Heine


About

This is my personal site. Whatever I find interesting may find its way here. Comments on this site are moderated. It may take a while for them to appear.

What's with all this 'Drupal' stuff?

Drupal is a great, free (GPL v2) content management system / content management framework. I've been involved with Drupal for about seven years now.

I (co-)maintained the following modules:

  • MyCaptcha - an easy to use math and image CAPTCHA implementation.
  • Comment mover - move comments to other posts, or convert comments to posts and vice versa.
  • Elements - provides a number of new form element types.
  • User badges - give roles or individual users a badge for display.
  • Comment upload - enable attachments on comments.
  • Taxonomy defaults - assign preselected or default terms to new posts.
  • Form store - provide other modules (e.g. Captcha) with a list of forms.
  • Form inspect - ease development using hook_form_alter by displaying form IDs and form structures.

I was the Drupal security team's technical lead from July 2006 until October 2011.

I found the following vulnerabilities in Drupal core:

  • SQL injection via Entity Reference autocomplete in Drupal 8 prerelease
  • Access bypass of token validation
  • Arbitrary PHP code execution and Information disclosure
  • Cross site scripting via Exceptions in Drupal 7 prerelease
  • Potential SQL injection weakness in Drupal 7 prerelease (2x)
  • Arbitrary code execution via comment previews
  • SQL injection via the numeric query placeholder %n
  • Reflected cross site scripting vulnerability in the Drupal 6 error handler
  • OpenID authentication bypass
  • OpenID association cross site request forgeries
  • File upload extensions not properly processed
  • BlogAPI access bypass
  • Cross site request forgeries on cacheable forms
  • Cross site request forgeries of uploads
  • Translated string deletion via cross site request forgeries

I found the following vulnerabilities in contributed modules:

  • Encrypt - Weak encryption (also reported by Chad DeGroot)
  • Secure Cookie Data - Cookie tampering due to incorrect hash compare
  • Arbitrary PHP code execution via CSRF in Views UI, CTools Page manager and derived modules
  • Context - Remote code execution / Access bypass
  • Login security - Multiple vulnerabilities (DoS also reported by dstol)
  • Bakery SSO access bypass (login as any user)
  • CKEditor and FCKeditor arbitrary PHP code execution and XSS
  • Drupad cross site request forgeries
  • Live preview cross site request forgeries (possible arbitrary code execution)
  • Private upload access bypass
  • Droptor SQL injection
  • Database administration cross site request forgeries
  • Aggregation vulnerabilities
  • Project & project issue file handling

Contact

I only provide free Drupal support on the Drupal.org forum or in the drupal channels on irc.freenode.net.

IRC Heine in #drupal on irc.freenode.net
Drupal Slack heine (not to be confused with the user "Heine" on Slack)
Twitter @Ustima

Recent posts

  • Teampassword manager's password generator is biased
  • Other vectors for SA-CORE-2014-005?
  • Lazy loading: hook_hook_info is for hook owners only.
  • "Always offline" problem in EA's Origin due to antivirus
  • From bug to exploit - Bakery SSO

Security reviews

I provide security reviews of custom code, contributed modules, themes and entire sites via LimoenGroen.

Contact us for a quote.


Copyright © 2021 by Heine Deelstra. All rights reserved.
