![[Valid RSS]](images/valid-rss-rogers.png "Valid RSS")
This is a valid RSS feed.
This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
<p><iframe src="https://docs.google.com/present/embed?id=dc2n8 ...
line 163, column 0: (2 occurrences) [help]
</description>
</channel>
<?xml version="1.0" encoding="utf-8"?><rss version="2.0" xml:base="https://www.crackingdrupal.com" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel> <title>Cracking Drupal </title> <link>https://www.crackingdrupal.com</link> <description></description> <language>en</language><item> <title>Improvements to Security in Drupal 7</title> <link>https://www.crackingdrupal.com/node/69</link> <description><p>Drupal 7 has several security improvements. People often ask if the book <a href="http://crackingdrupal.com/">Cracking Drupal</a> covers Drupal 6 or Drupal 7. The answer is that it mostly covers both because security issues did not change much between the versions. So the book is still just as relevant for Drupal 7 with the exception of the topics below. The only other major topic the book doesn't cover is CSRF, but you can read an article about <a href="http://drupalscout.com/knowledge-base/protecting-your-drupal-module-against-cross-site-request-forgeries-csrf">Protecting Drupal from CSRF</a> .</p><h3>New Database API reduces opportunity for SQL Injection</h3><p>SQL Injection makes up roughly 10% of the vulnerabilities that have been found in Drupal core or contributed modules. A lot of the times this comes from people not using query placeholders, using the wrong placeholders, or trying to build dynamic queries without properly filtering user inputs. The new database API solves these three problems:</p><ul><li>It is based on object oriented system so people are taught to use the placeholder system by default</li><li>It completely re-thinks how placeholders work making it so the right placeholder will be automatically inserted wither your argument is a number, string, or an array of data.</li><li>It makes it much easier to do dynamic queries - See <a href="http://www.lullabot.com/articles/simplify-your-code-with-drupal-7s-database-api">Jeff Eaton's post</a> for details</li></ul><p>It's still possible to create SQL Injections in Drupal 7, of course. The first is to use the <a href="http://drupal.org/node/310086">-&gt;where() method of conditional clauses</a> which "allows for the addition of arbitrary SQL as a conditional fragment." If your code can insert arbitrary SQL then it can insert a SQL Injection. The other way is to simply use <a href="http://drupal.org/node/310072">db_query for a static query</a> but put concatenated user input into the query string. Luckily both of those things are easy to spot in a review and will soon become red-flags for every code reviewer.</p><p>As you can see, the redesigned database API is much less likely to be used incorrectly. I believe we'll see a decrease in SQL Injection vulnerabilities as Drupal 7 is adopted.</p><h3>Improved hashing algorithms</h3><p>We moved away from the increasingly crackable md5 hashing algorithm for all hashes. Passwords are now hashed with a user specific salt which makes them harder to crack. By default they are hashed 2^15 times, though you can control that number by setting</p><p><code>&lt;?php<br /> $conf['password_count_log2'] = 16; <br />?&gt;</code></p><p> or whatever other number you choose. The benefit of setting that variable in your settings.php is that it is not in the database so a malicious user attempting to crack a password would have to try hashing it a different number of times. This provides several benefits. It makes it very difficult to reverse engineer the passwords associated with accounts/emails if a database backup is exposed to the world or a SQL injection is found. It also makes it harder for developers to make mistakes when building an external authentication mechanism since they are practically forced to use the password/user API.</p><p>The password hashing mechanism is based on phpass and is compatible with other systems that use that system. This is helpful if importing users from another site or exporting users from one version of Drupal to another.</p><p>There is now a site specific salt called</p><p><code>&lt;?php<br /> $drupal_hash_salt <br />?&gt;</code></p><p> that lives in the settings.php in addition to the site specific key called drupal_private_key which is stored in the database. These private key values can be used to increase the strength of hashed/encrypted data.