Topics related to site security.
0 votes, 0 answers, 11 views
Configure CentOS for Drupal 7 on VPS
Due to requirements, I'm having to upgrade to VPS hosting. However, in the past I've always used shared hosting and I have little experience with Linux. When I make the move, I'll be presented with ...
3 votes, 1 answer, 71 views
Spambots causing server crashes. How do I block them?
I have a Drupal 7 website on a shared hosting account that uses an Apache server. It is getting continuously battered by spam bots who try to post junk comments and create fake accounts. What methods ...
3 votes, 1 answer, 57 views
un-escaped _server variable in settings.php - bad idea, right?
I recently started working for a new company hosting Drupal sites that is using a switch statement within the settings.php for multiple environments. I am accustomed to using multi-site and am ...
1 vote, 1 answer, 23 views
Security issues after authenticated user has been logged out
I have a profile information page that is being displayed for authenticated users. But after I log out as that specific user, and then I click the back button of the browser, I could find the ...
0 votes, 2 answers, 59 views
Webform + reCaptcha - still a lot of SPAM
A few months ago I installed the reCaptcha module to use with Webform. It worked perfectly: I can't submit the form if I don't provide the correct captcha code. It worked even if I disabled JavaScript. The problem is ...
0 votes, 1 answer, 22 views
Drupal 7: remove login & password for anonymous users
I have a username and password for my site for development purposes and now want to take the site live and remove the username and password for anonymous users. How do I do that?
4 votes, 2 answers, 92 views
Is theme_pager() vulnerable to HTTP Parameter Pollution?
I'm currently running vulnerability scans against my application, which is based on Drupal. One "High" vulnerability is HTTP Parameter Pollution (HPP), and it has to do with pages that make use of ...
1 vote, 0 answers, 28 views
Captcha on login form using the form block module
I am providing the registration form using the form block module. I also have the Captcha and Hidden Captcha modules enabled on my site. However, I am not getting the option to add a captcha to the ...
2 votes, 1 answer, 52 views
Best practices for protecting from injection on form fields
I am building a form in Drupal 7. I have a textarea field and would like to know if it is safe to get the field content ($form['values']['field_name']) and save it to the database using something like ...
1 vote, 1 answer, 32 views
Authenticate against a Drupal Instance
Is it possible for an application (e.g. a Java Web app) to authenticate against the Drupal users table? I know they use an SHA512 encryption, but I am wondering if there is any way to expose this ...
2 votes, 1 answer, 83 views
Why are some PDOException errors displayed in detail on the user's screen and others not?
A user reported to me seeing the following error on his screen:
The watchdog entry for this error looks like this:
PDOException: SQLSTATE[HY000]: General error: 1205 Lock wait timeout exceeded; try ...
1 vote, 1 answer, 96 views
Files security - files folder hacked
For the second time in a short while my files/ folder has been hacked. Permissions are set as 755 all across the folder.
I tried to set it up as 750, 754 but it breaks the website.
What happens is ...
0 votes, 1 answer, 20 views
Does the securelogin module need to have a certificate?
securelogin seems to be a must to protect against spying on login/password.
However, it is not clear (to me) whether it requires an SSL certificate.
I couldn't find this info either in its module page ...
1 vote, 3 answers, 222 views
PHP in database: bad practice but
Lots of times here I've been told that using Views custom PHP fields, filters or others is a bad practice, because putting PHP in the SQL is dangerous.
My question is, if you only call a function, ...
1 vote, 2 answers, 43 views
Insecure fmath editor
fmath is an extremely powerful plug-in library for WYSIWYG editors.
It provides an editor for mathematical formulas, which generates images that can be used in Drupal sites. It processes MathML and ...
0 votes, 1 answer, 21 views
Search engines try to access node editing links
In my dblog I occasionally see queries, probably coming from search engines, for links such as
http://mydomain.com/node/13130/delete?destination=node
I wonder how a search engine possibly got the idea to ...
0 votes, 0 answers, 182 views
Access denied for image urls created via image style although derivative token is appended?
I want to apply an image style to an image and use it via CSS:
if (isset($node->field_images_image['und'][0]['filename'])) $vars['blurred_background'] = image_style_url('background_blurred', ...
