Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.
On Twitter, see @drupalsecurity.
Two-factor authentication in Drupal and on drupal.org?
Hello,
Many of you are probably interested in multi-factor authentication solutions for your own site or for drupal.org.
There's been a comparison of modules available for a while, but I think now that the combination of tfa and tfa_basic makes a really compelling combination.
There's also an issue about deploying two-factor auth on drupal.org.
Take the security team tools survey
Hi everyone,
The Drupal Security Team is updating its security issue reporting tools to Drupal 7. We also need your help to improve our reporting workflow and make it easy to report and track security issues.
Please help us out by taking our survey: http://ow.ly/uqAHz
This survey should take between 5 and 10 minutes to complete. It is on 2 pages.
Interested in analysing past security vulnerabilities by type
I have read the Drupal security white paper v1.2 which contains some insightful analysis of historical security vulnerabilities by type over the last 6 years.
I would be interested in generating my own analysis of Drupal security vulnerabilities by type over the last 12 months.
Can someone point me at a good source of data in a format that is reasonably easy to analyse?
Thanks for your help!
Put "Site off-line" - would this be safe for getting hacked?
All my domains were earlier hacked which I describe in this post https://drupal.org/node/2153055.
I have now uploaded one OLD site, but without the hacked files, and need to update this, but not just now. Maybe a stupid question, but if I take the site off-line, will it then be impossible for hackers to attack this site, because they can't see that it's an old version and the other info which hackers go for?
Edited 10:25: And is it also safe to use Devel module online when the site is put off-line?
node/add - what's the deal?
Hi to all,
I have a site that is constantly being probed with node/add (request denied). Registration requires email verification and includes a CAPTCHA. These node/add requests come from both registered and unregistered users. There are at least 20 new registrations a day (I keep blocking their IP addresses) and just as many or more probes. It's been going on for a month now. Can anyone explain to me the logic and intentions behind this?
Thanks
Explaining to Client Vulnerability of a Form Not Protected by https/SSL
Hi Folks,
I want to accurately describe to a client the vulnerability of a form collecting data over http.
I understand that over unprotected wifi a person could "listen" and grab data passing from someone submitting info to the form.
What I don't know is how hard it is for someone to "sit" on a particular form and collect data being submitted to the form from people who do share a network connection with the person trying to steal the information.
Thanks,
Shai
Response to CVE-2014-1607: a purported XSS vulnerability in Event Calendar
CVE-2014-1607 claims to be a vulnerability in Drupal 7.14 and probably newer versions.
We were unable to reproduce the issue on a fresh Drupal 7.x-dev installation with Event Calendar 7.x-1.4, the latest release.
Hosted WAF Solutions Specific to Drupal
Are there any hosted WAF (Web Application Firewall) solutions available that work best with Drupal? The site we have in mind for use in this scenario is a simple content-driven site.
QSA company recommendations to provide PCI compliance auditing services
Hello,
I'm looking to see if anyone has any recommendations for qualified security assessor companies to perform a PCI audit for a hosting infrastructure and Drupal application. The PCI security council lists 321 such companies so I'd like to narrow it down to a few that folks have had a good experience with so I can get some quotes.
Thanks in advance.
Phillip
Drupal SA on uncontrolled PHP execution
There's a Drupal core security advisory just released that talks about uncontrolled PHP execution. Here are some remarks.
- If you're using the config available on the Nginx wiki, you're vulnerable. That config has a catch-all location for handling PHP script execution:
  location ~ \.php$ {...}
- If you're using any of the configs recommended on the Nginx group (https://groups.drupal.org/nginx), you're safe.
Building a Collaborative Best Practice Security Document
We recently wrote a security best practices document for a government client. We wanted to distribute this more widely because security is a complex issue that so many organizations seem to get wrong. In government this is often because they are working in isolation and haven't been able to keep up with the rapid changes in IT security.
Fake users still appearing even after captcha and patching
Hi there,
Wondering what else I should check on my site.
D6 site, all latest security patches. Have captcha module enabled.
Cleaned out the site of dummy users but I am still getting them to appear on the site. Along with fake comments.
Both user registration and posting comments require a captcha image verification, but somehow they are still appearing.
What other security methods should I be looking at, or other forms of vulnerabilities that I need to check, to see why they are still being made?
Mp3Player Module resurrection
Team
I am trying to get the mp3 player module back from the dead. I've been working with @greggles to address some issues and he recommended I post here to get a module review so I can a) gain maintainer status and b) bring the module back to life. To address the security concerns I have done a few things:
1) I have moved the external swf to the libraries folder so it's not part of the module and can be updated outside of the module.
2) Filtered the themed output so adding malicious scripts in the input fails.
3) Filtered form input for further protection.
Which version of PHP are you running Drupal on today? (Summer 2013)
Strange message on update script, possible hack
Forgive if this is the wrong place to ask this question, but I am trying to determine what is wrong with a site I maintain.
When attempting to run an update script, I got this message:
Using a Drupal 6 instance as an application
Hi
Long Term Support (LTS) BoF at DrupalCon Portland
Exaltation of Larks is hosting a BoF (birds of a feather) discussion on long-term Drupal support (particularly for Drupal 6 sites when Drupal 8 comes out and bug fixes and security releases for Drupal 6 are discontinued).
Long Term Support is a topic that is near and dear to us and a number of our clients, and this BoF is a follow-up to our earlier post, Drupal 6 End of Life When Drupal 8 is Released… Or Not.
We're also preparing an "LTS" version of Drupal 6 and have a lot more planned. Stay tuned to the DrupalCon BoF schedule and @LarksLA on Twitter for news of when this BoF gets scheduled.
Collaboration between Symfony security team and Drupal security team
This topic has come up in the past at some events, within the security team and on drupal.org. Symfony project founder Fabien Potencier posted a proposal for dealing with downstream projects (such as Drupal) at
https://github.com/symfony/symfony-docs/pull/2639/files
This agreement will have an impact on how efficiently and how quickly the Drupal security team can work with the Symfony security team to coordinate security releases in a timely manner. Let's discuss this on GitHub so Symfony and the other projects can be kept in the loop.
What should we do with Linux/Cdorked.A malware?
I've seen this post today:
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-a...
It looks like something went terribly wrong.
What should we do with our servers and Drupal installations?
DrupalCon Security Training - Web security risks, discovery and remediation
As part of DrupalCon Portland, join Ben Jeavons, Cash Williams and David Stoline from Acquia for a full-day, hands-on training about all things Drupal and security.
What you will learn