Topics related to site security.
0
votes
1 answer
18 views
Does the securelogin module need to have a certificate?
securelogin seems to be a must to protect against spying login/password.
However, it is not clear (to me) whether it requires an SSL certificate.
I couldn't find this info either in its module page ...
1
vote
3 answers
194 views
PHP in database: bad practice but
Lots of times here I've been told that using views custom php fields, filters or others is a bad practice, because putting php in the sql is dangerous.
My question is, if you only call to a function, ...
1
vote
2 answers
38 views
Insecure fmath editor
fmath is an extremely powerful plug-in library for wysiwyg editors.
It provides an editor for mathematical formulas, which generates images that can be used in Drupal sites. It processes MathML and ...
0
votes
1 answer
17 views
Search engines try to access node editing links
In my dblog I am occasionally seeing queries, probably coming from search engines, for links such as
http://mydomain.com/node/13130/delete?destination=node
I wonder how a search engine possibly got the idea to ...
0
votes
0 answers
82 views
Access denied for image urls created via image style although derivative token is appended?
I want to apply an image style to an image and use it via CSS:
if (isset($node->field_images_image['und'][0]['filename'])) $vars['blurred_background'] = image_style_url('background_blurred', ...
0
votes
0 answers
39 views
D7 Organic groups and securing private files
I'm looking for a current solution for private file protection in D7 (so files uploaded without a node can be hidden from unauthorized users). I saw this question, organic groups and private files, ...
1
vote
1 answer
36 views
Prompt in IE8 for secure pages produces altered layout
My Drupal 7 website looks fine in most browsers, but in IE8 I am getting the prompt:
"Do you want to view only the webpage content that was delivered securely? This webpage contains content ...
0
votes
1 answer
16 views
Conditional based field security
Is there any condition-based field security in Drupal? E.g., an administrator can only edit the user details of users who are from the same country?
2
votes
2 answers
97 views
HTTP Basic auth on specific Drupal paths?
I want to use HTTP Basic authentication on a group of paths in my Drupal site (e.g. /folder/*). The paths are all menu callbacks that don't have actual page content.
I tried to use Secure Site but I ...
0
votes
2 answers
158 views
Drupal Commons 3 and Original Drupal Core Updates
I may be planning to switch over to Drupal Commons 3. My question is... When the original Drupal core gets security updates, will I be able to get those updates in the Drupal Commons or do I have to ...
2
votes
1 answer
42 views
Overriding default hashing mechanism: cannot redeclare user_hash_password()
I have a project that requires a change in the default password encryption mechanism.
The documentation of password.inc states that this can be overridden using the password_inc variable. I followed ...
0
votes
2 answers
120 views
How can I change the admin URL?
Is it possible to have the administration pages in a different place than /admin?
So something like: www.mysite.com/someotheradminlocation
I don't want the admin location to be guessable by hackers.
...
0
votes
1 answer
76 views
Is it a great idea to upload PHP instead of writing PHP in the Drupal interface
Each time I write PHP code in blocks and views, I always think about this question: "What are the downsides of using 'custom' PHP code in blocks, nodes, views-args, etc?".
Is it a great idea to ...
3
votes
1 answer
38 views
Are there any security concerns with getting the UID by simply querying the sessions table against the visitor's cookie?
In the High Performance JavaScript Callback Handler I'm attempting to use my own code to get the current user's ID.
To give a quick rundown, by returning data at a much lower bootstrap level ...
0
votes
1 answer
54 views
Security Review - Untrusted users are allowed to input dangerous HTML tags
I am getting the following error in my security review:
Untrusted users are allowed to input dangerous HTML tags.
Is this because in my text formats I've got the following:
Plain text All roles may ...