

Posted by mcuche

Separating administrator content from user content

Hello,

My name is Manu Cuche. I am currently in my third (and last) year of computer science at Lessius Mechelen College. I have recently started working on my final project. For this project I have chosen the subject of security in Drupal, more specifically about separating administrator content from user content. I understand that this is a known issue in Drupal, and my first goal is to properly understand and define this issue. To do this I would like to ask for your help.

Posted by alex_shapka

Drupal Association should play fair with hosting companies wishing to get listed on http://drupal.org/hosting

Dear All,

Current practice is that the Drupal Association requires new applicant hosting companies, which wish to get listed on http://drupal.org/hosting, to pass the security test of the Security Review module. It is difficult to pass the test without applying an additional layer of complexity to certain setups. This practice represents an unfair barrier for hosting companies which want to provide Drupal-specific hosting services and which cannot practically pass the test, and it should therefore be reviewed or cancelled.

Posted by greggles

Should modules be marked "abandoned" if their releases are unpublished

When a module maintainer is not communicating about or fixing a security issue in a timely manner, the security team needs to communicate about the problem in the module to site owners.

  • We send an SA which gets picked up by RSS readers, e-mail subscribers and Twitter
  • We unpublish the module releases so that the update.module will notify site owners that support for a module in use on their site has been revoked; this then tells them to visit the project page for more information so...
Posted by Charles Belov

Best practices for deprecating old module/adding new release

I'm wondering what is the best practice for creating new releases of modules and deprecating the old version, in terms of maintaining security while the new version proceeds to release status. I'm asking this as a Drupal newbie.

Posted by johnbarclay

LDAP Attributes in Fields added to User entity

I maintain the LDAP module for Drupal 7. In the next version I was considering moving some of the data in the $user->data array into fields attached to the user entity. These fields would have the UI widget of "hidden".

This would make integration with feeds, migrate and other modules much easier. The data would be the LDAP cn, LDAP dn and other LDAP attributes.

From a security perspective, is there any advantage to $user->data or hidden fields on the user entity?

Posted by greggles

Statistics about the Drupal Security Team

Hello Security folks and marketers,

I'm collaborating with Jojo Toth (mogdesign) on a marketing piece about security in Drupal. It will mostly be about the process of handling an issue. We're trying to brainstorm what statistics we might want to use, but most of them end up seeming negative when you first look at them. For example, if we brag that we handled ~60 issues in 2011 then that looks like Drupal is insecure ("wow, 60 issues is a lot!") until you dig into the facts that this was across Drupal core and ~5,000 contributed projects.

Posted by greggles

Where to link credit for finding/fixing issues

Currently when someone reports an issue to the team, or fixes an issue, or coordinates an issue we link to their name in the security advisory.

There are two problems with this:

  • Sometimes people report issues who do not have accounts on drupal.org
  • Some researchers or involved parties (team members, developers) might prefer that we link to their site

I'm a bit torn on the proper way to handle this.

I looked around at what other organizations do:


Articles about security in other CMS

(Re-posting from some docs that were private but can be public.)

Let's look at other systems and what they do (or don't do) that we can learn from.

http://lorelle.wordpress.com/2008/04/28/wordpress-security-prevention-re...
http://ma.tt/2008/04/securityfocus-sql-injection-bogus/

Good list of reasons why people do not want to upgrade

Posted by greggles

Consider adding all permissions with "restrict access" to those that will not get an SA

We have a security policy page that says if a vulnerability requires a specific list of permissions then the team will not send an SA for the issue. In Drupal 7 we have hook_permission with more options like "restrict access" which can be set to TRUE to warn users about the permission being important.

I propose that we add a bullet point text to the security policy page to say:

Posted by robertwb

How to locate Drupal security expert?

So, I am guessing that there might be a better forum than this, but I am kind of in a crucial situation. If I should be in another group with this post, please let me know - nothing appeared to me to be better in my search.

Anyhow, I think that I have a compromised install, a recent Drupal 7 site with Ubercart. I was testing the ecommerce stuff, making small CC transactions, and this morning I got a fraudulent charge on the card that I've been testing with. Nothing big, $15, and I caught it while it was still pending and cancelled the card. My situation/questions are as follows:
