security

jchin1968's picture

One-Time Password (OTP) Module

Hello. I'm thinking of developing a "poor man's" one-time password (OTP) module. I call it a poor man's OTP since it will not require the purchase of a hardware key fob for generating passwords and the one-time passwords will be emailed to a mobile phone using a secure SMTP server rather than an SMS gateway, which usually incurs a fee.

pfortuna's picture

Security Alert: Drupal Context module

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

dilvish's picture

I would like to attend security training on building Drupal-based websites for the federal government (i.e., FISMA compliance):

Yes, and I would be willing to pay for this training
0% (0 votes)
Yes, but it needs to be free or almost free
100% (5 votes)
Maybe, depends on the content
0% (0 votes)
No, not interested
0% (0 votes)
Total votes: 5
greggles's picture

Announcing Drupal Security Report

Ben and I are happy to have just launched http://drupalsecurityreport.org/

After several months of working on this project the paper has reached 1.0 status.

Of course it wouldn't have been possible without the support of many sponsors and reviewers:

irakli's picture

Views Vulnerability, Immediate Update Required.

Drupal.org has issued a security advisory about a Views vulnerability today: http://drupal.org/node/765022

Immediate update is required for all OpenPublish versions.

rjbrown99's picture

Adobe Flash / User contributed content vulnerability

So - has anyone else had a chance to look at the Adobe Flash vulnerability?

http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_site...

It would appear that there is no easy way to handle it short of their suggestion to serve back all user-supplied content from a different domain. I can't see any logical way to accomplish that via Drupal considering the wide range of site sizes and complexities.

christefano's picture

Mac users: what do you use to create password-protected zip archives?

A client wanted to send over some confidential information and was wondering how to password-protect a zip file. Incredibly, I couldn't find any graphical zip archive utilities for OS X that encrypt files, work in Snow Leopard and are free. 7zX claims to do this but it has some scary user-submitted reviews. Zippist looks promising but it doesn't seem to work in Snow Leopard. I actually use Path Finder or the command line for this, but it's unreasonable to ask most clients to do the same.

R.J. Steinert's picture

SSL officially insecure?

A zero-day flaw in the TLS and SSL protocols has been made public and man-in-the-middle attacks have been demonstrated. I caught wind of this off of ZDnet.

http://news.zdnet.co.uk/security/0,1000000189,39860592,00.htm

Thoughts?

WebmistressM's picture

120+ Security Based Modules? Really?

I have to admit, I'm overwhelmed about the amount of Drupal modules created that deal with security. It seems many are for keeping specific module types from doing insecure things or providing holes in security. So, what about a basic install with Views, CCK, Pathauto, Forums, Blogs, and little else. What are the most useful security modules out there?

-overwhelmed by modules
Mary

ilo's picture

Login Security for Drupal 6 1.0 release is out

It took some time, but finally the 6.x-1.0 version of Login Security module is out. For a brief introduction to the module features please go to the module documentation. The README file included in the module explains the different options for the module settings and a configuration example.

Hope you enjoy the module!
