Vulnerability which is only present in a non-stable release

1. Grant the module maintainer access to the issue so they will know what is going on.
2. Post this as a comment on the issue (note that "NAME" in the bug report URL below needs to be replaced with the actual project name).

If the report was received via email, do the same things, but via email.

++++++++++++++++++++++++++++++++++++++++++++++
Thank you for reporting this issue.

File system changes

Purpose

This document outlines several methods to track changes to a website at the file/directory level. File system monitoring should be applied along with regular file and database backups.

Goals

The goals of file system tracking include:

  • Monitor changed and added files
  • Log changes and additions
  • Ability to revert granular changes
  • Automated alerts

Adding File Encryption to existing Drupal 7 site

Background

A site was set up a while ago (pre-Snowden), and there is now a desire to improve security in general.
The site is used for company communication and to share information and files across management.
A number of files have already been stored unencrypted. All uploaded files will have to be re-loaded and the file field in the Content Type will have to be revised.

Services Security Updates

This page is used as documentation for Services Security. It's unfortunate that issues come up that affect Services, but running the latest version of Services should help mitigate issues.

If you see an issue and think it is security related, please follow the instructions here.

Updating OpenAid

The update process with OpenAid is the same as the process for updating modules on a standard Drupal site. Note that contributed modules for OpenAid live in profiles/openaid/modules/contrib rather than the common setup of sites/all/modules/contrib.

OpenAid does have regular updates, oftentimes to keep up with security releases of Drupal core and contributed modules. However, OpenAid site maintainers are encouraged to update modules (especially those with security updates) as updates become available rather than waiting for a new release of OpenAid.

Clickjacking is not considered a weakness in core

Clickjacking is a vulnerability in which a malicious user targets authenticated users of a site and tricks them into taking actions they do not intend by placing the target site into an iframe. Drupal core does not have any protection against Clickjacking attacks. Drupal sites often need to be placed into iframes, so it doesn't make sense for core to take a particular stance on this issue.