</p><p>If you just install Drupal it wil create a drupal_hash_salt value for you, but if you want to use a different one that is managed outside of your settings.php you can simply edit the settings.php prior to installation and set the</p><p><code>&lt;?php<br /> $drupal_hash_salt = file_get_contents('/home/example/salt.txt'); <br />?&gt;</code></p><p>. The salt.txt file should be somewhere that the webserver can read, but is not generally available to other users on your unix system. It should be read-only for the webserver. The permissions on settings.php should give a good guide for how to set the salt.txt permissions. The file should contain a string of randomly generated information. <a href="http://www.random.org/">Random.org</a> can give tips on how to create random strings.</p><p>These improvements are more about hardening Drupal to stay "current" than it is about reducing any specific vulnerability.</p><h3>Drupal 7's built-in brute force detection</h3><p>Drupal 7 also includes brute force login attack prevention. This was possible in Drupal 6 via solutions like the <a href="http://drupal.org/project/login_security">Login Security module</a> but now it's part of core. This feature was added in the issue to <a href="http://drupal.org/node/485974">Improve security: rate limit login attempts</a> which does not provide a specific user interface to the feature. It does, however, have four important variables. The first two are for limiting the failed logins by IP: user_failed_login_ip_limit which defaults to 50 and user_failed_login_ip_window which defaults to 3600 seconds (i.e. one hour). The second set are for limiting failed logins per user: user_failed_login_user_limit which defaults to 5 attempts and user_failed_login_user_window which defaults to 21600 seconds (i.e. 6 hours).</p><h3>Easier module updates: plugin manager</h3><p>One of the persistent problems with security releases is getting sites upgraded. If the patch is out but nobody has installed it then it doesn't help. Drupal 7 includes the ability to install or update modules via the administrative interface making it much easier to keep a site up to date. This process uses ssh or ftp in a local loopback to access the files so that the webserver doesn't have to have the ability to write files. This, of course, can be seen to have drawbacks. The ideal way to manage this is as a separate user and keep close tabs on the <a href="http://drupal.org/node/244924">proper file permissions</a> and the web-based installer promotes some bad practices (e.g. leaving FTP running). I think this feature is good for some sites and hope people will use it to keep their sites up to date. If you are scared of the practices it allows then I suggest you disable it by going into settings.php and uncommenting this line at the bottom to disable the feature.</p><p><code>&lt;?php<br />$conf['allow_authorize_operations'] = FALSE;<br />?&gt;</code></p><h3>Drupal.org improvements in security coincide with Drupal 7 release</h3><p>Drupal 7 was released in January of 2011 and the git migration wrapped up in March of 2011. The move to git helps module maintainers to create a new release of their module based on an old tag without having to do gymanistics in CVS. This will allow security releases to contain ONLY security fixes which will help site builders to deploy those changes quickly. Site builders will be able to QA the change much more rapidly and worry less about features and bugfix changes in the code that might break their site.</p><p>Knowing security is a process, we have also made improvements to our security advisory process. The security.drupal.org site is where the <a href="http://drupal.org/security-team">Security Team</a> collaborates on issues. It now provides access to an issue for issue reporter and module maintainer to make collaboration with the team easier. This should increase the free time the Security Team has to work on other items, and for maintainers it will increase the ease of interacting with the Security Team making them more likely to get the fix released properly. We also are using a template for writing the Security Advisories. This process increases the quality of the advisories and lets module maintainers write them directly without needing nearly as much help from the security team. Again, that's a big help to both the Security Team and the module maintainers.