Enabling the overlay module for anonymous: Security risks
Hi,
I'm reviewing a sandbox project for Drupal 7 called Overlay Links that encourages enabling the overlay module for anonymous users.
review comment: http://drupal.org/node/1811482#comment-6609236
I've read on a blog that doing this has security concerns, but there were no further details about that.
blog link: http://www.drupalgardens.com/documentation/site-management/admin-theme
Do you have any details about the security implications of granting the permission "Access the administrative overlay" to anonymous users?
Drupal vulnerabilities
Hi!
In an idle moment I'm writing a scanner in Ruby that tells me the version and the vulnerabilities of a given Drupal site.
I'm turning to you to see if we can put together a shared list of insecure or not-recommended practices, so that my script can check for them and warn about them.
I don't know, off the top of my head, I think the files
CHANGELOG.txt, COPYRIGHT.txt, INSTALL.mysql.txt, etc. ...
should be deleted (a debatable opinion, I know). Can anyone think of any other ideas?
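As an added example (not code from the post above, nor from any Drupal project), here is how the check the poster describes could look in Ruby: probe the text files Drupal 7 ships in its web root, and when CHANGELOG.txt answers, read the core version from its first release heading and compare it with a release you name. The HTTP fetcher is injectable so the parsing runs offline; the sample site, its URL and its responses are constructed for the example.

```ruby
require 'net/http'
require 'uri'
require 'rubygems' # Gem::Version, used for the version comparison

# Text files Drupal 7 installs in the web root. Visitors never need them; each
# one that answers 200 confirms a Drupal install, and CHANGELOG.txt also gives
# the exact core version, which maps straight onto the published advisories.
DRUPAL7_ROOT_FILES = %w[
  CHANGELOG.txt COPYRIGHT.txt INSTALL.txt INSTALL.mysql.txt INSTALL.pgsql.txt
  INSTALL.sqlite.txt LICENSE.txt MAINTAINERS.txt UPGRADE.txt
].freeze

# CHANGELOG.txt lists releases newest first, each headed by a line such as
# "Drupal 7.15, 2012-08-01". Return the first version string found, or nil.
def version_from_changelog(text)
  m = text.match(/^Drupal (\d+\.\d+(?:-[a-z0-9]+)?), \d{4}-\d{2}-\d{2}/)
  m && m[1]
end

# GET base_url + path; return the body on 2xx, nil on anything else.
def http_fetch(base_url, path)
  res = Net::HTTP.get_response(URI.join(base_url, path))
  res.is_a?(Net::HTTPSuccess) ? res.body : nil
end

# Probe one site. `fetcher` takes (base_url, path) and returns a body or nil;
# it is a parameter so the logic can be run against canned responses.
def scan_drupal(base_url, fetcher: method(:http_fetch))
  bodies = {}
  DRUPAL7_ROOT_FILES.each do |f|
    body = fetcher.call(base_url, f)
    bodies[f] = body if body
  end
  changelog = bodies['CHANGELOG.txt']
  { exposed: bodies.keys, version: changelog && version_from_changelog(changelog) }
end

# True when the detected core version is older than `current` (e.g. "7.15").
def outdated?(version, current)
  Gem::Version.new(version) < Gem::Version.new(current)
end

# Constructed responses standing in for a real site (content is made up).
SAMPLE_SITE = {
  'CHANGELOG.txt' => "Drupal 7.14, 2012-05-02\n-----------------------\n" \
                     "- Fixed something.\n\nDrupal 7.13, 2012-05-02\n",
  'COPYRIGHT.txt' => "All Drupal code is Copyright 2001 - 2012 by the original authors.\n",
  'INSTALL.mysql.txt' => "CREATE THE MySQL DATABASE\n",
}.freeze

# Run the scanner against the constructed site, offline.
def scan_sample
  scan_drupal('http://example.test/', fetcher: ->(_base, path) { SAMPLE_SITE[path] })
end

if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  # Usage: ruby drupal_leftovers.rb http://site.example/
  result = scan_drupal(ARGV[0])
  puts "exposed files: #{result[:exposed].join(', ')}"
  puts "core version:  #{result[:version] || 'unknown'}"
end
```

Two things worth noting when turning this into a real scanner: a site that removed the files but still runs old core is only detectable by other fingerprints (the `misc/drupal.js` contents, `Generator` header, and so on), and a 200 for a file should be confirmed by checking that the body looks like the file rather than a custom 404 page served with the wrong status.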
How to Set Up "sites/default/files" Permissions Properly on Windows
Thanks for any help. I thought this would be the perfect place to ask my question.
My setup: Drupal 7.15 / IIS 7.5 / PHP5.3 / SQL Server 2008
I started receiving these crazy "Permission denied in drupal_unlink()" errors after an update from 7.13 to 7.14 (and then 7.15). At first, I focused on the permissions for the tmp directory. But after getting some assistance from Drupal's issue queue, I was able to pinpoint the problem as being related to the "sites/default/files" directory.
Nginx serving whole drupal directory - security risk?
Hello,
Preventing the BEAST attack
Hello,
I have a Debian server with openssl 0.9.8 and I'm trying to prevent the BEAST vulnerability, so far without success. I use Nessus to detect it...
If anyone knows how to resolve it, I'd appreciate your input!
Most sites say to allow only TLSv1.1 or 1.2, but with the OpenSSL version I have that isn't possible, as far as I know.
These are the URLs with the information I've looked at:
- Testing guide: https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
- Generic tools: http://www.pentesterscripting.com/discovery/ssl_tests
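As an added check (not part of the post above), the following Ruby reads the output of `openssl ciphers -v` and separates the suites BEAST can attack under TLS 1.0 or SSLv3 (block ciphers in CBC mode, which is what Nessus flags) from those it cannot (RC4, and the TLS 1.2-only AEAD suites). It also builds the cipher string that the 0.9.8-era workaround amounts to. Two caveats belong with it: TLS 1.1 and 1.2 support arrived in OpenSSL 1.0.1, so upgrading is the actual fix, and the RC4 that the workaround leaves behind has since been shown weak enough that RFC 7465 prohibits it in TLS. The sample output is constructed to resemble a 0.9.8 cipher list, and the server must also be told to honour its own cipher order (with Apache that is `SSLHonorCipherOrder on` next to `SSLCipherSuite`; the post does not say which web server is in use).

```ruby
# Classify the Enc= field of `openssl ciphers -v`. Anything that is not a stream
# cipher, an AEAD suite or NULL encryption is a CBC block cipher in OpenSSL's
# naming, and CBC under TLS 1.0/SSLv3 is exactly what BEAST needs.
def cipher_mode(enc)
  case enc
  when /\A(AESGCM|AESCCM|CHACHA20)/i then :aead   # TLS 1.2+ only, out of BEAST's reach
  when /\ARC4/i                      then :stream # no CBC, but RC4 is broken in its own right
  when /\ANone/i                     then :null   # no encryption at all
  else                                    :cbc
  end
end

# Parse one line such as
#   "AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1"
# Export suites end with a bare word "export", which has no '=' and is skipped.
def parse_cipher_line(line)
  name, proto, *rest = line.split
  return nil unless name && proto
  attrs = rest.select { |f| f.include?('=') }.map { |f| f.split('=', 2) }.to_h
  return nil unless attrs['Enc']
  { name: name, proto: proto, enc: attrs['Enc'], mac: attrs['Mac'],
    mode: cipher_mode(attrs['Enc']) }
end

def parse_cipher_list(text)
  text.lines.map { |l| parse_cipher_line(l) }.compact
end

# Split the list into suites BEAST can attack when TLS 1.0 is the best the
# server offers, and suites it cannot.
def beast_report(text)
  exposed, rest = parse_cipher_list(text).partition { |s| s[:mode] == :cbc }
  { exposed: exposed.map { |s| s[:name] }, not_exposed: rest.map { |s| s[:name] } }
end

# The 0.9.8-era stopgap: an OpenSSL cipher string with every CBC suite removed.
# On 0.9.8 that leaves only RC4, which is why this is a stopgap and not a fix.
def beast_stopgap_cipher_string(text)
  keep = parse_cipher_list(text).select { |s| %i[stream aead].include?(s[:mode]) }
  (keep.map { |s| s[:name] } + %w[!aNULL !eNULL !EXP]).join(':')
end

# Constructed sample resembling `openssl ciphers -v 'HIGH:MEDIUM'` on a 0.9.8 box.
SAMPLE_CIPHERS_V = <<~TXT
  DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
  AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
  DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
  AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
  DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
TXT

if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  # Usage: openssl ciphers -v 'ALL' | ruby beast_check.rb -
  text = ARGV[0] == '-' ? $stdin.read : File.read(ARGV[0])
  report = beast_report(text)
  puts "BEAST-exposed under TLS 1.0: #{report[:exposed].join(' ')}"
  puts "not exposed:                 #{report[:not_exposed].join(' ')}"
  puts "stopgap cipher string:       #{beast_stopgap_cipher_string(text)}"
end
```

Read the stopgap string as a statement of the problem rather than a solution: once the CBC suites are gone, a 0.9.8 server can only offer RC4, so a scanner that stops reporting BEAST will start reporting RC4 instead. The way out is OpenSSL 1.0.1 or later, at which point TLS 1.2 with AEAD suites makes the question moot.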
security docs update
There's a comment on the impersonating a user safely documentation page that says it needs to be updated. I'll admit I haven't tried this out and am unsure. Can anyone say whether this is the right way to do it?
It's probably worth doing a general review of all the security docs pages on a regular basis.
Some top level pages that people can review:
* Writing secure code
* Secure Configuration
We should review those top level pages and the sub-pages.
Response to Drupal 7.14 <= Full Path Disclosure Vulnerability
There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability"
As a response to this and the entire class of issues (that our error messages are optimized for usability over security), I've posted this FAQ entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)
Please help improve that page to provide any additional, useful guidance.
Edit: For search engines: This has now been assigned CVE-2012-2922.
Charging clients for when Drupal security updates cause incompatibility issues
(please note that I write this article as a business owner, not an experienced Drupal dev!)
Our company charges an annual fee for identifying and applying security updates/patches for the Drupal sites we've designed, built, host and maintain.
Security bugs: Bounties vs. Blackmarket
I just read this article on forbes: shopping for zero days which points out that bounties for bug reports are less valuable when the black market is willing to pay much more money for the issue.
Of course I hope that people will always report security issues to security@drupal.org and work with that process to fix issues; it's an interesting read nonetheless.
Seeking Drupal Developer for very part time work
I am looking to hire an independent contractor to help me with security updates to a few Drupal sites. This person should be very comfortable with backups and updates and be willing to work for about $45 an hour. Work will be sporadic; just a few times a year. Please contact Karen at karen@rainsongdesign.net if you are interested. thanks!


