security

Life after the hack: conference video

So your site has been hacked ? Or more likely you wonder what to do when it eventually happens : the video for my "Life after the hack" is now available. From initial diagnosis to return online, with a healthy dose of forensics along the way.

The slides are also available for easier access, but of course absent the extra speaker comments :

If non-admin users can see some user accounts but not others...

After a massive user import to a customer's site, said customer noticed that, while he could see any user profile when logged, he could only see some of them when he was not logged in, receiving an "access denied" on the other accounts.

Now, with the administer users permission, a user can see any profile, so this didn't come into consideration, but since anonymous users could see some profiles and not others, the permissions granting anonymous access to the profiles were obviously set up correctly. So what could be wrong ?

Drupal security from the outside

The OSInet team recently attended Solutions Linux, a trade fair focused on FLOSS, and while chatting with a sales engineer from a company specialized in Typo3, got asked which CMS we used, and of course answered "Drupal".

At that point, that person flinched somehow, acknowledging that Drupal was indeed one of the "Big 3" in the CMS space, along with Typo3 and Joomla, but was plagued with security issues making it rather unfit for professional deployment, as opposed to Typo3, which took security issues seriously. Continuing the discussion, it appeared that company has indeed at least acquired some Drupal knowhow too, due to customer request, but the person doing the criticizing was not directly familiar with Drupal.