</p></description> <comments>https://www.crackingdrupal.com/node/69#comments</comments> <category domain="https://www.crackingdrupal.com/taxonomy/term/60">Drupal 7</category> <category domain="https://www.crackingdrupal.com/category/tags/security">security</category> <pubDate>Wed, 01 Jul 2015 21:49:52 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">69 at https://www.crackingdrupal.com</guid></item><item> <title>Why counting vulnerabilities is not a sufficient method of comparing product security</title> <link>https://www.crackingdrupal.com/node/66</link> <description><p>A lot of people find themselves in the position of trying to figure out which software package is the most secure, or at least <em>more</em> secure between a field of choices. They often try to do this by comparing the number of vulnerabilities in the two packages, going to vulnerability databases like MITRE-CVE or NIST-NVD.</p><p>However, consider this example timeline of vulnerability disclosure from a <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2013-June/090761.html">sample issue on full disclosure</a></p><blockquote><p>2013.05.11 Vulnerability reported to the vendor<br />2013.05.12 Vendor asked for details<br />2013.05.12 Details and exploit provided to the vendor<br />2013.05.30 Asked vendor about the status of investigation (no response)<br />2013.06.11 Sent another mail to the vendor (no response)<br />2013.06.15 Full disclosure</p></blockquote><p>That is actually a real problem that could expose passwords and private key of a site. It affects the core software. And even though the researcher followed responsible disclosure, apparently the security team didn't do anything about the issue after a month. Perhaps the worst part of all this...there's a good chance this vulnerability will never make it into a database like NVD or CVE.</p><p>Consider this example the next time someone talks about numbers of vulnerabilities. Remind them that it's more important that there is an active group of people who are:</p><ol><li>Looking for vulnerabilities (these people don't have to be part of the product's insider community)</li><li>Fixing them</li></ol><p>In this case the active user base of the product has led a researcher to find the problem. But then the product developers didn't follow through on fixing the issue and therein comes the problem: users are vulnerable and unaware of the problem.</p></description> <comments>https://www.crackingdrupal.com/node/66#comments</comments> <pubDate>Tue, 18 Jun 2013 16:38:39 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">66 at https://www.crackingdrupal.com</guid></item><item> <title>Notes from Linux Security Tunables by Kees Cook</title> <link>https://www.crackingdrupal.com/node/65</link> <description><p>I recently attended Drupalcon Portland where I attended Kees Cook's session on <a href="http://portland2013.drupal.org/session/linux-system-security-tunables">Linux System Security Tunables</a>. He had some great general security advice before the session began. You can watch the video on the Drupalcon site and read the slides there. Here are my notes from the session.</p><h3>Authentication hygiene (e.g. ssh keys)</h3><ul><li>know where your credentials live</li><li>keep away from devices with remote access</li><li>store encrypted, tied to a specific device - if you lose control of that device, revoke those keys</li><li>don't use password or even only-passphrase authentication</li><li>keep the ssh comments (user@host) so you can more easily revoke keys in case you need to</li><li>ssh gives you a host key when you first connect - verify that it's right! ssh-keygen -f /etc/ssh/ssh_host_rsa.pub -lv</li></ul><h3>Discretionary Access Control (user-defined)</h3><ul><li>Personal accounts<ul><li>no direct access</li></ul></li><li>Web services<ul><li>no access to personal information nor reconfigure itself</li><li>cannot change execution</li></ul></li><li>Service maintainers<ul><li>No access to personal acct, limited system access</li><li>Can modify a given service (e.g. the database service)</li></ul></li><li>System admin<ul><li>extremely powerful</li></ul></li><li>This is great for logging because you can see transitions between levels</li><li>Clear lines between data and execution</li><li>Control access via sudo or other keys<br />User_Alias SOME_SERVICE = kees, gchaix, pholcomb<br />OR put individual keys into /home/some_service/.ssh/authorized_keys</li></ul><h3>Mandatory Access Control</h3><ul><li>AppArmor</li><li>SELinux</li><li>SMACK</li><li>Tomoyo</li></ul><h3>Multifactor