Security
IN (%s); a security vulnerability waiting to happen
Heine —Tue, 2007/06/19 - 00:14
I've written before about (ab)using %s in IN clauses such as:
Do a quick security review when porting your module
Heine —Thu, 2007/02/22 - 08:48
Adapted from a mail I sent to the Drupal development list.
Porting a module is an excellent opportunity to keep an eye out for security problems (evidence: DRUPAL-SA-2006-031). Here's a quick security reminder regarding input (user-supplied data). Code samples are only included to make a point, do not hold them against me.
Gain administrator privileges via an XSS vulnerability in Recipe
Heine —Tue, 2007/02/20 - 22:53
For those with the tendency to downplay cross site scripting (XSS) vulnerabilities, a small videocast on how a vulnerability in the contributed module Recipe can get an attacker administrator access to a Drupal site. The vulnerability was fixed with DRUPAL-SA-2006-014 a long time ago, so I feel it's safe to publish the video now.
» Videocast.
