Heine

  • Home
  • Drupal
  • About
Home

Planet Drupal

Security theater #1 - Using SSL for login

Heine —Fri, 2008/08/22 - 17:56

Update September 24, 2008 - Added a link to CVE-2008-3661 and "Fun Snags with Drupal Cookies"

Security theater consists of security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

A quite popular activity among Drupal site owners and extension developers (drupal, firefox) is to make sure certain page requests happen over a secure HTTPS connection, whereas the majority of requests is still done over an unencrypted HTTP connection. User logins are typically the target of this effort.

Now, unless your really value your password (because you happen to be Ben Bernanke and use the same password for the documents holding the future interest rate), this is only going to give you a false sense of security. I know, it is still a very warm and comfy feeling, but it won't be so comforting when some clown sees Mike Perry's presentation and takes away your site.

  • Drupal
  • Security
  • Planet Drupal
  • Read more about Security theater #1 - Using SSL for login
  • 1 comment

# 8 on the Vendors with Most Vulnerability Disclosures list

Heine —Tue, 2008/07/29 - 17:45

Every year Drupal tends to end up in a few Top 10s, making us happy and proud. The latest Top 10 we appear in is not something to gloat over however: The Top 10 vendors with the Most Vulnerability Disclosures (source: X-Force 2008 Mid-Year Trend Statistics). We are number 8, just after Cisco (7) and just before Wordpress (9) with being responsible for 1.2% of all tracked disclosures.

  • Drupal
  • Security
  • Planet Drupal
  • Read more about # 8 on the Vendors with Most Vulnerability Disclosures list
  • 13 comments

Access denied - Are you sure?

Heine —Fri, 2008/03/21 - 05:23

It is surely not my intend to discuss each and every security announcement, but the recent Live announcement (SA-2008-021) deserves to get some attention as this particular drupal_access_denied &

  • Drupal
  • Security
  • Planet Drupal
  • Pitfalls
  • Read more about Access denied - Are you sure?
  • 6 comments

Input formats - the quickest way to make your site insecure

Heine —Sun, 2007/12/30 - 23:15

In a desperate attempt to balance my karma at the end of the year, a small public service post about the most popular way to make your site insecure. This is aimed at website administrators and developers. There will be no code (promise).

  • Drupal
  • Security
  • Planet Drupal
  • Input Format
  • Read more about Input formats - the quickest way to make your site insecure
  • 14 comments

Security: A $_POST from the past

Heine —Mon, 2007/12/03 - 10:16

A code construct that surprisingly survived for a long time since the initial 4.7 release is still haunting us. I'm talking about the use of confirmation forms, limping behind the times, ever since the rise of the glorious Form API (ahem). Let's see to it that this coelocanthian code becomes extinct in the next few months.

Though it's not so much the confirmation forms, as it is the way confirm_form is used:

  • Drupal
  • Security
  • Planet Drupal
  • Read more about Security: A $_POST from the past

Six tips to get help with your code

Heine —Mon, 2007/11/19 - 07:10

Six tips for getting help with your code, because efficient use of volunteer time is key in getting good and timely support. While this is somewhat geared towards Drupal support on the Drupal.org forum and in the #drupal IRC channel, the tips apply to nearly all code you need help with.

  1. Post code.
  2. State the goal and the problem.
  3. Post actual code.
  4. Make it short, make it matter.
  5. Make it complete.
  6. Make it readable.
  • Drupal
  • Planet Drupal
  • Support
  • Read more about Six tips to get help with your code

Keeping an eye on Drupal core

Heine —Mon, 2007/07/30 - 00:56

To more efficiently review code changes in Drupal I've decided to write a little bot that regularly reads the RSS feed of Drupal core commits. It then downloads the referenced patches and creates new content on this site (example) under the category Drupal Core.

As this is a taxonomy term, it comes with the Drupal benefit (tm) of an RSS feed, I now use to quickly review commits to core.

  • Drupal
  • Planet Drupal
  • Read more about Keeping an eye on Drupal core
  • 1 comment

IN (%s); a security vulnerability waiting to happen

Heine —Tue, 2007/06/19 - 00:14

I've written before about (ab)using %s in IN clauses such as:

  • Drupal
  • Security
  • Planet Drupal
  • Read more about IN (%s); a security vulnerability waiting to happen
  • 1 comment

Do a quick security review when porting your module

Heine —Thu, 2007/02/22 - 08:48

Adapted from a mail I sent to the Drupal development list.

Porting a module is an excellent opportunity to keep an eye out for security problems (evidence: DRUPAL-SA-2006-031). Here's a quick security reminder regarding input (user-supplied data). Code samples are only included to make a point, do not hold them against me.

  • Drupal
  • Security
  • Planet Drupal
  • Read more about Do a quick security review when porting your module

Gain administrator privileges via an XSS vulnerability in Recipe

Heine —Tue, 2007/02/20 - 22:53

For those with the tendency to downplay cross site scripting (XSS) vulnerabilities, a small videocast on how a vulnerability in the contributed module Recipe can get an attacker administrator access to a Drupal site. The vulnerability was fixed with DRUPAL-SA-2006-014 a long time ago, so I feel it's safe to publish the video now.

» Videocast.

  • Drupal
  • Security
  • Planet Drupal
  • bug2exploit
  • Read more about Gain administrator privileges via an XSS vulnerability in Recipe

Pages

  • « first
  • ‹ previous
  • 1
  • 2
  • 3
Subscribe to Planet Drupal

Recent posts

  • Teampassword manager's password generator is biased
  • Other vectors for SA-CORE-2014-005?
  • Lazy loading: hook_hook_info is for hook owners only.
  • "Always offline" problem in EA's Origin due to antivirus
  • From bug to exploit - Bakery SSO
more

Security reviews

I provide security reviews of custom code, contributed modules, themes and entire sites via LimoenGroen.

Contact us for a quote.

Follow @ustima

Copyright © 2021 by Heine Deelstra. All rights reserved.

  • Home
  • Drupal
  • About