PCI compliance

Posted by greggles

Locking vendor accounts after their job is over, locking inactive admin accounts at 90 days

Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than a current account, and the passwords are not being rotated, making the accounts easier to brute-force over a long period.

There are two policies that create a solution to this problem:

  1. If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
Posted by andyg8

Are all Drupal 7.2x sites non-PCI compliant because of CVE-2011-2687, the node access bypass threat?

Hi team,

Sorry if this is in the wrong place, but extensive Googling couldn't find an answer.

We've just had a PCI compliance scan done by Trustwave, which says we need to fix CVE-2011-2687,
node-access-bypass insecurity, which was fixed in Drupal 7.3. See: https://drupal.org/node/1204582.

But the last release of Drupal 7.3 was in 2011!

And Drupal.org home page says that 7.28 is the current release.

So does this mean every Drupal site in the world running the 7.2x branch, including 7.28, is not PCI compliant?
