In this report of a "post-hack analysis", Daisy Beckenbach points out how a hacker (better: cracker) was able to add viruses to a Drupal site. Perhaps the most telling part:
After much probing around, we found that it wasn't caused by any vulnerability in the Drupal code. This is apparently good news and a great relief.
...Here is what happened:
1. One of the admin accounts was leaked. This admin account has the right to modify "Access Control" in the Drupal website.
That's about all that I need to hear ;)
You can read the full report to learn some more details of the break-in, but the most important lesson to me is to follow common sense with your accounts: use a good password and keep it secret, never send it over unencrypted wifi, etc.
Comments
This is the best we can do!
This is the best we can do about security, because using any system will need admin and privileged user accounts.
I've always wondered...
I've been wondering if the super-user (user/1) should have special 'protections.' Make sure user one can't be deleted or modified by any other user, etc.
And maybe assign a special PIN to users of certain roles with administrator rights: a four-digit password in addition to the regular password. Not perfect, I know.
~silverwing
_____________________________________________
Land of Midnight | MisguidedThoughts | showcaseCMS
Thanks for the post. I would like to see someone combine the regcode functionality with a login password field, at least for user/1. The end result would be akin to credit card security; I am thinking of the three- or four-digit security code that is printed on the card and which you often must provide to a merchant when buying something over the phone, for example.
PS: It seems to me the title of the aforementioned blog item should be "Case Study of Lousy Password Management", as the events described are by no means specific to Drupal.
----------------------------------------------------------------------
http://www.bwv810.com/
I am a writer, researcher and solo Drupal freelancer.
I can communicate in French. / I can communicate in Russian.