Protecting against HTTP HOST Header attacks (prevent your site from thinking it is someone else)

Drupal 7 added a feature to core that is not directly user-facing but is sometimes called "poor man's cron". It runs a Drupal site's periodic tasks, such as emptying logs, sending e-mails, and clearing out caches, without an external cron job. This feature, when combined with dynamic detection of the "base URL" (added in Drupal 4.7), can lead to some screwy situations.
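As an added example (not Drupal's own code), the PHP below contrasts naive base-URL detection from the request's Host header with an allowlist check followed by pinning `$base_url`, the setting Drupal 6 and 7 read from settings.php. The allowlist hostnames and the sample request are constructed.

```php
<?php
// Added example, not Drupal core code. Shows why deriving the base URL from
// the Host header is risky when periodic tasks (e-mails containing links,
// cached pages) can be triggered by any page request, and a defensive check
// a site can place in settings.php before fixing $base_url explicitly.

// Hypothetical allowlist of hostnames this site is legitimately served on.
$allowed_hosts = array('www.example.com', 'example.com');

/**
 * Mimics dynamic base-URL detection: whatever Host header the client sent
 * becomes the site's idea of its own address, and therefore ends up in
 * generated links, e-mails and cached output.
 */
function naive_base_url(array $server) {
  $secure = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
  return ($secure ? 'https' : 'http') . '://' . $server['HTTP_HOST'];
}

/**
 * Defensive variant: normalise the Host header (lowercase, strip a trailing
 * port) and accept it only if it is on the allowlist. Returns NULL when the
 * header is missing or not recognised, so the caller can reject the request.
 */
function validated_host($http_host, array $allowed) {
  if (!is_string($http_host)) {
    return NULL;
  }
  $host = strtolower(trim($http_host));
  // Strip ":port" unless this is a bracketed IPv6 literal.
  if (strpos($host, '[') === FALSE) {
    $host = preg_replace('/:\d+$/', '', $host);
  }
  return in_array($host, $allowed, TRUE) ? $host : NULL;
}

// Constructed request in which the Host header does not match the site.
$request = array('HTTPS' => 'on', 'HTTP_HOST' => 'unexpected.invalid:8080');
// With naive detection the unrecognised host becomes the site's own address.
$naive = naive_base_url($request);

$host = validated_host($request['HTTP_HOST'], $allowed_hosts);
if ($host === NULL) {
  header('HTTP/1.1 400 Bad Request');
  exit("Unrecognised Host header\n");
}
// Request passed the check: pin the base URL instead of trusting the header.
// In settings.php this is the assignment Drupal reads; no trailing slash.
$base_url = 'https://' . $host;
```

Placing the allowlist check and the `$base_url` assignment in settings.php means every request, including the ones that trigger poor man's cron, is handled with a base URL the site owner chose.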

Deleting users who have written nodes/comments can lead to access bypass

Drupal sites can allow users to be deleted or even for users to delete themselves. This can sometimes lead to unexpected situations where anonymous users (i.e. the whole internet) are able to view or edit pages on the site which they otherwise shouldn't be able to see.

Suggested solution

For Drupal 6 and possibly Drupal 7: Rather than deleting users, simply block them.

For Drupal 7: on /admin/config/people/accounts, be cautious with the account cancellation option "Delete the account and make its content belong to the Anonymous user."

Is Drupal secure?

Drupal has a very good track record in terms of security, and has an organized process for investigating, verifying, and publishing possible security problems.

Drupal's security team is constantly working with the community to address security issues as they arise. More information about this process can be found in the security section of the handbook.

Anyone using Drupal should subscribe to the security mailing list (by editing your account profile) in order to automatically keep up to date with the latest security advisories of all types (see below).

Frequently asked questions

Is open source software secure?

The short answer is that, in general, open source software is as secure as or more secure than commercial software. A good summary of the relevant issues can be found in this article from IBM: The security implications of open source software. The increased security of using open source was cited as one reason the White House switched to Drupal.

How Drupal Addresses Common Security Vulnerabilities

Security team

Goals of the security team

  • Resolve reported security issues in a Security Advisory
  • Provide assistance for contributed module maintainers in resolving security issues
  • Provide documentation on how to write secure code
  • Provide documentation on securing your site
  • Help the infrastructure team to keep the drupal.org infrastructure secure

Members of the security team sometimes perform analysis of core or contributed project code, especially if there is a weakness that can be found by easy scanning, but in general the team does not review core or contributed code.

How to report a security issue

If you discover or learn about a potential error, weakness or threat that could compromise the security of Drupal, we ask you to keep it confidential and submit your concern to the Drupal security team.

How the team resolves reported security issues

  • Review the issue and evaluate the potential impact on all supported releases of Drupal.
  • If it is indeed a valid problem, the security team mobilizes the maintainer to eliminate it (whether for core or contrib).