Authentication (TFA or more)</h3><ul><li>Downside to recommending sudo: 1 password for 2 accounts</li><li>MFA can help</li></ul><h3>Kernel tunables</h3><ul><li>Tree of items /proc/sys</li><li>Use sysctl to edit them, or they are files so you can just edit them</li><li>randomize_va_space=2</li><li>net.ipv4.tcp_syncookies=1</li><li>kernel.yama.ptrace_scope=1</li><li>vm.mmap_min_addr=65536</li><li>kptr_restrict=1</li><li>kernel.dmesg_restrict=1</li><li>fs.protected_symlinks=1</li><li>fs.protected_hardlines=1</li><li>kernel.modules_disabled=1</li></ul><h3>Start today</h3><ul><li>Make a plan</li><li>Prioritize the changes</li><li>Make changes</li><li>Automate verification (cacti, nagios, cron, etc.)</li></ul></description> <comments>https://www.crackingdrupal.com/node/65#comments</comments> <pubDate>Fri, 31 May 2013 15:58:17 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">65 at https://www.crackingdrupal.com</guid></item><item> <title>Automated Security Reviews for Drupal - 2011 edition</title> <link>https://www.crackingdrupal.com/node/70</link> <description><p>These are the <a href="/web/20121118063717/https://docs.google.com/present/view?id=dc2n8pp9_93cnwschc7">slides for a presentation</a> on Automated Security Reviews I'm doing at Drupalcamp Colorado. You may also be interested in <a href="/steps-drupal-security-review">Steps to a Drupal Security Review</a>.<br /><br /></p><p><iframe src="https://docs.google.com/present/embed?id=dc2n8pp9_93cnwschc7" frameborder="0" width="410" height="342"></iframe></p></description> <comments>https://www.crackingdrupal.com/node/70#comments</comments> <category domain="https://www.crackingdrupal.com/category/tags/automated-scanning">automated scanning</category> <category domain="https://www.crackingdrupal.com/category/tags/security">security</category> <pubDate>Fri, 10 Jun 2011 07:00:00 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">70 at https://www.crackingdrupal.com</guid></item><item> <title>Cracking Drupal Kindle Edition now available for $14.84 (Still relevant for Drupal 7)</title> <link>https://www.crackingdrupal.com/blog/greggles/cracking-drupal-kindle-edition-now-available-1484-still-relevant-drupal-7</link> <description><p>The day has finally come - <a href="http://www.amazon.com/Cracking-Drupal-Drop-Bucket-ebook/dp/B004RD85CQ">Cracking Drupal is available for the Kindle</a>.</p><h3>Cracking Drupal on the Kindle</h3><p>I asked my publisher about this almost instantly after the book came out. I had recently received a Kindle as a gift and was excited about e-books. Unfortunately the technology was young and getting a book on such a specific topic into the Kindle format was a daunting task for them. It seems either the Kindle format got easier or they got better at reformatting things to Kindle format or both and now it's available.</p><p><a href="http://crackingdrupal.com/buy-amazon"><img src="http://crackingdrupal.com/sites/crackingdrupal.com/files/Selection_2078_0.png" alt="Cracking Drupal available for Kindle" /></a></p><p>The Kindle edition costs $14.84 compared to $25 for the Amazon version of the book compared to $40 for the Wiley hardback available in stores or the $40 Wiley PDF available from Wiley.com.</p><h3>Drupal 7: Covered by Cracking Drupal so far</h3><p>One other question I've had a lot of recently is whether or not the book Cracking Drupal covers Drupal 7. The answer is basically yes. While I was writing the book the biggest change coming about was the database API. Indeed it is now out and indeed it makes it much harder to create sql injections. Everything else the book talks about - thinking like a hacker, the nature of cross site scripting, cross site request forgeries, and sql injection - are all still relevant in Drupal 7 as they were in Drupal 6 and the configuration, process and coding practices to keep your site safe are still basically the same.</p><p>There is a chance that I will create an updated version of the book that more specifically covers Drupal 7 but I think more likely is to skip Drupal 7 and instead wait for a version of the book on Drupal 8. By then things will have changed enough to make it worthwhile and I can expand the coverage of areas I didn't cover as much as I would have liked to (mainly CSRF).