Articles

Your Drupal site pretending to be another?

Drupal 7 added a new feature to core that is not directly user facing but is sometimes called poor man's cron. The feature triggers the periodic tasks of a Drupal site, such as emptying log files, sending e-mails, and clearing out caches. When combined with dynamic detection of the "base url" (added in Drupal 4.7), this feature can lead to some screwy situations.

Best practices for Drupal permissions

Drupal has a rich and extensible role and permissions system. I've heard complaints from "everyday site builders" that there are too many permissions and from large government organizations that the permissions aren't granular enough, so you know we're doing something right. But there are some common mistakes and associated best practices to consider when working with the system.

The dangers of 3rd party libraries in Drupal sites

Many, many Drupal modules leverage third party code; examples include plupload and ckeditor. Those libraries ship a lot of their own code, either as examples of how to work with the library or for integration with other applications.

I chose those specific examples because they include XSS vulnerabilities.

Introduction to Cross Site Request Forgery (CSRF)

Cross Site Request Forgeries are a relatively common problem in web applications. Applications that involve JavaScript/Ajax in particular are more likely to be vulnerable to CSRF.

List of Security Compliance/Regulations standards by Industry

There are basically two reasons to think about security for your website: because you feel it's important, and because industry regulations force you to think about it. The following list, broken down by industry and site type, shows which kinds of security issues and regulations you should consider when planning your site.

Drupal Solutions to Mime Type Detection XSS

This article presents an overview of two methods to solve a cross site scripting problem that affects older versions of Safari and Internet Explorer versions 8 and below (to varying degrees). If you are unfamiliar with XSS or how bad it is, please first read Introduction to Cross Site Scripting (XSS) and Drupal.

Introduction to Cross Site Scripting (XSS) and Drupal

This article provides an introduction to Cross Site Scripting in Drupal.

Drupal XSS Example: Change user's password

Below is a version of the code originally written by Heine Deelstra, updated for Cracking Drupal, and now updated again for Drupal 7.

Hiding the fact your site runs Drupal OR Fingerprinting a Drupal Site

I often see questions about how someone can "hide the fact that their site runs Drupal" or "remove the meta Generator header." People often want to do this because they feel it will make their site more secure: if the attacker doesn't know I'm running Drupal then they will have one less piece of data about what attack methods might work. People say that an automated attack script that detects Drupal sites might not find me and therefore might not attack me.

What are Full Disclosure and Responsible Disclosure

A debate has been going on for basically as long as software has existed: for security bugs, is it better to follow Full Disclosure or Responsible Disclosure?

A great article on the topic comes from Bruce Schneier's Crypto-Gram, way back in 2001.
