drupal

Ben's picture

Security Review module and securing your Drupal site

Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.

I'd like to introduce the Security Review module for automatically checking for the existence of insecure configuration and maintaining a secure Drupal site. With the first release come the following checks:

  • Insecure file system permissions
  • Insecure input formats
  • Dangerous code in nodes and comments
  • Printed errors
  • Private files directory not set outside the web root
  • Dangerous allowed upload extensions
  • Permissions granted to untrusted roles

Security Review also looks for the common attacks of SQL injection/system probing and brute-force login attempts.

The module reports the result of each check as pass or fail and provides details on an accompanying page. Because checks may not be 100% accurate on every system, any check can be excluded from a run. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail and, where applicable, link to online documentation.

Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!
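To make the idea of configuration auditing concrete, here is an added illustration (not the Security Review module's own code) of a few of the checks listed above, run over a constructed, Drupal-6-like settings dictionary; all names, values and the dangerous-tag and extension lists are assumptions made for the example.

```python
"""Added example: a minimal configuration audit in the spirit of the checks
listed above. The config layout and all values are constructed for this
illustration, not taken from a real Drupal install."""

# Tags that let untrusted users inject script or active content (assumed list).
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "style", "form", "input"}
# Upload extensions a web server may execute or a browser may run (assumed list).
DANGEROUS_EXTENSIONS = {"php", "phtml", "phps", "pl", "py", "cgi", "js", "html", "htm", "exe", "sh"}
UNTRUSTED_ROLES = {"anonymous user", "authenticated user"}

# Constructed sample configuration resembling Drupal 6 settings.
SAMPLE_CONFIG = {
    "base_path": "/var/www/html",
    "download_method": "private",
    "file_directory_path": "/var/www/html/sites/default/files/private",
    "error_level": 1,  # assumed: 1 means errors are also written to the screen
    "upload_extensions": "jpg jpeg gif png txt pdf php",
    "input_formats": [
        {"name": "Filtered HTML", "roles": {"anonymous user", "authenticated user"},
         "html_filter": True, "allowed_tags": "<a> <em> <strong> <p> <script>"},
        {"name": "Full HTML", "roles": {"administrator"},
         "html_filter": False, "allowed_tags": ""},
    ],
}

def input_format_findings(config):
    """Flag formats reachable by untrusted roles that allow dangerous tags or
    skip the HTML filter entirely (the 'any HTML tag in comments' case)."""
    findings = []
    for fmt in config["input_formats"]:
        if not fmt["roles"] & UNTRUSTED_ROLES:
            continue  # only trusted roles can use this format
        if not fmt["html_filter"]:
            findings.append(f"{fmt['name']}: no HTML filter for untrusted roles")
            continue
        tags = {t.strip("<>") for t in fmt["allowed_tags"].split()}
        bad = sorted(tags & DANGEROUS_TAGS)
        if bad:
            findings.append(f"{fmt['name']}: allows {', '.join(bad)} for untrusted roles")
    return findings

def run_checks(config):
    """Return check name -> list of findings; an empty list means the check passed."""
    exts = set(config["upload_extensions"].split())
    inside_webroot = config["file_directory_path"].startswith(config["base_path"] + "/")
    return {
        "input_formats": input_format_findings(config),
        "printed_errors": ["errors are displayed to site visitors"] if config["error_level"] else [],
        "private_files": ["private files directory is inside the web root"]
                         if config["download_method"] == "private" and inside_webroot else [],
        "upload_extensions": sorted(exts & DANGEROUS_EXTENSIONS),
    }
```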


Greg's picture

Book Review: Web Mapping Illustrated by Tyler Mitchell Using Open Source GIS Toolkits

This book is starting to get a little bit old (it was written in 2005) but it is still a great introduction to the complexities and potential fun with mapping online.

The book starts with general concepts, wades through command line and desktop tools for mapping, dives into Web Map Services based on the MapServer project, and finishes off with more reference material in the appendixes. The general concepts, command line tools (page 82 and nearby), and references will be useful for years to come. The rest of the material was a bit dated. For example, page 132 has a sidebar exclaiming that the *new* GMaps service from Google seemed very interesting.

I was particularly impressed by
* The introduction to SFSQL (Simple Feature Structured Query Language) on page 242
* The introduction to PostGIS features in Chapter 13, including a guide to querying on page 256
* Discussion of the ogr and gdal tools for dealing with various types of data.

I really hope that O'Reilly will update this book and that the author will be able to expand it to cover other mapping tools beyond MapServer and other databases beyond PostgreSQL (we mostly use MySQL).


Training - San Jose Library

San José Library

The San Jose Library manages a variety of websites for San José Public Libraries and San José State University Library. After evaluating several systems, the web team decided to use Drupal for their projects and began working to learn to use Drupal. In order to speed their trip up the Drupal learning curve, they decided to engage Growing Venture Solutions for training.

About the training, team lead Sarah Houghton-Jan said:

Greg's training was well-organized, starting with the basics and progressing to the more advanced topics. Greg is extremely knowledgeable about every aspect of Drupal. As one of the community's most active members, he has an incredible range of information immediately at his disposal about the system's capabilities and processes. The training was extremely flexible - Greg let us stop and ask questions whenever we wanted, pause for hands-on work, and breeze through issues of less interest to us. Greg is a very friendly trainer, approachable, easy to work with, and amazingly knowledgeable. I would recommend him for any institution seeking training on any aspect of Drupal. Though we had three days of training, I wish we had five instead so that we could have gone more in depth into each topic and access Greg's wealth of knowledge!

The Library training was a blend of our standard training curriculum and some customization to fit their needs.


Greg's picture

The Dao of the Drupal Community

Greg Knaddison

Growing Venture Solutions

July 2008


Greg's picture

DrupalCamp Colorado - Welcome!

Greg Knaddison

greggles

2008/03/05 9:00

DrupalCamp Colorado

Best DrupalCamp Colorado Ever!

The bathrooms...

Big thanks to Denver Open Media.

Big thanks to Aten Design Group.

Do-ocracy
Drupal(Camp) is what you make of it.

tag it: drupalcampcolorado

drupalcamp

(on monitor upstairs)

Lightning!

S5 Presentation Layer.
Simple Standards-Based Slide Show System
(no, it's not SSBSSS nor S2BS3)
(because Eric Meyer said so)

<!--pagebreak--> + words = presentation!

Where are the slides?
Oh...they're already online in a shareable format.


Greg's picture

Quick Introduction to Views 2

Greg Knaddison

Growing Venture Solutions

July 2008

DrupalCamp Colorado

What is Views 1?
The views module provides a flexible method for Drupal site designers to control how lists of content (nodes) are presented.

What is views 2?
The views module provides a flexible method for Drupal site designers to control how lists of anything are presented with a kickass Ajax interface.

Questions?

Demo!

Raffle for Komodo
Advanced help
Non-node tables

Session list (and block)
Basic node list
Overrides

Comments + moderation

Image + ajax + minipager = carousel...?

Stump the Chump!


Greg's picture

DrupalCamp Colorado - Great Sessions, Sponsors, Prizes

We're just under 3 weeks away from DrupalCamp Colorado 2008 which will be held July 26th and 27th. We're accepting more presentations and already have several great sessions to vote on.

I want to highlight a few notable things about this DrupalCamp.

Remote Presenters Welcome

Thanks to the work of Kevin Reynen we are welcoming remote presenters to the camp. If you can't make it to Colorado but want to share your message, this is your opportunity.

Great Sponsors and Prizes


Greg's picture

Why You Should Use Pathauto (or at least Path Aliases for Many Pages)

I recently saw a comment about Pathauto and started writing a really long reply that seemed more valuable to share here.

Basically one of the questions people have is "Why should I use Pathauto? If I don't care about SEO is there any other reason?"

This is a valid question to me. There is some indication that users don't look at the URL bar. During the Usability testing at UMN we never noticed people looking at the URL bar in the eye-tracking data. But some people certainly do look at the URL bar - people who like "hackable urls" do

Hackable URLs

I use it extensively to create "hackable URLs" that are valuable to a user. A "hackable url" or "index alias" is the feature on a site where you have a post and then users can remove the title down to the previous URL element and get the other posts from that month, one more layer for the year, and one more for that user since forever. See - fun! I even made a movie about it:

Site Credibility Prior to the Click

I frequently get URLs sent to me via email and IM. Compare these two URLs:

http://drupalcampcolorado.org/node/38

vs.

http://drupalcampcolorado.org/content/our-sponsors

Which one are you more likely to click on? Which one helps you understand what content you are going to get before you even get there?

Easy to Remember URLs


Greg's picture

Drupal Download Statistics - January 2008 Data

Every quarter I try to munge and analyze the download data. The data for January is now available. Views continues its reign at the top of the module list. Images and WYSIWYG remain popular. Popular themes continue to be dominated by those whose names start with letters at the beginning of the alphabet.

Most Popular Drupal Modules



Featured Team Member

Steve, who occasionally plays the role of digital janitor, knows how to build sites right the first time to reduce long term maintenance.

We Wrote the Book On Drupal Security:


We'll be at Drupalcon San Francisco

We're sponsoring, attending, and teaching at Drupalcon San Francisco. We hope you'll join us.