0 votes, 0 answers, 71 views
D7 Organic groups and securing private files
I'm looking for a current solution for private file protection in D7 (so files uploaded without a node can be hidden from unauthorized users). I saw this question, organic groups and private files, ...
2 votes, 1 answer, 52 views
prompt in IE8 for secure pages produces altered layout
My Drupal 7 website looks fine in most browsers, but in IE8 I am getting the prompt:
"Do you want to view only the webpage content that was delivered securely? This webpage contains content ...
0 votes, 1 answer, 16 views
Conditional based field security
Is there any condition-based field security in Drupal? E.g. an administrator can only edit the details of users who are from the same country?
2 votes, 2 answers, 146 views
HTTP Basic auth on specific Drupal paths?
I want to use HTTP Basic authentication on a group of paths in my Drupal site (e.g. /folder/*). The paths are all menu callbacks that don't have actual page content.
I tried to use Secure Site but I ...
1 vote, 2 answers, 219 views
Drupal Commons 3 and Original Drupal Core Updates
I may be planning to switch over to Drupal Commons 3. When the original Drupal core gets security updates, will I be able to get those updates in the Drupal Commons or do I have to wait for Drupal ...
2 votes, 1 answer, 55 views
Overriding default hashing mechanism: cannot redeclare user_hash_password()
I have a project that requires a change in the default password encryption mechanism.
The documentation of password.inc states that this can be overridden using the password_inc variable. I followed ...
0 votes, 2 answers, 310 views
How can I change the admin URL?
Is it possible to have the administration pages on a different place than /admin?
So something like: www.mysite.com/someotheradminlocation
I don't want the admin location to be guessable by hackers.
...
0 votes, 1 answer, 83 views
Is it a great idea to upload PHP files instead of writing PHP scripts in the Drupal interface?
Each time I write PHP code in blocks and views, I always think about this question: "What are the downsides of using 'custom' PHP code in blocks, nodes, views-args, etc?".
Is it a great idea to ...
3 votes, 1 answer, 46 views
Are there any security concerns with getting the UID by simply querying the sessions table against the visitor's cookie?
In the High Performance JavaScript Callback Handler I'm attempting to use my own code to get the current user's ID.
To give a quick rundown, by returning data at a much lower bootstrap level ...
0 votes, 1 answer, 77 views
Security Review - Untrusted users are allowed to input dangerous HTML tags
I am getting the following error in my security review:
Untrusted users are allowed to input dangerous HTML tags.
Is this because in my text formats I've got the following:
Plain text All roles may ...
0 votes, 1 answer, 59 views
db_query - Get all nid in more than one nodetype
This is a simple query, but I really don't know why it's not working. I think the problem is with the single quotes used!
$type = array('node_type_1', 'node_type_2', 'node_type_3');
$placeholders = ...
2 votes, 1 answer, 33 views
Disappearing Content
I just inherited a Drupal 7 website from another agency. The site was faring well in our DEV and STAGE environments. The problem started occurring when we switched DNS over to our PRODUCTION site.
...
1 vote, 1 answer, 131 views
Would disabling these following functions in PHP.INI affect Drupal 7?
If I disabled the following PHP functions:
disable_functions = ...
-1 votes, 1 answer, 40 views
What file permissions and ownerships are appropriate for the files directory and subdirectories? [duplicate]
Possible Duplicate:
What are the recommended directory permissions?
I've scoured the net, and it seems that everyone has different methods of doing this and I just want to get a quick ...
0 votes, 2 answers, 187 views
How to disable PHP files from being run in the sites/default/files directory?
By default, does Drupal 7's sites/default/files directory disable running of PHP files?
0 votes, 2 answers, 103 views
Found index.php in files folder and all its subfolders? Anyone know what type of exploit is this? [closed]
I'm cleaning up my Drupal installations and I found that in the files folder, and in all its subfolders, there was an index.php file.
screenshot:
I still don't know what kind of exploit was done to get all ...
