Drupal security note 12/5/2023

Drupal uses CKEditor, and it has updated to version 4.14, which addressed two cross-site scripting (XSS) vulnerabilities.

“The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations,” reads the advisory published by Drupal. “Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.”

Both issues have been rated as moderately critical; they received a risk score of 13/25.

The latest versions of Drupal, 8.8.4 and 8.7.12, include CKEditor version 4.14, which fixes both issues. Drupal 8 versions prior to 8.7.x have reached end-of-life and will not receive security updates. Drupal 7 is not affected by the issue, but the use of CKEditor version 4.14 or higher is recommended.

According to the release note published for CKEditor 4.14, the flaws are not easy to exploit. For example, one of the XSS flaws affects the HTML data processor: it could be exploited by tricking the victims into pasting malicious HTML code into the editor, either in WYSIWYG mode or source mode. The other issue impacts a third-party plugin named WebSpellChecker Dialog plugin, which is included in the Standard and Full presets of CKEditor 4. This issue could be exploited by an attacker that tricks the victim into switching CKEditor to source mode, pasting malicious code, switching back to WYSIWYG mode, and previewing the content on a page where the WebSpellChecker Dialog plugin files are available.

The risk of exploitation of the flaws could be mitigated by disabling the CKEditor module.

Every application or website exposed to the internet is susceptible to exploitation by malicious users. Here are some of our team's best practices and essential modules to secure any new Drupal installation.

The Password Policy module allows developers to configure policies that make passwords more secure. It’s recommended to install it to force users to change their passwords frequently and to use secure passwords. We recommend setting the following policies:

- Password username: the username should not be part of the password.
- Password history: the last X passwords can’t be repeated.
- Character types: use at least X character types.
- Password length: the password should be at least X characters long.

Also, a password expiration time could be added into the mix if the client thinks it’s needed. (Optional) Password strength: the Password Strength module allows requiring at least some level of strength for the password, based on some predefined metrics.

However, it’s good to note that some prominent figures in cybersecurity are starting to speak against frequent password expiration policies. They argue that sometimes these policies do more harm than good. You can read a bit more about this in the following links:

- Time to rethink mandatory password changes
- Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903

The Two-factor Authentication (TFA) module permits the use (and enforcement) of a second factor to log in to your Drupal site. It’s always recommended to rely on something that you know and something that you have to secure the authentication for a site or application.

Redirection to HTTPS

Ensure that if someone enters an HTTP address, it will be redirected to HTTPS. This will make communications more secure and avoid cases where you’re logged in on HTTP but not on HTTPS, or the other way around. This redirect can be done in different ways depending on your site and hosting platform. Drupal ships with a .htaccess file, so on Apache hosting the redirect should happen in this file with some code like this:

```
# Exclude domains
```

If the site is hosted on Pantheon and there’s only one domain, you should choose the primary domain in the dashboard, and the redirect (with HSTS) will happen by default.
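Whichever way the HTTP-to-HTTPS redirect is configured, it is worth verifying the result from the outside. The following is an added example (not code from this post or from Drupal) that checks two captured responses: the reply to a plain-HTTP request must be a redirect to the same host and path over https, and the HTTPS reply must carry a Strict-Transport-Security header. The responses are constructed inline, the host www.example.com is a placeholder, and the one-year HSTS minimum is an assumed threshold for this example.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 307}
MIN_HSTS_MAX_AGE = 31_536_000  # one year; assumed threshold for this example


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response head into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_redirect(raw: str, requested_url: str) -> list:
    """Return problems with the response served for a plain-HTTP request."""
    status, headers = parse_response(raw)
    problems = []
    if status not in PERMANENT | TEMPORARY:
        return [f"no redirect: HTTP {status} served over plain HTTP"]
    if status in TEMPORARY:
        problems.append(f"temporary redirect {status}; use 301/308 so clients remember it")
    location = headers.get("location")
    if not location:
        return problems + ["redirect without a Location header"]
    target, requested = urlsplit(location), urlsplit(requested_url)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    if target.hostname != requested.hostname:
        problems.append(f"Location host {target.hostname!r} differs from {requested.hostname!r}")
    if target.path != requested.path:
        problems.append("requested path not preserved in redirect target")
    return problems


def check_hsts(raw: str) -> list:
    """Return problems with the Strict-Transport-Security header of an HTTPS response."""
    _, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = None
    for d in directives:
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip('"'))
    problems = []
    if max_age is None:
        problems.append("HSTS header without max-age directive")
    elif max_age < MIN_HSTS_MAX_AGE:
        problems.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    return problems


# Constructed sample responses (not captured from any real site).
GOOD_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://www.example.com/user/login\r\n"
                 "Content-Length: 0\r\n\r\n")
BAD_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                "Location: http://www.example.com/\r\n\r\n")
HSTS_OK = ("HTTP/1.1 200 OK\r\n"
           "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
           "Content-Type: text/html\r\n\r\n<html></html>")
HSTS_WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"

if __name__ == "__main__":
    request = "http://www.example.com/user/login"
    print("good redirect:", check_http_redirect(GOOD_REDIRECT, request))
    print("bad redirect: ", check_http_redirect(BAD_REDIRECT, request))
    print("hsts ok:      ", check_hsts(HSTS_OK))
    print("hsts weak:    ", check_hsts(HSTS_WEAK))
```

The login path is used as the request because that is the page where being left on plain HTTP matters most; a redirect that drops the path (as in the second sample) sends users to the front page over HTTPS but leaves the original HTTP login URL working.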
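To make the four password policies listed earlier concrete, here is an added example (not the Password Policy module's code) that enforces them in one validator: minimum length, minimum number of character types, username not contained in the password, and no reuse of the last N passwords. The history is kept as salted PBKDF2 digests rather than plaintext, which is the hypothetical storage choice made for this example; the policy numbers and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 12          # "password should be at least X characters long"
    min_char_types: int = 3       # "use at least X character types"
    history_size: int = 5         # "last X passwords can't be repeated"
    forbid_username: bool = True  # "username should not be part of the password"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Hypothetical helper for this example: salted PBKDF2 so the history never stores plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def record_password(history: list, password: str, history_size: int) -> None:
    """Append the new password's salted digest and keep only the last `history_size` entries."""
    salt = os.urandom(16)
    history.append((salt, _hash_password(password, salt)))
    del history[:-history_size]


def count_char_types(password: str) -> int:
    """Count the character classes present: lowercase, uppercase, digits, anything else."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    count = sum(any(c in cls for c in password) for cls in classes)
    if any(c not in string.ascii_letters + string.digits for c in password):
        count += 1
    return count


def check_password(password: str, username: str, history: list, policy: PasswordPolicy) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"too short: {len(password)} < {policy.min_length} characters")
    types = count_char_types(password)
    if types < policy.min_char_types:
        violations.append(f"too few character types: {types} < {policy.min_char_types}")
    if policy.forbid_username and username and username.lower() in password.lower():
        violations.append("username must not be part of the password")
    # Compare against the retained history without revealing which entry matched.
    for salt, digest in history[-policy.history_size:]:
        if hmac.compare_digest(_hash_password(password, salt), digest):
            violations.append(f"password reused: matches one of the last {policy.history_size}")
            break
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, min_char_types=3, history_size=3)
    history = []
    for old in ("First-Password-01", "Second-Password-02", "Third-Password-03"):
        record_password(history, old, policy.history_size)
    for candidate in ("Third-Password-03", "alice2024alice!!", "short", "Tr0ub4dor&3-rides"):
        print(f"{candidate!r}: {check_password(candidate, 'alice', history, policy)}")
```

Because the history is trimmed on every write, a password older than the configured window becomes reusable again, which is exactly the behaviour the "last X passwords" wording implies; raise `history_size` if that is not acceptable for the client.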