Security

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.

Discuss security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On Twitter, see @drupalsecurity.

Posted by Bevan

Security vs core policy

One of the reasons Drupageddon's impact was so large was that it was so easy to exploit. PoCs show this, and quite possibly made it easier and faster for attackers to exploit, especially attackers not so familiar with Drupal. For example, just before the announcement, in Drupal 7.32's test code and its second-to-last commit: http://cgit.drupalcode.org/drupal/commit/?id=449c702.

Posted by Bevan

Time for an auto-patcher for Drupal?

The Sophos article on the Drupageddon followup PSA makes a solid argument for an auto-upgrading system built into Drupal, as an effective means to reduce the impact of things like Drupageddon.

WordPress already has such a thing. Drupal already has a self-upgrading system, but it is not automated or promoted as a useful tool for securing a website. It also doesn't support patching (though that might not be necessary).

Thoughts?

Posted by Bevan

Estimates of 12 million vulnerable websites

Estimates of 12 million vulnerable websites (Sophos, then BBC) are actually the result of reasonable deduction. I checked.

Posted by brad.curnow

Email spam generators (PHP) found amongst module files.

Hi All,

I recently received an email from my host (Arvixe) stating that they had disabled a script on one of my D7 sandbox sites due to large quantities of spam email emanating from there.

Upon investigation I found an encrypted PHP file called "sql91.php" in my modules/field/modules/options folder. I later discovered a second bogus file called "sraynr.php" in a different folder. Both of these files have been called from Russian IP addresses:

146.185.239.52
146.185.239.51

Posted by Bevan

Follow up Drupageddon responsibly

For most security advisories, announcing the vulnerability and fix is good enough. But Drupageddon is an exceptional SA; the Drupal community and its leadership need to communicate more clearly the severity of the impact of Drupageddon to owners and administrators of Drupal 7 websites, reaching out to them using every way we know how.

Posted by fejn

San Gabriel Valley Drupal Meetup in Pasadena at the Fuller Theological Society on Thursday, October 23, 2014

Start: 2014-10-23 18:00 - 20:00 America/Los_Angeles
Event type: User group meeting

We are having a special meeting in the San Gabriel Valley on the fourth Thursday, October 23, 2014.

Join us from 6-8pm at Fuller Theological Seminary, Glasser 110 on Thursday, October 23, 2014, for Drupal news and announcements, local job announcements, raffle prizes, community Q&A, lightning talks and full-length presentations.

You can join the video conference or go to https://zoom.us/join and enter meeting ID: 129 319 220

Posted by greggles

Should the Drupal Association (or someone else central) run a security bug bounty?

A conversation was started on twitter.

I have thoughts on this, but let's get the conversation rolling in a form that allows for more in-depth thoughts than 140 characters ;)

Some topics:

  • Experiences running a bug bounty program (security or otherwise, paid or otherwise, i.e. hall of fame counts too).
  • Experiences running a program paying for some work inside a mostly volunteer community
  • What do we hope to achieve with a paid security bug bounty program?
  • Do we think that's a reasonable goal?

Posted by greggles

What time should security releases happen? Can we pre-release? Can we work with WAF vendors?

In an ideal world, what is the best time for a security release to happen?

Sometimes the security team doesn't have control because a project maintainer commits and makes the release node at a specific time. We can, of course, try to make it more clear that they need to commit and make releases before a specific time.

And often there is some control.

So, in our ideal world, what time would people want it to be released?

Can we do something to pre-release in different parts of the world?

Posted by David_Rothstein

Drupal 7 core security release on Wednesday, October 15 (and release window for Drupal 6)

Start: 2014-10-15 (All day) America/New_York
Event type: Sprint

There will be a security release of Drupal 7 core on Wednesday, October 15.

Although we normally only announce security release windows (rather than definite plans for a release), this month we are confident that a release will happen, so please be prepared to update your Drupal 7 sites on Wednesday.

Posted by pwolanin

Slides from Drupalcon Amsterdam 2014: Cracking Drupal

Here are the slides from the talk by klausi and pwolanin.

