Home

drupal

Drupal security watch, 2008

Thu, 10/09/2008 - 20:19 — Dave Keays

This list keeps track of recent security measures in Drupal. The information is distilled from Security Announcements.

Drupal security - Ajax Sessions module

Fri, 05/29/2009 - 21:01 — Dave Keays

This time the focus is on the Ajax Session module which should be removed from all Drupal installations.

If anybody noticed, I'm not writing regular updates about Drupal security like I did last year. If you keep your installed core, modules, and themes up to date then 90% of my 2008 posts will be redundant. Now I'm just writing about issues that go beyond keeping things up to date. For example; modules that should be avoided. Programming practices that can be dangerous.

Drupal gets lessons from Rain Forest Puppy

Sun, 04/12/2009 - 14:37 — Dave Keays

In early 2000's a hacker that goes by the pseudonym "Rain Forest Puppy" (RFP) broke into the bulletin board system for the security advisory group PacketStorm. He got administrative rights and stole about 800 passwords. There is a lot that the Drupal community can learn from RFP's attack.

Drupal Security Announcements, December 2008

Wed, 12/03/2008 - 21:52 — Dave Keays

SA-2008-072
The storm project allows users with access to the storm project to enter data that has not been properly sanitized.

Versions Affected

  • Drupal 5; anything prior to 5.x-1.14
  • Drupal 6; anything prior to 6.x-1.18

SA-2008-073
There is a CSRF int the Drupal core which may allow someone to rerun old updates which will impact the database.
Also note that the robots.txt and .htaccess files have changed and need to be replaced with the new kernel.

Security Announcements for November 2008

Thu, 11/27/2008 - 03:32 — Dave Keays
  • SA-2008-071 - USER KARMA
    There is an SQL injection and a CSS (cross-site-scripting) prior to 5.x-1.13 and 6.x-1.0 that could give a user control over an SQL database and user cookies.

    • SA-2008-070 - COMMENT MAIL
    There is a CSRF (cross-site-request-forgery) in Comment Mail for Drupal 5.x prior to 5.x-1.1 that allows end-users to administer permissions and ban IP addresses, deny a comment, or approve one.

    Security Announcements for October 2008

    Thu, 10/09/2008 - 19:28 — Dave Keays

    October 2008 has not been a kind month for Drupal. In addition to a 3rd party module needing to be updated, there have been modules banned because of multiple vulnerabilities, many problems with people updating modules wrong in Drupal 6, and several problems with the core that requires the Drupal core to be updated itself.

    Drupal SA's for September 2008

    Wed, 09/24/2008 - 06:02 — Dave Keays

    There have been 5 Drupal security announcements for September 2008 about 3rd party modules with Cross-Site-Scripting vulnerabilities in them.

    injection defense in Drupal

    Wed, 07/02/2008 - 02:45 — Dave Keays

    Drupal CSS security

    In May 2008, ubercart 1.0 was released and security vulnerabilities were patched. With 80% of all attacks today involving injection attacks like XSS and SQL injection we developers need to learn how to handle them. I put together this summary of the fixes and a cheat sheet of ways to cleanse data.

    Syndicate content