responsible disclosure

New module to help researchers identify valid SQL injection vulnerabilities

Posted by greggles

For anyone who runs a "responsible disclosure" program, you are probably used to getting reports of SQL injection that are not valid. SQL injection can be tough for an independent researcher to validate, because demonstrating it requires either a lot of time (to fingerprint the database structure and retrieve some secret), a damaging interaction (dropping some tables?), or both.

Detailed response to publicly posted CSRF concerns in Drupal 7.12

Posted by greggles

Several sources are publishing a supposed vulnerability in Drupal. One of them is the security site Packet Storm Security, whose post is attached here. This post is a response to that issue.

Summary

The Drupal Security Team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man in the Middle" attack or on sniffing software, both of which are outside the scope of Drupal and already present a much bigger risk on their own.
