This list keeps track of recent security measures in Drupal. The information is distilled from Security Announcements.
According to a report published in "Network World", the biggest vectors for web hacking in 2009 were social networks, SQL injection, cross-site scripting, authentication abuse, and cross-domain request forgery.
The concern about social networks is something I've written about before. I use Twitter to announce my money-making projects, LinkedIn to outline my professional achievements, and Facebook to socialize with others. However, I do not tweet my intimate thoughts, put a detailed resume on LinkedIn, or reveal anything too personal on my FB wall.
In January there was a big attack against Google that apparently used a flaw in Internet Explorer; the attack got the name "Aurora".
This time the focus is on the Ajax Session module which should be removed from all Drupal installations.
If anybody noticed, I'm not writing regular updates about Drupal security like I did last year. If you keep your installed core, modules, and themes up to date, then 90% of my 2008 posts will be redundant. Now I'm just writing about issues that go beyond keeping things up to date: for example, modules that should be avoided and programming practices that can be dangerous.
I've been fascinated for years with paintings or prints that confuse the eye. But I always assumed that for this to work correctly, the image must be analog. Today's higher resolutions seem to have altered that.
Here is a series of Flash animations that shows different ways that what is perceived by the eye can be affected by its neighbors.
In the early 2000s a hacker who goes by the pseudonym "Rain Forest Puppy" (RFP) broke into the bulletin board system of the security advisory group PacketStorm. He gained administrative rights and stole about 800 passwords. There is a lot that the Drupal community can learn from RFP's attack.
SA-2008-072
The Storm module allows users with access to a Storm project to enter data that has not been properly sanitized.
Versions Affected
SA-2008-073
There is a CSRF in Drupal core which may allow someone to rerun old updates, which will impact the database.
Also note that the robots.txt and .htaccess files have changed and need to be replaced along with the new core.
SA-2008-070 - COMMENT MAIL
There is a CSRF (cross-site request forgery) vulnerability in Comment Mail for Drupal 5.x prior to 5.x-1.1 that allows end users to administer permissions and ban IP addresses, deny a comment, or approve one.
October 2008 has not been a kind month for Drupal. In addition to a third-party module needing to be updated, there have been modules banned because of multiple vulnerabilities, many problems with people updating modules incorrectly in Drupal 6, and several problems with the core that require Drupal core itself to be updated.
I am having problems with Roles and Permissions. There is a node that can be edited when the user has one role, but not when a role with the same permissions is used.