This project is not covered by Drupal’s security advisory policy.

The evil module will try to be ran from your drush commands or Drupal bootstap code in ways you may not expect. It is designed to be used for penetration testing and debugging.

This module should generally NOT be installed on your Drupal site. It serves no other purpose than being noticed and try to nag users as much as possible. Do not enable this module unless you know what you're doing.


The idea behind this project is that while we generally assume trusted users maintain the modules on your site, unstrusted users may be able to creep through your install and deploy a module in a location that you wouldn't expect, but still that Drupal would still bootstrap and run. This module is therefore designed to be hooked into as many places as possible in Drush and Drupal bootstrap sequences so that it gets loaded any time you:

* bootstrap drupal (if the module is in sites/all/modules)
* bootstrap drush (it has a file)
* load themes (it should have a .theme file too, while we're at it)

This was designed to test shared hosting security within the Aegir project (see issue #762138: Design security issue with developer access to sites' modules and themes) but can be used by anybody.

Similar projects

The Vulnerable module does something similar, but is actually much more evil - it really contains security vulnerabilities, while the evil module should still be fairly safe for test purposes. That's because the evil module is not so evil: it only prints debugging information and writes to a logfile in /tmp. It could, however, be instrumented for escalated privileges and other attacks, but that is not the goal of this project. We are not using the vulnerable module to do this because the latter actually exposes new vulnerabilities instead of just helping with debugging.


Props to sfyn for ideas and feedback and for for sponsoring this module through its continuous support of the Aegir project.

Project information

  • caution Seeking new maintainer
    The current maintainers are looking for new people to take ownership.
  • caution No further development
    No longer developed by its maintainers.
  • Module categories: Developer, Drush, Security
  • shield alertThis project is not covered by the security advisory policy.
    Use at your own risk! It may have publicly disclosed vulnerabilities.