0 votes, 1 answer, 53 views
What actions to take when someone uploaded PHP files in random Drupal folders and is sending out spam
I'm not sure how this happened, but my server techs notified me about some PHP files inside the includes folder sending out 50k worth of emails. I'm not sure how anyone would be able to upload that. I ...
1 vote, 3 answers, 84 views
Advice - Forms and Credit Card Security
I'm working on a website for a client where he wants an order form created and e-mailed back to him. Because of the nature of the business, the card cannot be charged until the order is verified that ...
2 votes, 1 answer, 65 views
Recommended tools/techniques for monitoring for spam attacks on multi-site and shared servers
I'm managing a number of servers with dozens of Drupal sites, some with a single multi-site Drupal installation and others with dozens of separate Drupal installations. We're constantly running into ...
1 vote, 1 answer, 67 views
When is it necessary to check_url()?
When is it necessary to use check_url()? For instance, if I create a login link by putting the code below in the body of a block, which of the 3 check_url() calls are necessary and which ones are ...
0 votes, 0 answers, 41 views
Encrypt RSS feeds
The discussion here http://groups.drupal.org/node/9719 consists of a great idea to encrypt RSS feeds of private posts.
This says that "One thing that's impossible now is sharing private blog posts ...
2 votes, 1 answer, 330 views
In Drupal 7, how to prevent *.php files from being uploaded to the /files folder when it's required to have 777 permissions?
Hi, one of the sites I'm working on just recently got compromised and a bunch of PHP files got uploaded somehow or some way into the files folder and started sending out a lot of spam. I know during ...
0 votes, 2 answers, 128 views
Logging into Drupal 7 site with headless browser: why would it fail?
NOTE: I've heavily revised the wording of my question to focus more clearly on the problem. There's a ton of really really useful information in the answers below, but not all of it applies to ...
0 votes, 2 answers, 123 views
How is my website infected?
My web server company recently reported to me that my website is sending spam. I scanned the whole file system and found a number of infected PHP files like index.main.php, ipopup.php and wtm9309n.php ...
0 votes, 1 answer, 216 views
Drupal 7 membership site with secure video streaming
Similar questions seem to come up now and then, but I could not find a good solution yet.
I want to create a video tutorial website, where the public can only see the first 10 sec of the video and ...
0 votes, 2 answers, 219 views
Malicious code on my Drupal 7 website
I found that in all (I mean all Drupal JS files) JavaScript files on my Drupal website, there is a JavaScript code with an iframe pointing to an external website.
When opening the website through ...
7 votes, 6 answers, 692 views
How to deal with someone trying to log in as admin?
During these last days, I noticed in my dblog that someone has been trying to sneak around.
The person tried finding the login URL (my website isn't open for user registration) so they tried ...
3 votes, 3 answers, 379 views
Malware on D7 website - Blacklisted by Google
I want to tell you about the malware attack on my Drupal website. Not just for your suggestions but also to create something helpful to anybody that could suffer from the same problems. Well...
...
1 vote, 0 answers, 74 views
How can I conditionally insert extra header data on Drupal 6 pages?
I'm using Drupal 6 with the WebForms module, and my entire site uses https.
I need to insert some cache-control statements in the page headers of only certain pages (ones with forms on them). Is ...
3 votes, 1 answer, 97 views
Do Entity Field Queries respect grants and/or node access?
"How to use Entity Field Queries" contains the cryptic piece of information,
->addMetaData($key, $object)
Adds additional metadata to the query. One important usage of this method is to ...
1 vote, 1 answer, 95 views
Will forcing validation on a node save result in security issues or data integrity loss?
I have a content type containing lots of required and conditional fields. Because it can take a bit of time to properly create these nodes, and not all information will always be available to the ...
0 votes, 0 answers, 14 views
Drupal install.php and other .txt files [duplicate]
Possible Duplicate:
Which files should I delete after a Drupal installation?
Should I delete the install.php after installation?
And these other .txt files like
INSTALL.mysql.txt etc
I ...
2 votes, 3 answers, 145 views
DB log message: login failed for user xxx
Does anyone ever get "Login failed by user xxx" messages in their recent log entries? I have been getting the same message over and over for the past several days, always from the same IP address and ...