Flex and Services security
I'm using Flex to build cross-domain widgets that can be embedded on any domain. These widgets consume data via Services and AMFPHP. Unfortunately, I've been notified that my site is now vulnerable to attacks because I have a liberal crossdomain.xml policy file that allows connections from any domain.
Request For Comment (RFC): User Reports Module
I'm excited about building a module that, if designed properly, would be useful to others. I see how it might be useful for the development of a human resources department for personnel reviews and really any place where reports or static documents pass from one party to another.
I am building a community site based around an organization. We produce custom reports for many of the community members and provide them through a very simple and custom php app on our website. I want to move this to drupal to take advantage of the other powers to build community, as well as flexibility to improve access to these reports for archive purposes.
This has been floating around in my head for several months, but I've not developed a drupal module before so I crave review, comment and even participation.
OAuth and Security
One issue with the Services API is its weak implementation of API keys. Although it does work, it could be better. It is probably worth it to investigate OAuth, an open protocol to "allow secure API authentication in a simple and standard method from desktop and web applications". Some of you got the chance to see Boris' talk on this in Boston at Drupalcon, any thoughts? How would it affect Services?
Drupal and security
I have been trying to convince a friend who runs a small business with a very static website to switch to Drupal. His impression - and he got the same thing when he asked a friend about it - is that anything which is open source can't be all that secure, because people have access to the source code. I told him that access to the code isn't so important as encryption, but had to admit it isn't my area of expertise.
What about Services security?
Hi!
(Unfortunately I couldn't find any information about the subject so I've decided to ask the group members whether they can help.)
I'm creating a flex application using Drupal, Services and AMFPHP. The whole bunch is looking good, but I've a small problem with the security. It is OK to require API KEY and SESSION ID from each request to gain security, but.
My problem is, AFAIK, I can save a node without the right permission.
My Landscaping Ideas Passion and Drupal
Hi to all! I'm using Drupal 4.7.X platform on one of the landscaping ideas sites as a gardening tips section (actually, I like the easiness of using Drupal to add small articles to this section). I saw 5.2 is now available where some problems are fixed concerning security vulnerabilities.
Is it still OK if I use 4.7 or upgrading is needed?
Mike
Improved security in the login
Honestly I'm the one hating cross posts, but I know it will be lost in the drupal's forum torrent of help request posts, so I decided to introduce again in a more suitable place, this community group. Sorry for the inconvenience! :D
I've developed a little module (5.X version of drupal ONLY) to control and disrupt the login operation on certain situations, improving the site security with new options.
You can find the module here:
http://www.drupal.org/project/login_security
I've included the readme.txt of the module in the post so you can read it without downloading.
Ahah Forms v1.5 - Secure Dynamic Subforms
At the Drupal Summit, chx & eaton let me know that avoiding the FormAPI security by directly accessing $_POST was a bad idea. So I dropped the slide out of my presentation that talked about how to create dynamic subforms, and spent the last two weeks hacking like mad. I now have an approach that I believe combines convenience and security. It is packaged up in Ahah Forms v1.5 as the dynamic_subform.module. It uses the same basic algorithm as drupal_get_form when #multistep is true (but is incompatible with #multistep, so don't try to use both of them).
I have a full write up at: Secure Dynamic Forms and Subforms, but here is an example of the functions in use:
Details on Open Wall Linux (OWL) and a follow up on identity
Last night I mentioned that our servers run Open Wall Linux. This morning I saw this blog post from our System Administrator, my partner and Identity Expert Fen Labalme. Here is more information on OWL.
And while I am posting, Fen recently posted this about OpenID.
New system for releasing Drupal contributions
Cross-posting from http://drupal.org/node/77562 ...
We've seen explosive growth in 2005 and 2006 based on the ability for Drupal sites to rapidly deploy new features that meet real world customer needs, not just fulfill technical requirements. This project aims to increase consultants' and site administrators' ability to effectively manage releases, security, versioning, issue tracking, and feature deployment into customer ready production environments. By directly improving the Drupal.org release and project management infrastructure we will speed up the life cycle for meeting customer and user requirements and ultimately improve the ability to manage Drupal web sites. Donating to this effort (via the PayPal link on the full proposal) provides funding to accelerate volunteer contributions the Drupal.org project maintainers have made over the past 8 months.
Overview
- Contributions will have real releases and version strings, just like Drupal core itself
- Security announcements will refer to exact versions of modules that are affected
- Issues will be tracked by the exact version number of the contribution where the bug is present
- Development branches for any given version of the Drupal core -- maintainers can add new features to their module or theme without endangering the stability of other code that is compatible with the same version of Drupal core.
- All contributions will be clearly identified with the version of Drupal core they are compatible with
For the rest of the proposal, please see the full post on drupal.org.