Bounties: What to do with a high impact Drupal vulnerability?
Heine Mon, 2012/06/11 - 10:31
The security landscape is changing. There's been on-and-off talk about bounties for security vulnerabilities, and some firms already buy vulnerabilities (SecuriTeam, ZDI). This also makes me re-evaluate the value of a vulnerability.
Suppose I've recently found an arbitrary code execution vulnerability that could very likely be exploited on a large fraction of 400K+ Drupal sites.
What do you think I should do with it?
For the comments: What's your opinion on a security vulnerability bounty program?
Update: I've reported the vulnerability via SecuriTeam. It has been fixed with the release of Drupal 7.16. See SA-CORE-2012-003 for details.
Homeopathy & Influenza during the 1918 pandemic - Opinion Feb 2012 Arts & Auto
Heine Sat, 2012/02/25 - 21:12
The Opinion column in Arts & Auto (Feb 2012), a publication of the Vereniging voor Arts, Kwakzalver & Auto (VvAA), refers to a publication by Dewey on the homeopathic treatment of influenza in 1918.
After some digging I found a copy and have attached it for those interested.
In doubt? Read the specs!
Heine Tue, 2011/03/29 - 23:54
Specifications should be a major part of the foundation we build on. Unfortunately, we're a bit loose in our adherence to specs (the writer is guilty too).
Although this was written earlier, I've decided to use it as a short illustration, for #1109854 - Overly aggressive transliteration in drupal_clean_css_identifier, of the difference between HTML and CSS with regard to 'allowed' characters.
Best to skip if you don't care about specifications ;)
About the Webform SA
Heine Mon, 2011/01/10 - 17:14
Today we released a security announcement about a Webform SQL injection vulnerability, outside of the normal Wednesday release schedule.
I chose to release today with a minimal fix instead of waiting until January 12th for a combination of reasons:
- The vulnerability was made public.
- The injection requires no permissions at all.
- High impact; easy uid 1 access.
- No other user interaction required.
- Webform was under high scrutiny last week due to the Geenstijl shockblog.
- We received news today that the hole was being actively exploited.
Had we waited longer, this combination could have turned out to be very damaging for a lot of Drupal sites.
Versions
To clear up any confusion regarding the affected supported branches: only Webform 6.x-3.x is affected. Users of Webform 6.x-3.x should upgrade to Webform 6.x-3.5.
The Webform 6.x-2.x versions are not affected by this vulnerability; as long as you use 6.x-2.8, 6.x-2.9 or 6.x-2.10 you're fine. Older releases of the Webform 6.x-2.x branch have different vulnerabilities that were already announced.
Webform for Drupal 5.x and the 7.x betas are not supported by the security team.
Unserializing user-supplied data, a bad idea
Heine Wed, 2010/08/25 - 20:59
Apart from PHP bugs and denial-of-service attacks, there's another reason why calling unserialize on user-supplied data (cookies, hidden form fields) is a bad idea.
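As an added illustration (not code from the original post, and not Drupal's own code) of the point above, the following PHP shows what unserialize() does with a cookie an attacker controls, and two ways to avoid it. The ReportCache class, the cookie value and the secret are constructed for the example; the behaviour of unserialize(), json_decode(), hash_hmac(), hash_equals() and the allowed_classes option is standard PHP.

```php
<?php
// Added example, not part of the original post. Class name, cookie
// value and secret are made up for illustration.

class ReportCache {
    public $path = '/tmp/report.html';
    // Magic methods such as __wakeup() and __destruct() run automatically
    // for whatever class name appears in the serialized payload, even if
    // the application never intended that class to be built from a cookie.
    public function __wakeup() {
        echo "ReportCache::__wakeup() ran with path {$this->path}\n";
    }
}

// Constructed cookie value: the client can send any string it likes here.
$attackerCookie = 'O:11:"ReportCache":1:{s:4:"path";s:9:"/tmp/evil";}';

// Unsafe: the code expected an array of preferences, but unserialize()
// builds a ReportCache object and runs its __wakeup() before the
// application gets a chance to inspect the result.
$unsafe = unserialize($attackerCookie);
var_dump($unsafe instanceof ReportCache);

// Safer alternative 1: use a data format that cannot name PHP classes.
$prefsJson = json_encode(['theme' => 'dark', 'per_page' => 20]);
$prefs = json_decode($prefsJson, true);
var_dump($prefs);

// Safer alternative 2, when serialize() output really is needed:
// authenticate the blob with an HMAC under a server-side secret so the
// client cannot modify it, and refuse class instantiation anyway.
const SECRET = 'replace-with-a-random-server-side-secret';

function seal(array $data): string {
    $blob = serialize($data);
    return hash_hmac('sha256', $blob, SECRET) . '.' . base64_encode($blob);
}

function unseal(string $cookie): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $blob = base64_decode($b64, true);
    if ($blob === false) {
        return null;
    }
    // Constant-time comparison; check the MAC before touching the blob.
    if (!hash_equals(hash_hmac('sha256', $blob, SECRET), $mac)) {
        return null;
    }
    // allowed_classes => false (PHP 7.0+) turns any object in the payload
    // into __PHP_Incomplete_Class, so no real class's magic methods run.
    $data = unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

$sealed = seal(['theme' => 'dark']);
var_dump(unseal($sealed));          // the original array comes back
var_dump(unseal($attackerCookie));  // null: no valid MAC, never unserialized
```

The first var_dump shows that the untrusted string produced a real ReportCache object. The sealed version only reaches unserialize() after the HMAC check passes, and even then the allowed_classes option keeps objects from being instantiated; on PHP older than 7.0 that option does not exist, which is one more reason to prefer json_decode() for client-held state.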