</p></description> <comments>https://www.crackingdrupal.com/blog/greggles/cracking-drupal-kindle-edition-now-available-1484-still-relevant-drupal-7#comments</comments> <category domain="https://www.crackingdrupal.com/category/tags/drupal">Drupal</category> <category domain="https://www.crackingdrupal.com/category/tags/e-books">e-books</category> <category domain="https://www.crackingdrupal.com/category/tags/kindle">kindle</category> <category domain="https://www.crackingdrupal.com/category/tags/security">security</category> <pubDate>Wed, 06 Apr 2011 15:56:39 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">64 at https://www.crackingdrupal.com</guid></item><item> <title>Steps to a Drupal Security Review</title> <link>https://www.crackingdrupal.com/node/71</link> <description><p>As we developed our security review offering we came up with this outline. We don't follow all the steps on every site because sites sometimes have specific concerns that we want to address before the general set. But this is our exhaustive list of steps. Note that this is only about the Drupal portion of the stack. There is an array of things you could also analyze at the webserver, database server, operating system, network and even data center levels of the stack.</p><p>The first are relatively simple to perform. The last three (manual review, and putting it all in a report) are the hardest.</p><h3>Steps to review a Drupal site's security</h3><p><strong>Automated or semi-automated steps:</strong></p><ul><li><a href="http://crackingdrupal.com/blog/greggles/creating-sanitized-drupal-database-dump">Santize the database</a>, remove all e-mail addresses, remove passwords, etc.</li><li>Install one or more of <a href="http://drupal.org/project/mail_logger">mail_logger</a>, <a href="http://drupal.org/project/reroute_email">reroute_email</a>, <a href="http://drupal.org/project/advanced_mail_reroute">advanced_mail_reroute</a>, <a href="http://drupal.org/project/maillog">maillog</a> so that your testing won't accidentally send mails.</li><li>Is core modified anywhere? Are their contribs modified anywhere? check with <a href="http://drupal.org/project/hacked">Hacked!</a></li><li>Are those modifications documented somewhere or just modified? Ideally patch files should exist somewhere like /sites/example.com/patches/ or in the module directory itself with a Drupal.org issue number and comment number as part of the patch name).</li><li>Install <a href="http://drupal.org/project/security_review">Security Review</a> module on the live site and local site and make sure it passes</li><li>Use a stronger than normal rainbow table to find anyone who has an advanced role and a weak password (See <a href="http://drupal.org/node/897960">this issue</a> for some related work).</li><li>Run <a href="http://drupal.org/project/coder">Coder Security</a> on all contributed modules and custom code</li><li>Run <a href="http://drupal.org/project/secure_code_review">Secure Code Review</a> on contributed modules and all custom code</li></ul><p><strong>Manual steps:</strong></p><ul><li>Install <a href="http://github.com/miccolis/vuln">vuln</a> and browse the site as a human</li><li>Interview the client: What does the site do? What can users do on the site? What content can they post, what fields can they edit? Based on those interviews </li><li>Probe the site, entering fuzz content and/or Javascript </li><li>Manually review the custom theme</li><li>Manually review custom code</li></ul><p>The manual review is based on knowledge of secure coding practices. That can be gained from <a href="http://drupal.org/writing-secure-code">reading the handbook</a> and reading <a href="http://crackingdrupal.com/">Cracking Drupal</a>.</p><p><strong>Suggestions and report:</strong></p><ul><li>Suggest SSL, especially for logins and admins, if they run a site where that is worth it</li><li>Suggest OpenID (part of core), <a href="http://drupal.org/project/rpx">Janrain Engage</a>, etc. so that credentials like username/password can be remembered once and used on multiple sites.</li><li>Prepare report for issues including<ul><li>a narrative describing the above process</li><li>prioritized vulnerability list with severity and estimated difficulty to fix</li><li>reference material describing vulnerabilities found (e.g. what is XSS?)