Questions tagged [drupal]

Security questions related to Drupal. Drupal is a free and open-source content management framework written in PHP. For general (non-security) Drupal questions, please visit http://drupal.stackexchange.com/.

19 questions
20 votes, 4 answers

What are the security threats of zip file uploads and what preventive actions should be taken?

We have a Drupal application developed for sharing files. We are allowing zip files to be uploaded by logged-in departmental users. We are using the Drupal private file system (outside the webroot). We are using PHP Fileinfo for validation. Only logged in…
msmani
9 votes, 2 answers

Drupal filters XSS with regexes. What could bypass it?

Drupal filters HTML strings against XSS attacks using regexes: http://api.drupal.org/api/drupal/includes%21common.inc/function/filter_xss/7 However, as a lot of people know, HTML can't be parsed with regex. Which makes me think that the filter_xss…
Florian Margaine
8 votes, 1 answer

Why am I getting url requests for pages I never had on my site?

On my Drupal site I'm getting strange requests for URL paths that I have never had and have nothing to do with my site. Could someone explain why people (or bots) are looking for the following…
6 votes, 1 answer

Drupal 7 - attack in the logs

In my Drupal 7 logs I see entries such as: http://example.com/?q=file/ajax/name/%23value/form-tkSDwR6W66a8vR_AIDxAzwMVklkjTkNMjf8SEqfTX8Q There are several entries like this one, with only the last string changed. It is by an unauthenticated user.…
MMT
6 votes, 2 answers

Drupal Disputed CVE Five Year Tempest – Open Source Security Shortfall?

Can someone add context to the subject issue? At first glance it appears to me this issue represents a fundamental shortfall in the forces encouraging secure coding in open source development. Is that the case and/or is this example common or a…
zedman9991
3 votes, 3 answers

Drupal SQLi only on login form?

Recently, CVE-2014-3704 was in the news. This vulnerability allows attackers to execute SQLi without the need of being logged in. However, I've looked at the available exploits, and I found only exploits that make use of the login form. Does this…
f4der
3 votes, 2 answers

Should I be worried about these Drupal 7 username attack attempts?

In my logs I see regular attempts, a few times a day like these…
MMT
2 votes, 1 answer

Is OSSEC effective in protecting a Drupal installation?

I noticed that the 2.8.1 rules have WordPress and other products listed, but no Drupal rules. Is it safe to assume OSSEC, acting like an IPS in active mode, is just not going to block any Drupal-specific attacks? I understand there are generic…
2 votes, 1 answer

ALERT - ASCII-NUL chars not allowed within request variables

On a Drupal site, I get this error in my Debian syslog: suhosin[9413]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'name' (attacker 'x.x.x.x', file '/path/to/index.php') I am wondering whether it indicates…
hnn
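Several of the posts above ("Drupal 7 - attack in the logs", the username attack attempts, the OSSEC question about missing Drupal rules, and this Suhosin alert) come down to the same task: recognising probe traffic in log lines and deciding whether a source deserves a block. As an added example, not code from any of the posters, from Drupal or from OSSEC, the following Python parses Apache combined-format access lines and Suhosin syslog alerts, applies a small rule set, and tallies hits per client IP. The rule names, the threshold and the sample lines are constructed for the example; the file/ajax path pattern is taken from the request quoted above, and the WordPress-style paths are the kind of generic scanner noise the 404 question describes. The example does not claim what the file/ajax request is trying to do, only that a site that never serves that path should treat it as a probe.

```python
"""Flag CMS probe traffic in web-server and Suhosin log lines (constructed example)."""
import re
from collections import Counter, defaultdict

# Apache combined log: client IP, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Suhosin syslog alert, in the shape quoted in the post above.
SUHOSIN_RE = re.compile(r"suhosin\[\d+\]: ALERT - (?P<msg>.*?) \(attacker '(?P<ip>[^']+)'")

# Assumed rule set: the file/ajax form path quoted above, paths scanners try on
# any PHP host, and percent-encoded NUL bytes in the request.
PATH_RULES = [
    ("drupal_file_ajax_probe", re.compile(r"file/ajax/\S*%23value/form-", re.I)),
    ("foreign_cms_probe", re.compile(r"/(?:wp-login\.php|wp-admin|xmlrpc\.php|phpmyadmin)", re.I)),
    ("nul_byte_in_request", re.compile(r"%00", re.I)),
]


def parse_line(line):
    """Return a dict with 'source', 'ip' and 'path' or 'msg', or None if unrecognised."""
    m = ACCESS_RE.match(line)
    if m:
        return {"source": "access", "ip": m["ip"], "path": m["path"], "status": int(m["status"])}
    m = SUHOSIN_RE.search(line)
    if m:
        return {"source": "suhosin", "ip": m["ip"], "msg": m["msg"]}
    return None


def classify(event):
    """Names of the rules a parsed event triggers (possibly none)."""
    if event["source"] == "suhosin":
        return ["nul_byte_in_request"] if "ASCII-NUL" in event["msg"] else ["suhosin_alert"]
    return [name for name, rx in PATH_RULES if rx.search(event["path"])]


def scan(lines):
    """Map client IP -> Counter of rule hits over the given log lines."""
    report = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for rule in classify(event):
            report[event["ip"]][rule] += 1
    return dict(report)


def ips_to_block(report, threshold=2):
    """IPs whose total hits reach the (assumed) threshold, sorted for stable output."""
    return sorted(ip for ip, hits in report.items() if sum(hits.values()) >= threshold)


# Constructed sample lines modelled on the requests quoted in the posts above
# (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /?q=file/ajax/name/%23value/form-tkSDwR6W66a8vR_AIDxAzwMVklkjTkNMjf8SEqfTX8Q HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2014:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2014:13:56:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
Oct 10 13:57:01 web1 suhosin[9413]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'name' (attacker '203.0.113.7', file '/path/to/index.php')
192.0.2.4 - - [10/Oct/2014:13:58:10 +0000] "GET /node/1 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    rep = scan(SAMPLE_LOG.splitlines())
    for ip, hits in sorted(rep.items()):
        print(ip, dict(hits))
    print("block:", ips_to_block(rep))
```

A 404 for /wp-login.php on a Drupal host is scanner noise rather than evidence of compromise, so the threshold and the weighting of rules are policy decisions; the value of a site-specific rule like the first one is that it fires on a path the site itself never generates, which is exactly the gap a generic rule set such as the OSSEC one discussed above leaves open.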
2 votes, 0 answers

What does this potentially malicious php code do?

Somebody hacked my webserver and uploaded many of the following files with random names in different subdirectories of my webroot. The file looks something like this and - even though I managed to beautify it - I am unable to decipher the…
2 votes, 3 answers

How to exploit DRUPAL-SA-CORE-2012-003

I have read the security notices and understand that it "would allow an attacker to reinstall an existing Drupal site with an external database server and then execute custom PHP code". According to Drupal, "re-installation can only be successful if…
Digital fire
2 votes, 0 answers

Drupal logs are reporting 404s from bot visits but I have apache basic auth set up

In the Drupal logs on my dev site there are "page not found" reports that are obviously from a bot trying out well-known URLs (e.g. /wp-login). But I have set up Apache basic auth and I am the only person who knows the password! If I go to those…
naomi
1 vote, 0 answers

Is it dangerous to append search query to the base URL?

I'm testing a Drupal website and I've noticed that the search query gets appended to the base URL in the response, like so: query: "hey ho: there" http://www.baseurl.com/search/node/hey ho%3A there query: "dis iz…
Mercurial
1 vote, 1 answer

How much access to the file system does the recent Drupal vulnerability give?

A friend's Drupal site was hacked. What is strange is that the root directory of the installation at the hosting company (let us call it rootdir) was copied (or renamed) rootdir_hacked and the directory rootdir was left with one file index.html saying the…
Bent
1 vote, 1 answer

Session sync between two web apps on the same domain

I have a Laravel 6 site, and a legacy Drupal 7 site. Both are served under the same domain, and both share the same user database table. I'd like users to be able to log in via Laravel (never via Drupal) and then browse between the two systems…
jeff-h