Detailed response to publicly posted CSRF concerns in Drupal 7.12
Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security and attached here. This post is a response to that issue.
Summary
The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal and presents a much bigger risk.
Videos and some slides from appsecusa online
The slides and videos from Appsec USA are now online: http://www.appsecusa.org/schedule.html#slides_video
Lots of them seem interesting. I'm currently watching the one on bounties (pdf and video).
Any others that seem interesting to you?
Should modules be marked "abandoned" if their releases are unpublished?
When a module maintainer is not communicating/fixing a security issue in a timely manner, the security team needs to communicate about the problem in the module to site owners.
- We send an SA which gets picked up by RSS readers, e-mail subscribers and Twitter
- We unpublish the module releases so that the update.module will notify site owners that support for a module in use on their site has been revoked; this then notifies them to visit the project page for more information so...
Statistics about the Drupal Security Team
Hello Security folks and marketers,
I'm collaborating with Jojo Toth (mogdesign) on a marketing piece about security in Drupal. It will mostly be about the process of handling an issue. We're trying to brainstorm what statistics we might want to use, but most of them end up seeming negative when you first look at them. For example, if we brag that we handled ~60 issues in 2011 then that looks like Drupal is insecure ("wow, 60 issues is a lot!") until you dig into the facts that this was across Drupal core and ~5,000 contributed projects.
Cross Site Scripting security vulnerability in quiz
It came to our attention that the quiz module is vulnerable to a Cross Site Scripting attack. It has now been fixed and a release was rolled out with the necessary fixes. Upgrade your site to quiz version 6.x-4.3. See http://drupal.org/node/1336922 for details.
Security - blocking Korean IP ranges
Just wondering if there is any specific approach to (additional) server security for Debian Squeeze BOA?
I want to block specific country IP ranges (e.g. North Korean origin of root SSH login attempts).
Additionally, any specific advice on non-BOA Debian installation and configuration options?
In addition to blocking certain country IP ranges that simply are not within my target audience, I am also looking at installing fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) for more dynamic protection.
Login Redirect
Need some help being pointed in the right direction.
I am working on a Continuing Education (CE) hours manager for a non-profit Association. The issue I am coming up with is that when a member completes a local workshop, we are planning on handing them a business card with a QR code (URL encoded: http://URL/workshop/WORKSHOP_ID/UNIQUE_ID) as well as the workshop_ID, the Unique_ID and the name of the workshop for manual entry
Security Scared
Received invite today. I'm a long-term Gmail user but got scared while building my Google+ "circles". This is a great user interface but I'm just not comfortable sharing my relationships with Google's core.
Since federal agencies can access these records without a warrant or notification, why should I make it easier for them? (Even though I am a law abiding citizen.)
Updating OpenPublish - Best Practice Recommendations?
Looking for help understanding the best practices for keeping sites built with OpenPublish secure and up-to-date.