</li><li>screenshots of vulnerabilities where applicable</li><li>a general assessment of the site</li></ul></li></ul><p>Originally posted on drupalscout.com</p></description> <comments>https://www.crackingdrupal.com/node/71#comments</comments> <pubDate>Mon, 21 Feb 2011 08:00:00 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">71 at https://www.crackingdrupal.com</guid></item><item> <title>Using XSS to steal access</title> <link>https://www.crackingdrupal.com/blog/ben-jeavons/using-xss-steal-access</link> <description><p>We've talked about Cross Site Scripting (XSS) before, and for good reason, it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; <a href="http://drupalscout.com/knowledge-base/using-xss-steal-access">XSS can do everything you can do</a>.</p><h3>XSS cookie theft</h3><p>Let's look at another example of an XSS exploit: stealing administrative access to a site.</p><ul><li>An attacker will enter Javascript that steals the visitor's browser cookie</li><li>An administrator will unknowingly execute this Javascript</li><li>The administrator's browser will send the cookie to the attacker's website</li><li>The attacker will use the stolen cookie to use the administrator's access on the site</li></ul><p><a href="http://drupalscout.com/knowledge-base/using-xss-steal-access"><img style="float: left; padding: 1em;" src="http://crackingdrupal.com/sites/crackingdrupal.com/files/drupalscout-final-rgb-131x200.png" /></a><br /><strong>This article is now part of the <a href="http://drupalscout.com/knowledge-base">Knowledge Base</a> of Drupal security articles on <a href="http://drupalscout.com/">Drupal Scout</a>.</strong></p><p>Read the rest of <a href="http://drupalscout.com/knowledge-base/using-xss-steal-access">Using XSS to steal access</a></p><p><br style="clear:left;" /></p><p>This page is kept so the comments posted here are available since they provide additional help and insights.</p></description> <comments>https://www.crackingdrupal.com/blog/ben-jeavons/using-xss-steal-access#comments</comments> <category domain="https://www.crackingdrupal.com/category/tags/cookies">cookies</category> <category domain="https://www.crackingdrupal.com/category/tags/demo">demo</category> <category domain="https://www.crackingdrupal.com/category/tags/planet-drupal">Planet Drupal</category> <category domain="https://www.crackingdrupal.com/category/tags/xss">XSS</category> <pubDate>Mon, 31 Jan 2011 19:00:09 +0000</pubDate> <dc:creator>Ben Jeavons</dc:creator> <guid isPermaLink="false">61 at https://www.crackingdrupal.com</guid></item><item> <title>Drupalcon Training: Securing your Drupal site with code and configuration</title> <link>https://www.crackingdrupal.com/blog/greggles/drupalcon-training-securing-your-drupal-site-code-and-configuration</link> <description><p><em>First things first, please take this <a href="http://crackingdrupal.com/survey/drupal-security-2011">survey about Security in Drupal</a></em>.</p><p>Much like at last year's Drupalcon in San Francisco, Ben Jeavons and I will be giving a training about <a href="http://chicago2011.drupal.org/training/security-process-code-hands-training">Drupal and Security</a>. When we gave this course at Drupalcon San Francisco, 88% of survey respondents said they would take the class again! We took all the feedback from last time and are working to make the experience even better.</p><p>The course is a mix of presentation, demonstration, guided hands-on work, and self exploration. We end the day with an hour where folks explore a vulnerable site looking for weaknesses and then wrap it all up by discussing the weaknesses found, and all the ones we knew about in the site.</p><p>Topics covered:</p><ol><li>Insecure configurations</li><li>Cross Site Scripting</li><li>Cross Site Request Forgeries</li><li>Access bypass, the menu system, and permissions</li><li>SQL Injection and the database api</li></ol><p>Perhaps the best quote from the 2010 training:</p><blockquote><p>Ben's jQuery administrator logout/change password/site offline demo induced buttock-clenching panic.</p></blockquote><h3>Trainings at Drupalcon</h3><p>This is one of the over <a href="http://chicago2011.drupal.org/training">30 trainings that will be given on March 7th</a>, the day before normal Drupalcon Chicago sessions kick off. It's a really amazing list of training providers and topics and we're excited to be among them.</p><p>If you aren't interested in security you should definitely consider signing up for some of the other courses. Even if you've already purchased your ticket to Drupalcon you can always add a training on the <a href="http://www.regonline.com/register/checkin.aspx?eventID=911915">registration form</a>.