security

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.
Posted by greggles

Detailed response to publicly posted CSRF concerns in Drupal 7.12

Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security and attached here. This post is a response to that issue.

Summary

The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal and presents a much bigger risk.

Posted by ruess

VPS Setup Tutorial for Drupal?

Hi all,

Posted by greggles

Videos and some slides from appsecusa online

The slides and videos from Appsec USA are now online: http://www.appsecusa.org/schedule.html#slides_video

Lots of them seem interesting. I'm currently watching the one on bounties (pdf and video).

Any others that seem interesting to you?

Posted by greggles

Should modules be marked "abandoned" if their releases are unpublished

When a module maintainer is not communicating/fixing a security issue in a timely manner the security team needs to communicate about the problem in the module to site owners.

  • We send an SA which gets picked up by rss readers and e-mail subscribers and twitter
  • We unpublish the module releases so that the update.module will notify site owners that support for a module in use on their site has been revoked, this then notifies them to visit the project page for more information so...
Posted by greggles

Statistics about the Drupal Security Team

Hello Security folks and marketers,

I'm collaborating with Jojo Toth (mogdesign) on a marketing piece about security in Drupal. It will mostly be about the process of handling an issue. We're trying to brainstorm what statistics we might want to use, but most of them end up seeming negative when you first look at them. For example, if we brag that we handled ~60 issues in 2011 then that looks like Drupal is insecure ("wow, 60 issues is a lot!") until you dig into the facts that this was across Drupal core and ~5,000 contributed projects.

Posted by Sivaji_Ganesh_Jojodae

Cross Site Scripting Security vulnerability in quiz

It came to our attention that the quiz module is vulnerable to a Cross Site Scripting attack. It has now been fixed and a release was rolled out with the necessary fixes. Upgrade your site to quiz version 6.x-4.3. See http://drupal.org/node/1336922 for details.

Posted by BarwonHack

Security - blocking Korean IP ranges

Just wondering if there is any specific approach to (additional) server security for Debian Squeeze BOA?

I want to block specific country IP ranges (eg: Nth Korean origin of root SSH log in attempt).

Additionally, any specific advice on non-BOA Debian installation and configuration options?

In addition to blocking certain country IP ranges that simply are not within my target audience, I am also looking at installing fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) for more dynamic protection.

Posted by shawn.palmer

Login Redirect

Need some help being pointed in the right direction.

I am working on a Continuing Education (CE) hours manager for a non-profit Association. The issue I am coming up with is that when a member completes a local workshop we are planning on handing them a business card with a QR code (URL encoded: http://URL/workshop/WORKSHOP_ID/UNIQUE_ID) as well as the workshop_ID, the Unique_ID and the name of the workshop for manual entry

Posted by james125

Security Scared

Received invite today. I'm a long-term gmail user but got scared while building my google+ "circles". This is a great user interface but I'm just not comfortable sharing my relationships with Google's core.

Since federal agencies can access these records without a warrant or notification, why should I make it easier for them? (Even though I am a law abiding citizen.)

Posted by brant

Updating OpenPublish - Best Practice Recommendations?

Looking for help understanding the best practices for keeping sites built with OpenPublish secure and up-to-date.
