Articles

Storing Private Information Securely in Drupal

Drupal sites periodically need to save private information. Some examples include a secret key used for communicating with a remote service (like an API key for a payment gateway) or private information for each user on the site.

Stay Aware of Drupal Security Updates - the easy way

When dealing with any internet-connected software, staying on top of updates is a big responsibility. It is critical to the security of your site and yet can take a lot of time. The traditional advice about updates is "subscribe to the updates mailing list", and that works pretty well for most projects. For broad software projects like Drupal, however, that advice is increasingly unmanageable.

Your Drupal site pretending to be another?

Drupal 7 added a new feature to core that is not directly user facing, but is sometimes called poor man's cron. The feature triggers the periodic tasks of a Drupal site like emptying log files, sending e-mails, and clearing out caches. This feature, when combined with dynamic detection of the "base url" (added in Drupal 4.7), can lead to some screwy situations.

Best practices for Drupal permissions

Drupal has a rich and extensible role and permissions system. I've heard complaints from "everyday site builders" that there are too many permissions and from large government organizations that the permissions aren't granular enough, so you know we're doing something right. But there are some common mistakes and associated best practices to consider when working with the system.

The dangers of 3rd party libraries in Drupal sites

Many Drupal modules leverage third party code. Examples include plupload and ckeditor. Those libraries include a lot of their own code, either as examples of how to work with the library or for integration with other applications.

I chose those specific examples because they include XSS vulnerabilities.

Introduction to Cross Site Request Forgery (CSRF)

Cross Site Request Forgeries are a relatively common problem in web applications. Applications that involve JavaScript/Ajax are especially likely to contain CSRF vulnerabilities.

List of Security Compliance/Regulations standards by Industry

There are basically two reasons to think about security in your website: because you feel it's important and because of industry regulations that force you to think about it. The following list, broken down by industry and site type, shows which kinds of security issues and regulations you should consider when planning your site.

Drupal Solutions to Mime Type Detection XSS

This article presents an overview of two methods to solve a cross site scripting problem that affects older versions of Safari and Internet Explorer versions 8 and below (to varying degrees). If you are unfamiliar with XSS or how bad it is, please first read Introduction to Cross Site Scripting (XSS) and Drupal.

Introduction to Cross Site Scripting (XSS) and Drupal

This article provides an introduction to Cross Site Scripting in Drupal.

Drupal XSS Example: Change user's password

Below is a version of the code originally written by Heine Deelstra, updated for Cracking Drupal, and now updated again for Drupal 7.
