Zerodayscan and Drupal: finding bugs for fame

If you use Drupal or are considering using Zerodayscan, please read Heine Deelstra's post about Zerodayscan.

As a Drupal user you should feel confident that Drupal's belief in "secure by default" doesn't override the goal of creating easy to use sites by default. It is often a balance between the two and in this case Drupal is choosing to be more usable rather than more secure.

Creating a sanitized Drupal database dump

People often want to create a backup copy of their site database and give it to someone else to create an environment similar to the live environment for testing or development. However, doing so exposes all of your site data to being leaked if that backup copy is ever placed on a CD that gets lost, a hard drive which is not destroyed at the end of its life, or a laptop which is stolen.

Free resources online for protecting your Drupal site

There are lots of great resources online about how to secure your Drupal site. This site is meant to be one of those resources, but there are also others available elsewhere. Here are some of the best resources available from around the internet with Drupal-specific security information.

Handbooks

The handbooks are probably the most natural place to look and in fact they have three great areas of resources.

Protecting your Drupal module against Cross Site Request Forgeries

Cross Site Request Forgeries (CSRF) are the 3rd most common vulnerability in Drupal and yet they are quite easy to protect against. The precise solution depends on where the problem is, but is never too complex to implement. To start, of course, we need to understand what CSRF actually is.

Techniques in Attacking and Defending XML/Web Services

Mamoon Yunus and Jason Macy gave this presentation with an overview of XML/Web services and how the usual security rules apply to this area.

Review of the problems with XML/Web services

All the normal problems still apply:

  • Firewalls are not aware of the XML content
  • Malware and viruses (or XSS) can be included in the content, depending on the context in which the XML data is used
  • WSDL exposes the schema and message structure
  • Injection attacks are possible via the XML parameters
  • Data replay is still possible
  • Denial of service is still possible, especially with parameters