Drupal Security Patches
This isn't actually news, but I'm adding it for reference. In the last few months, and during my work on Drupal (as part of my job or contributions to Drupal), I discovered 2 security vulnerabilities in Drupal core: the first one is an SQL injection vulnerability that I spotted while reviewing access logs for a website I maintain. Some bot was trying to request malicious URLs and one of them triggered an error message in the logs. I investigated and turned out that it was possible to pass input into queries without sanitization in certain cases.
The other one is a cross-site scripting vulnerability. I was analyzing user.module to understand how certain parts worked when I noticed that a variable was printed to page output without passing through filters first.
Both where reported and discussed on the security mailing list, and new versions were released later.
while I am at it, here are a couple of tips:
- Monitor your website access and error logs regularly. This way, you are more likely to notice and stop malicious activities. Linux text processing commands can greatly help in analyzing large log files.
- Keep your web applications up to date, and subscribe to the application's security announcement list (if any). Here's Drupal's security announcements list.