</p><h3>Drupal security survey</h3><p>To prepare for the training, for the presentation, and just to get a better sense of what people think about security in Drupal, we are hosting a <a href="http://crackingdrupal.com/survey/drupal-security-2011">survey</a> to collect some organized feedback from folks. Please take 5 minutes and fill it in.</p></description> <comments>https://www.crackingdrupal.com/blog/greggles/drupalcon-training-securing-your-drupal-site-code-and-configuration#comments</comments> <category domain="https://www.crackingdrupal.com/category/tags/drupalcon">Drupalcon</category> <category domain="https://www.crackingdrupal.com/category/tags/planet-drupal">Planet Drupal</category> <category domain="https://www.crackingdrupal.com/category/tags/security">security</category> <category domain="https://www.crackingdrupal.com/category/tags/training">Training</category> <pubDate>Tue, 18 Jan 2011 18:48:08 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">60 at https://www.crackingdrupal.com</guid></item><item> <title>Anything you can do XSS can do better</title> <link>https://www.crackingdrupal.com/blog/ben-jeavons/anything-you-can-do-xss-can-do-better</link> <description><p>Cross Site Scripting (XSS) is the number one vulnerability in Drupal codeĀ¹ and one of the scariest forms of exploits, because anything you can do XSS can do betterĀ².</p><h3>More serious than &lt;script&gt;alert('xss')&lt;/script&gt;</h3><p>During XSS demos and vulnerability testing it's easy to use some code like &lt;script&gt;alert('xss')&lt;/script&gt; to see Javascript executed where it shouldn't be. But an alert box isn't scary.</p><p>It's scary when Javascript can put your Drupal site offline. And it's even scarier when it locks you out of logging back in because it changed your administrator account username, password, and email address. Watch the short video below to see a demo of this.</p><p><a href="http://drupalscout.com/knowledge-base/anything-you-can-do-xss-can-do-better"><img style="float: left; padding: 1em;" src="http://crackingdrupal.com/sites/crackingdrupal.com/files/drupalscout-final-rgb-131x200.png" /></a><br /><strong>This article is now part of the <a href="http://drupalscout.com/knowledge-base">Knowledge Base</a> of Drupal security articles on <a href="http://drupalscout.com/">Drupal Scout</a>.</strong></p><p>Read the rest of <a href="http://drupalscout.com/knowledge-base/anything-you-can-do-xss-can-do-better">Anything you can do XSS can do better</a></p><p><br style="clear:left;" /></p><p>This page is kept so the comments posted here are available since they provide additional help and insights.</p></description> <comments>https://www.crackingdrupal.com/blog/ben-jeavons/anything-you-can-do-xss-can-do-better#comments</comments> <category domain="https://www.crackingdrupal.com/category/tags/planet-drupal">Planet Drupal</category> <category domain="https://www.crackingdrupal.com/category/tags/xss">XSS</category> <pubDate>Fri, 01 Oct 2010 05:25:55 +0000</pubDate> <dc:creator>Ben Jeavons</dc:creator> <guid isPermaLink="false">57 at https://www.crackingdrupal.com</guid></item><item> <title>Zerodayscan and Drupal: finding bugs for fame</title> <link>https://www.crackingdrupal.com/blog/greggles/zerodayscan-and-drupal-finding-bugs-fame</link> <description><p>If you use Drupal or are considering using Zerodayscan, please read <a href="http://heine.familiedeelstra.com/ZeroDayScan-full-path-disclosure-bug-in-Drupal-6.16-0day">Heine Deelstra's post about Zerodayscan</a>.</p><p>As a Drupal user you should feel confident that Drupal's belief in "secure by default" doesn't override the goal of creating easy to use sites by default. It is often a balance between the two and in this case Drupal is choosing to be more usable rather than more secure.</p><p>If you are thinking of using Zerodayscan, consider the "research" they are doing and the way they promote the "vulnerabilities" that they find. There are better security products out there...</p></description> <comments>https://www.crackingdrupal.com/blog/greggles/zerodayscan-and-drupal-finding-bugs-fame#comments</comments> <pubDate>Thu, 29 Apr 2010 11:50:30 +0000</pubDate> <dc:creator>greggles</dc:creator> <guid isPermaLink="false">54 at https://www.crackingdrupal.com</guid></item></channel></rss> If you would like to create a banner that links to this page (i.e. this validation result), do the following:
Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):
If you would like to create a text link instead, here is the URL you can use:
http://www.feedvalidator.org/check.cgi?url=http%3A//crackingdrupal.com/rss.xml
