
Security

Here are the slides from my session "Securing your Drupal site" that I held at drupalcamp.at. The topic that I tried to cover was so huge that it just wasn't possible to manage it in 45 minutes, and I just barely scratched the surface.

There are certainly not many Linux viruses (at least compared to the Windows platform), but it seems that Linux viruses have a very long life. After 6 years Rst-B is still active, and not only that, it is also responsible for infecting 70% of Linux servers:

Anybody who has used the og module for Drupal knows what powerful features this module gives users: the ability to organize themselves in public groups, private groups... Private groups give your Drupal users the opportunity to share content accessible only to other group members. BUT a user may be tempted to think that file attachments to private group nodes are also private, and that is of course very wrong. Drupal stores files in the publicly available 'files' folder. Every node file attachment is available at a URL like http://drupalsite/files/somefile.txt.

06 Jan, 2008

GMail cracked

Today I stumbled on this very scary story. In short, David Airey's domain was stolen by a cracker who used "multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list". Then the evil hacker requested $650 to return the domain to David.

While browsing the Pardus main site to find more info about this nice distro, I stumbled on a very nice blog post, "About security ninjas" :)

What is a security ninja? Well, hard to define them actually. They are superior beings that are able to handle huge armies of bugs single-handedly.