Posted by greggles

Try to exploit Two Factor Authentication module (and maybe earn $) before we deploy TFA to drupal.org

Drupal.org hopes to deploy two-factor authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual. The Two Factor Authentication module for Drupal (tfa) was originally built by Growing Venture Solutions, has been dramatically enhanced to work for Acquia, and is being made “drupal.org-ready” with support from CARD.com.

Posted by phparchitect

Web Security Training

Start: 2014-09-22 20:00 - 2014-09-26 23:00 America/New_York
Event type: Training (free or commercial)

A crash course in Web & PHP Security practices that teaches you everything you need to know to begin protecting yourself from malicious users. This 10 hour live online instructor-led class covers the top security attacks, how to detect them, how to protect yourself from them, and how to recover if you are breached. It also covers PHP specific security topics such as best practices for protecting user sessions and handling user logins & passwords.

The class at a minimum will cover the following topics, and will always be updated with any up-to-date web security vulnerabilities that emerge:


Recommended TOTP clients for TFA deployment on drupal.org

There's an issue to deploy TFA on drupal.org. There will be a lot of questions about how people can generate TOTP codes. Let's write up a book page to help them. Please edit this wiki page to help turn it into a resource (e.g. a book page on d.o or help text inside the module).

There are multiple free and Free options for creating TOTP codes on a smartphone or computer such as:

Phone-based solutions:

Posted by mpdonadio

New module for developers to test for XSS vulnerabilities

I just pushed an initial commit for a module that can help module developers and site owners test for XSS vulnerabilities: https://www.drupal.org/sandbox/matthew.donadio/2319347

The module does a form alter to add two buttons to forms. The buttons will prefill inputs and textareas with simple XSS, <script>alert('XSS')</script>, for testing purposes. The actual alert message will contain the $form_id and the element name in the message.

Posted by greggles

New module to help researchers identify valid sql injection vulnerabilities

For anyone who runs a "responsible disclosure" program, you are probably used to getting reports of SQL injection that are not valid. SQL Injection can be tough for an independent researcher to validate because demonstrating it either requires a lot of time (to fingerprint the structure and get some secret) or a damaging interaction (dropping some tables?) or both.

Posted by mpdonadio

When is setting 'access callback' == TRUE in a hook_menu() item OK?

hook_menu has an item argument for 'access callback' which allows people to define permissions on a router path. Normally, paths have some sort of check on them, usually user_access + a permission, but sometimes a check specific to the path (cf. the node paths).

The API also allows "naked" menu items that don't have any access check. This is done by setting the 'access callback' key to TRUE. Mistakes with this can lead to access bypass problems.

I have seen it in two instances in the wild, but I am sure there are others.

Posted by andyg8

Are all Drupal 7.2x sites NON PCI compliant because of CVE-2011-2687, the node access bypass threat?

Hi team,

Sorry if this is in the wrong place, but extensive Googling couldn't find an answer.

We've just had a PCI compliance scan done by Trustwave, which says we need to fix CVE-2011-2687, node-access-bypass insecurity, which was fixed in Drupal 7.3. See: https://drupal.org/node/1204582.

But the last release of Drupal 7.3 was in 2011!

And Drupal.org home page says that 7.28 is the current release.

So does this mean every Drupal site in the world running the 7.2x branch, including 7.28, is not PCI compliant?

Posted by datarazor

What to do when honeypot is working overtime?

Hi folks, so I have a site with honeypot installed and it is doing a great job of blocking spam. The problem, though, is that the site is doing a lot of work to block these malicious bots, and it would be nice to ban them. Blocking their IP is useless since they come from all over the place. Is there anything that could be done to try and get the site less inundated with spending clicks processing fake users all the time?

Thanks,

Raz.

Posted by Sandip Choudhury

Extracting username and password of User 1

For example, I have built a website and given the Drupal files and database to someone to host on the server, but I am not willing to give them the username and password of user one. So, is it possible to hack the Drupal code and database to extract the username and password of user 1?

Or, I have forgotten the username and password of user 1 after creating the website. So, is it possible to get the details of user 1?

If possible, how?

Posted by greggles

Extending support for Drupal 6?

As many of you are likely aware, there's discussion at https://drupal.org/node/2136029 on the idea of extending the life of Drupal 6.

Dries would like a "decision" from the security team's perspective and I thought it would be good to ask folks who are outside of the team, but still interested in the topic of Security.
