Made to Order Software Corporation Logo

security

Protected Node Global Settings

The protected node module has global settings found under:

Administer » Site configuration » Protected node

Protected node Statistics

The page starts with statistics to let you know how pages are protected on your website. All the counts include published and unpublished content.

  • Total nodes — the total number of nodes on your website
  • Unprotected nodes — number of nodes that do not have a password
  • Protected nodes — number of nodes that are current protected by a password
    • Showing title — number of nodes showing their ...

To Do Tokens

The To Do module supports tokens that can be retrieved using the Token module.

The available tokens will generally appear in the list of tokens as found under a text area.

The raw tokens are no representing any security risk. They simply return the raw value instead of a more human representation of the value. For example, when the priority is "High", the raw value is 2.

Insert Node Parameter: override (6-1.3) [special]

WARNING

This parameter is considered a security hazard. There is an option in your format definition that you have to turn on in order for the feature to work. When not selected, override is ignored. Only allow this feature in an input filter where you can trust users 100%.

One can use the override parameter to replace the expected data with their own data. Although one would think using the data directly would work as well, there are cases when this is useful.

By default the InsertNode module gets data from the $node object as defined by the system. At times, the data available in the

How to bypass Drupal strong security?

Interestingly enough, today I received a Security Advisory from Drupal saying that users received an email from a hacker asking them to install a Trojan module on their Drupal system.

I find it quite interesting since, if Drupal wasn't secure, the hackers would not have to ask you to make it unsecure, would they?

However, this shows how many CMS systems introduce a security issue problem to your web server installation since it is required to let your web server execute any one PHP file...

All the files installed on your web server and that are directly accessible from the outside (i.e. ...

jsMath Security Issue

Security Issue

A security issue was found in all versions of jsMath before 2.x-dev for Drupal 6.x of Jul 29, 2010.

You may still securely use older versions of jsMath on private websites and websites were you are the only user (as in, the only one who can log in.)

The Drupal Security Advisory issue is here: https://www.drupal.org/node/854402

Other Problem

There is another problem: jsMath offers a JavaScript function that parses entire web pages (although there are ways to circumvent that problem, the module does not currently make use of those.) The jsMath Drupal module uses the ...

jsMath Installation

Requirements

In order to use the jsMath for displaying mathematics with TeX Drupal 6.x module you need:

Table of Contents Settings

Filter Configuration

At this point, most of the Table of Contents configuration is done in the Table of Contents filter.

This means multiple Input formats allow you to make use of several different configurations.

Insert Node Parameter: repeat (6-1.2) [no content]

The repeat keyword is used to repeat the filtering on the data just inserted. This is particularly useful with the asterisk name or on nodes that do not otherwise include a format that transforms the tags included in themselves.

This let you create nodes that are like macros.

Note that the macro can itself include a repeat in one of its Insert Node tags.1

  • 1. As far as I can tell, this will not create recursive calls, however, if you have a problem with a macro using repeat, try to remove the keyword to see if that solves the problem. If so, let me know by

Insert Node Security Considerations

Although the accessibility of the node and comments are checked, it is a good idea to see this module as a security risk giving users a way to display nodes otherwise forbidden to them.

Because a lot of the data is used unfiltered, it is strongly suggest that you pay very close attention to the order of your filters. If you authorize this module to your users (i.e. where they can select an Input filter that includes this specific filter,) then look into checking the HTML code after this filter. Otherwise, a user could inject some unwanted HTML code1

  • 1. Of course, the inclusion of a node should

Update to Drupal 6.15

In order to keep our Drupal installation secure, we quickly updated to version 6.15.

As far as we know, none of the security issues fixed by Drupal 6.15 would affect any one of our existing customers. Yet, we prefer to be at the top security wise and made the change very quickly, as usual. If you have any question or encounter any problem, let us know. This change was very smooth and did not require any database updates.

I also wanted to mentioned the arrival of our new Web 2.0 hosting system. We are still working on it, but very soon you will be able to jump on the bandwagon and get a ...