Heine

To get Clean URLs working on IIS 7, install the new URL rewriter module (x86, x64) and add the following to the system.webServer section of the sites' web.config:

Update September 24, 2008 - Added a link to CVE-2008-3661 and "Fun Snags with Drupal Cookies"

Security theater consists of security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

A quite popular activity among Drupal site owners and extension developers (drupal, firefox) is to make sure certain page requests happen over a secure HTTPS connection, whereas the majority of requests is still done over an unencrypted HTTP connection. User logins are typically the target of this effort.

Now, unless your really value your password (because you happen to be Ben Bernanke and use the same password for the documents holding the future interest rate), this is only going to give you a false sense of security. I know, it is still a very warm and comfy feeling, but it won't be so comforting when some clown sees Mike Perry's presentation and takes away your site.

Every year Drupal tends to end up in a few Top 10s, making us happy and proud. The latest Top 10 we appear in is not something to gloat over however: The Top 10 vendors with the Most Vulnerability Disclosures (source: X-Force 2008 Mid-Year Trend Statistics). We are number 8, just after Cisco (7) and just before Wordpress (9) with being responsible for 1.2% of all tracked disclosures.

It is surely not my intend to discuss each and every security announcement, but the recent Live announcement (SA-2008-021) deserves to get some attention as this particular drupal_access_denied &

In a desperate attempt to balance my karma at the end of the year, a small public service post about the most popular way to make your site insecure. This is aimed at website administrators and developers. There will be no code (promise).

A code construct that surprisingly survived for a long time since the initial 4.7 release is still haunting us. I'm talking about the use of confirmation forms, limping behind the times, ever since the rise of the glorious Form API (ahem). Let's see to it that this coelocanthian code becomes extinct in the next few months.

Though it's not so much the confirmation forms, as it is the way confirm_form is used: