Security

Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On Twitter, see @drupalsecurity.

Posted by mlhess

Increase in malicious requests performing automated password resets

There appears to be an increase in malicious requests performing automated password resets on accounts. These automated requests seem to be requesting password resets for commonly used usernames like admin, moderator, etc.

Triggering a password reset email is not directly a security risk. Site owners should check all accounts with elevated rights and confirm that the associated email addresses are correct. This automated attack may be trying to take advantage of a previously compromised account having had its email changed.

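A triage helper for the pattern described in the post above, added here as an example (it is not code from the post or from Drupal). It does two things: it spots bursts of reset requests from one client against commonly probed usernames, and it lists privileged accounts whose email domain is not one you expect, which is the manual check the post recommends. The log lines are constructed to resemble Drupal's watchdog "user" channel message ("Password reset instructions mailed to %name at %email.") with a timestamp and client IP prepended; real dblog or syslog output is laid out differently, so LINE_RE would need adapting. The account list is likewise constructed, and COMMON_TARGETS is this example's guess at the usernames worth watching.

```python
"""Triage helper for automated password-reset floods (added example).

Assumptions: log layout "<ISO timestamp> <ip> user: Password reset instructions
mailed to <name> at <email>." (constructed, not real dblog output); account
records carry name, mail and role machine names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the post says are being probed, plus the usual suspects (assumption).
COMMON_TARGETS = {"admin", "administrator", "moderator", "root", "webmaster", "test"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2018-03-01T10:00:01 203.0.113.7 user: Password reset instructions mailed to admin at admin@example.com.
2018-03-01T10:00:02 203.0.113.7 user: Password reset instructions mailed to moderator at mod@example.com.
2018-03-01T10:00:03 203.0.113.7 user: Password reset instructions mailed to webmaster at web@example.com.
2018-03-01T10:00:04 203.0.113.9 user: Password reset instructions mailed to admin at admin@example.com.
2018-03-01T10:00:05 203.0.113.9 user: Password reset instructions mailed to root at root@example.com.
2018-03-01T10:00:06 203.0.113.9 user: Password reset instructions mailed to test at test@example.com.
2018-03-01T14:22:10 198.51.100.4 user: Password reset instructions mailed to jdoe at jdoe@example.com.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user: Password reset instructions mailed to "
    r"(?P<name>\S+) at (?P<email>\S+)\.$"
)


def parse_line(line):
    """Return a dict for a matching reset line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "name": m["name"], "email": m["email"]}


def find_reset_bursts(log_text, window=timedelta(minutes=5), threshold=3):
    """Map client IP -> usernames it targeted, for IPs that trigger at least
    `threshold` resets against COMMON_TARGETS inside any `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    suspicious = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            names = [e["name"] for e in evs[start:end + 1]]
            if sum(n in COMMON_TARGETS for n in names) >= threshold:
                suspicious[ip] = names
    return suspicious


# Constructed account dump: name, mail and role machine names.
SAMPLE_ACCOUNTS = [
    {"name": "admin", "mail": "admin@example.com", "roles": ["administrator"]},
    {"name": "siteops", "mail": "ops@mailbox.example", "roles": ["administrator"]},
    {"name": "jdoe", "mail": "jdoe@mailbox.example", "roles": ["authenticated"]},
]


def check_privileged_emails(accounts, allowed_domains, privileged_roles=("administrator",)):
    """Return names of accounts holding a privileged role whose email domain is
    not in `allowed_domains`; those are the ones to verify by hand."""
    flagged = []
    allowed = {d.lower() for d in allowed_domains}
    for acct in accounts:
        if not set(acct["roles"]) & set(privileged_roles):
            continue
        domain = acct["mail"].rsplit("@", 1)[-1].lower()
        if domain not in allowed:
            flagged.append(acct["name"])
    return flagged


if __name__ == "__main__":
    print(find_reset_bursts(SAMPLE_LOG))
    print(check_privileged_emails(SAMPLE_ACCOUNTS, {"example.com"}))
```

The burst detector only flags a client once it has hit several well-known names inside the window, so a single legitimate "I forgot my password" from a real administrator does not trip it; the email check is deliberately a domain allowlist, because an attacker who already changed a compromised account's address will almost always point it somewhere outside the organisation.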
Posted by daggerhart

Promote education around security severity notices through the [Security-news] emails

Hi all,

Summary: Additional links about security review process and severity determination would be beneficial to the average subscriber of security alerts.

Long story:
Yesterday there was a security notice around updating the backup & migrate module that sparked some needed conversations. This link is essentially the email that was sent out: https://www.drupal.org/sa-contrib-2018-004

Posted by greggles

Addressing meltdown/spectre in Drupal

The Chromium project blog post about Meltdown/Spectre has some advice for web applications to increase their security in case a client has not upgraded.

Quoting the 3 main bullet points:

  1. Where possible, prevent cookies from entering the renderer process' memory by using the SameSite and HttpOnly cookie attributes, and by avoiding reading from document.cookie.
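A small checker for the first bullet quoted above, added here as an example (not code from the Chromium post or from Drupal): it parses Set-Cookie headers and reports cookies that lack HttpOnly or a Lax/Strict SameSite (Secure is checked too, as the usual companion attribute), and it finds document.cookie reads in front-end code. The header values and the JavaScript snippet are constructed; in practice the headers would come from an HTTP response and the scan would run over the site's aggregated JS.

```python
"""Set-Cookie attribute check and document.cookie scan (added example)."""
import re


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lowercased attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True   # flag attributes carry no value
    return name, attrs


def cookie_findings(header):
    """Return (name, [finding, ...]); an empty list means the cookie passes."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    # Absent, bare, or SameSite=None all leave the cookie attached to cross-site requests.
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("missing or weak SameSite")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return name, findings


# Constructed headers: a typical unhardened session cookie and the corrected form.
WEAK = "SESS1a2b3c=tokenvalue; path=/; domain=.example.com"
HARDENED = "SESS1a2b3c=tokenvalue; path=/; domain=.example.com; Secure; HttpOnly; SameSite=Lax"

DOC_COOKIE_RE = re.compile(r"\bdocument\.cookie\b")


def find_document_cookie_reads(js_source):
    """1-based line numbers in js_source that touch document.cookie."""
    return [i for i, line in enumerate(js_source.splitlines(), 1) if DOC_COOKIE_RE.search(line)]


# Constructed snippet standing in for a site's aggregated JavaScript.
SAMPLE_JS = """\
function csrfToken() {
  return document.cookie.split(';')[0];  // copies cookies into renderer memory
}
var pref = window.localStorage.getItem('pref');
"""

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(cookie_findings(h))
    print(find_document_cookie_reads(SAMPLE_JS))
```

SameSite=None is reported as weak on purpose: it is the explicit opt-out, so for a session cookie it is no better than leaving the attribute off.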
Posted by shrop

Drupal distribution security coverage and coverage of contained modules

I have questions about Drupal distributions and their security coverage. If a Drupal distribution has security coverage and modules contained in the distribution do not:

  1. Do the distribution's maintainers accept security coverage responsibility for the non-covered module?
  2. What are the other implications and gotchas in this scenario?

Thanks!
shrop

Posted by basav

Drupal 8.3.7 - Code scanning issues by Fortify tool

Hi Team,

Our security team used the Fortify tool to do a static code scan of the Drupal 8.3.7 code base and found some issues, mostly JSON injection, XSS, etc.

How are these threats perceived by the community? Are there any Drupal security patches available which fix these issues?

Cross-Site Scripting: DOM
  1. backbone.js, line 1678 (Cross-Site Scripting: DOM)
     The method start() in backbone.js sends unvalidated data to a web browser on line 1678, which can result in the browser executing malicious code.
  2. backbone-min.js, line 1 (Cross-Site Scripting: DOM)
Posted by François R

Automatic checking of modules security states

Hi all

I'm running more and more sites on D7 and D8 and need a way to automatically check if all the hundreds of modules these sites are running are safe (to me it means: stable version, enough installs, actively maintained, no known vulnerabilities).
So far I haven't found a way to do so other than ugly parsing of the HTML found on https://www.drupal.org/security and https://www.drupal.org/project/project_module

Has anyone tried before?

Maybe the Drupal security team (as they have it all in their DB) could provide these data through a REST API or at least a CSV file.

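There is already machine-readable data for part of what the post above asks for: the release-history XML feed at https://updates.drupal.org/release-history/<project>/<core> (for example .../views/7.x), which is what Drupal's own Update module polls. The following is an added example (not drupal.org or Update module code) that parses that feed and decides whether an installed version is still safe. The XML is a constructed sample in the feed's layout as the author understands it: each release carries "Release type" terms such as "Security update" or "Insecure", and project_status says whether the project is still supported. Fetching is left out so it runs offline; install counts and maintenance activity are not in this feed and would need another source.

```python
"""Assess a module's security state from a release-history feed (added example)."""
import xml.etree.ElementTree as ET   # use defusedxml for feeds you do not trust

# Constructed sample in the updates.drupal.org release-history layout.
SAMPLE_FEED = """\
<?xml version="1.0" encoding="utf-8"?>
<project xmlns:dc="http://purl.org/dc/elements/1.1/">
  <title>Example Module</title>
  <short_name>example_module</short_name>
  <project_status>published</project_status>
  <supported_majors>1</supported_majors>
  <recommended_major>1</recommended_major>
  <releases>
    <release>
      <version>7.x-1.3</version>
      <status>published</status>
      <date>1500000000</date>
      <terms><term><name>Release type</name><value>Security update</value></term></terms>
    </release>
    <release>
      <version>7.x-1.2</version>
      <status>published</status>
      <date>1490000000</date>
      <terms>
        <term><name>Release type</name><value>Bug fixes</value></term>
        <term><name>Release type</name><value>Insecure</value></term>
      </terms>
    </release>
  </releases>
</project>
"""


def parse_release_history(xml_text):
    """Return {'name', 'status', 'releases': [{'version', 'status', 'date', 'types'}]}."""
    root = ET.fromstring(xml_text)
    releases = []
    for rel in root.iter("release"):
        types = [t.findtext("value") for t in rel.iter("term")
                 if t.findtext("name") == "Release type"]
        releases.append({
            "version": rel.findtext("version"),
            "status": rel.findtext("status"),
            "date": int(rel.findtext("date") or 0),
            "types": types,
        })
    return {"name": root.findtext("short_name"),
            "status": root.findtext("project_status"),
            "releases": releases}


def assess(project, installed_version):
    """List the reasons `installed_version` of `project` is not safe to run; [] if clean."""
    flags = []
    if project["status"] != "published":
        flags.append("project is %s (no security coverage)" % project["status"])
    installed = next((r for r in project["releases"] if r["version"] == installed_version), None)
    if installed is None:
        flags.append("installed version not in release history")
    elif "Insecure" in installed["types"]:
        flags.append("installed version flagged Insecure")
    newer_security = [r["version"] for r in project["releases"]
                      if r["status"] == "published" and "Security update" in r["types"]
                      and (installed is None or r["date"] > installed["date"])]
    if newer_security:
        flags.append("security update available: " + ", ".join(newer_security))
    return flags


if __name__ == "__main__":
    proj = parse_release_history(SAMPLE_FEED)
    for v in ("7.x-1.2", "7.x-1.3"):
        print(v, assess(proj, v))
```

Run this once per project over the modules listed in each site's codebase and you get the "no known vulnerabilities" and "still supported" columns of the check the post asks for without scraping HTML; a version missing from the feed entirely (a dev snapshot or a locally patched build) is reported rather than assumed clean.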
Posted by Drupal Security Team

July 17th, 2017 Symfony security fix in Security component (CVE-2017-11365) - Drupal not affected

Symfony contacted the Drupal Security team about today's Symfony security release addressing an issue in UserPasswordValidator. This announcement is to reassure the Drupal community that Drupal 8 is not affected by this fix, as it does not make use of this security component. There is no Drupal 8 release scheduled for this, and there is no action you need to take on your Drupal site(s).

Posted by DamienMcKenna

Official policy over security issues in vendor code that doesn't affect Drupal?

I could not find an official policy on whether PSAs are to be made regarding security notices for vendor code that doesn't directly affect Drupal, though I'm sure this has happened lots of times over the years and will continue to happen in the future.

I suggest we over-communicate to the community and take the effort to release a PSA that states Drupal core is not affected in situations where vendor security updates do not affect Drupal. We could even have a template message to publish for these scenarios, then just update the specifics and it's done.

Rationale


Posted by greggles

FAQ about CVE-2017-6919 / SA-CORE-2017-002

This is a group of questions and answers to help explain SA-CORE-2017-002, which has the CVE ID CVE-2017-6919.

Q: Can you explain the risks associated with this vulnerability, and what an attack would look like?

Posted by Jose Reyero

Marking projects as unsupported / What is a Supported Project / Better policy needed.

As we've just seen recently with the References project SA followed by the module being marked as unsupported (though this is just one example of many), this may be a major issue for thousands of sites using a module. Maybe you cannot disable it right away, there may be replacements available or not, but in any case this way of doing things (unspecified SA, then Unsupported) is putting thousands of sites at risk.

I believe there should be better ways to handle these cases, and though I don't know exactly how, it will need some discussion; here are just some ideas about it:

Posted by benjy

Discussion around which holidays to avoid for security advisories

Today's security advisories were released the day before everyone goes on a 4-day break here in Australia and therefore put a lot of pressure on agencies to have all the security issues patched in the last day of work.

We already have a list of holidays and events we try to avoid here - https://www.drupal.org/node/1762316 - I'm proposing we add the Easter break to that list but would welcome feedback from others on holidays that should or should not be included in the list.

Posted by DamienMcKenna

Clearly document what things are not considered security issues

We have clear(-ish) instructions on how to report a security issue but we don't clearly define what we consider not to be a security problem. It would be useful if we had a clearly defined list of things that are not considered security issues to reduce the amount of issues being opened unnecessarily, thus reduce the amount of time needed to triage the security issue queue; also, this list should either be present on the "how to report" page or at least linked off it right at the top of the page.

Posted by DamienMcKenna

Document policy on who gets credit on SAs

While it is mentioned in some locations, the security team's policy is not made completely clear on who gets credit on an SA or what format it will be in. It was briefly discussed before (https://groups.drupal.org/node/194073), and the SA form fields have default values like the following:


  • <a href="https://www.drupal.org/user/XXXUID">Real Name</a>
  • <a href="https://www.drupal.org/user/XXXUID">Real Name</a> of the Drupal Security Team
Posted by DamienMcKenna

Define a policy on how to handle security issues opened on drupal.org for security-team-supported projects

We need some clarification and standardizing around how to handle an issue logged on the public drupal.org site for a project which is covered by the security team. There currently isn't a standard process, though the following appears to be the de facto process:

  • The node is unpublished.
  • An sdo issue is created if needed.
  • The person is added to the sdo issue.

This leaves a few open questions:

  • Webmasters looking at an unpublished node may not be aware of why it's unpublished and might mistake it for e.g. spam.
Posted by DamienMcKenna

Define a policy on how long distributions should wait before releasing security updates

One thing I've noticed is that there are no policies around how quickly distributions should be updated once one of their dependencies has a security update. It might be useful to have one. I'm sure there are some packaging / d.o UI improvements that might help with this too, e.g. https://www.drupal.org/node/2842816, or maybe an opt-in thing to automatically update distributions?

Posted by betz

Sleep is Gold: Proposal to shorten the security updates release window.

Disclaimer

As I don't find an issue queue for the security team (probably a good thing), I am posting this here.
Thanks @DamienMcKenna for pointing me in this direction.

Problem/Motivation

Currently the security updates window is every Wednesday between 12 noon and 5pm Eastern time.
Depending on where you are in the world, this might be outside office hours.
Belgium is such a case, where the release window is currently between 5pm and 11pm.
Such a wide release window makes it very hard and expensive for individuals to be on call for possible releases.

Posted by xjm

Drupal 8.x core release on Monday, July 18 (update to previously scheduled window)

The Drupal core security release window has been moved to Monday, July 18. See the PSA announcement for the release for details.

Posted by sinn

Another way to sanitize a database: DB Sanitizer

Problem/Motivation.
Drupal stores data for each entity in a few tables: base table, field tables, revision table, field revision tables. It becomes difficult to maintain a script for cleaning the database when we have a lot of entities in a project and the structure of entities changes periodically.

The existing method of cleaning personal and critical data from the database, the drush sql-sanitize command, has a few restrictions: you need to implement hook_drush_sql_sync_sanitize in your modules and write all SQL commands manually, you need to keep the entities' structure in mind, and it doesn't have a UI.

Posted by greggles

Discussion for RCE in Contrib PSA and announcements

Hi!

Based on a lot of discussion, especially in this thread, the security team adjusted the way we announced the most recent contrib module releases.

  • We did a PSA 24 hours in advance and named the time of the release
  • The PSA (after editing, whoops, should have been in the initial version) included roughly the number of installed sites
  • We have a security scale and could specifically say how critical the upcoming issues were
  • We used Twitter to talk about it as well
Posted by greggles

New feature in paranoia module: sanitizing db tables based on a whitelist approach

Hi,

I'm excited to announce a new feature in the paranoia module: database sanitizing based on a whitelist.

The main way to sanitize databases now is drush sql-sanitize, which works on a blocklist approach. If you add a module or table to your site that stores data in the database that you want to clean up then you must actively add a hook_drush_sql_sync_sanitize that will declare the right command, but it doesn't say if it has cleaned up all the columns in the table.

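Both the DB Sanitizer post and the paranoia post above make the same point from different angles: a blocklist sanitizer (hook_drush_sql_sync_sanitize) only cleans what someone remembered to list, and with entity data spread across base, revision and field tables that list goes stale. The following is an added example (not the paranoia module's or DB Sanitizer's code) of the allowlist alternative: every column not explicitly kept is overwritten, a table nobody has made a decision about is reported instead of being silently exported, and an allowlist entry that no longer matches the schema fails loudly. SCHEMA is a constructed subset of Drupal 8 core tables (column names as in core) standing in for what information_schema.columns would return; KEEP, REPLACEMENTS and the generated MySQL statements are this example's own choices.

```python
"""Allowlist-based database sanitization plan (added example)."""

# table -> ordered columns (constructed subset of Drupal 8 core tables)
SCHEMA = {
    "users_field_data": ["uid", "langcode", "name", "pass", "mail", "timezone",
                         "status", "created", "changed", "access", "login", "init"],
    "user__field_phone": ["bundle", "deleted", "entity_id", "revision_id",
                          "langcode", "delta", "field_phone_value"],
    "sessions": ["uid", "sid", "hostname", "timestamp", "session"],
    "cache_bootstrap": ["cid", "data", "expire", "created", "serialized", "tags", "checksum"],
}

# Allowlist: columns that may leave the site untouched. An empty set means
# "keep the table, drop every row". A table absent from KEEP is undecided.
KEEP = {
    "users_field_data": {"uid", "langcode", "timezone", "status", "created", "changed"},
    "user__field_phone": {"bundle", "deleted", "entity_id", "revision_id", "langcode", "delta"},
    "sessions": set(),
}

# Replacement expressions for sanitized columns; anything else becomes NULL.
REPLACEMENTS = {
    ("users_field_data", "name"): "CONCAT('user', uid)",
    ("users_field_data", "mail"): "CONCAT('user', uid, '@example.com')",
    ("users_field_data", "init"): "CONCAT('user', uid, '@example.com')",
    ("users_field_data", "pass"): "''",          # no usable hash; reset passwords after import
    ("users_field_data", "access"): "0",
    ("users_field_data", "login"): "0",
}


def plan(schema, keep, replacements):
    """Return (sql_statements, undecided_tables).

    Columns are sanitized in schema order so the output is stable and diffable.
    Raises ValueError when the allowlist names a column the schema no longer has,
    which is the signal that the entity structure changed under you.
    """
    statements, undecided = [], []
    for table, columns in schema.items():
        if table not in keep:
            undecided.append(table)
            continue
        kept = keep[table]
        unknown = kept - set(columns)
        if unknown:
            raise ValueError("%s: allowlisted columns not in schema: %s" % (table, sorted(unknown)))
        if not kept:
            statements.append("TRUNCATE TABLE %s;" % table)
            continue
        assignments = ["%s = %s" % (c, replacements.get((table, c), "NULL"))
                       for c in columns if c not in kept]
        if assignments:
            statements.append("UPDATE %s SET %s;" % (table, ", ".join(assignments)))
    return statements, undecided


if __name__ == "__main__":
    sql, todo = plan(SCHEMA, KEEP, REPLACEMENTS)
    print("\n".join(sql))
    print("undecided tables:", todo)
```

The failure mode the posts describe shows up as output rather than as a silent leak: a new field table such as user__field_phone appears in the undecided list until someone adds it to KEEP, and a column added to an existing table is nulled by default because it is not in the allowlist.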