Category Archives: Security Advisories

Drupal Security

Drupal Security: Some Useful and Practical Ideas

Drupal is renowned as a secure and robust Content Management System. In fact, a good number of Drupal users choose it primarily for its security features and reliability, and Drupal security has long been a well-known topic in web development.

However, that does not mean Drupal is entirely immune to security threats. With new security issues surfacing all the time, Drupal security also needs attention, and hardening your Drupal website is always a good idea.

So, where do you get started with Drupal security? Are there any steps that you can take to harden and secure your Drupal website? This article will provide the answers.

Prelude

First, we need to understand Drupal security threats properly in order to tackle them. What type of Drupal security issues exist, in general?

As many as 41.5% of the security threats faced by Drupal sites are XSS (cross-site scripting) vulnerabilities. Naturally, this means you need to focus on keeping your modules up to date and on preventing malicious code from being injected into your site's data.

Thankfully, Drupal security is a major topic in its own right, and the Drupal security team takes it very seriously. This infographic gives a brief idea of how security issues are assessed and handled by the Drupal core team (source):

[Infographic: Drupal Security]

You can follow the official Drupal Security channel for security threats, advisories and updates. Alternatively, you can receive the same alerts on Twitter:

This way, you will stay updated about Drupal security issues. Got a module that has been compromised? With the right information at the right time, you can prevent it from damaging your website!

Basic Steps

Drupal is only as strong as you make it. Here are a few basic steps that you can take to further enhance Drupal security.

  • Always use a strong password for your administrator account. A complex password makes brute-force attacks against your Drupal site far less likely to succeed. More importantly, avoid the default admin username and choose one that is hard to guess.
  • Make sure you keep your Drupal installation as well as any modules or templates that you use updated to the latest version.
  • It is vital that you use Drupal themes or modules only from reputed sources. For free ones, stick only to the official repository and nowhere else. For premium modules or themes, consider reputed shops and marketplaces.
  • Take regular backups of your website data. This way, if something ever goes wrong, you will be able to resume without losing your content.
  • For connecting to your site, prefer SFTP over FTP whenever possible. Also, if you have not done so already, consider a CDN that can filter out bad bots, such as CloudFlare.

Database Security

Your Drupal database is a crucial component of your website. Naturally, you must pay special attention to its security.

When installing Drupal, make sure you change your database prefix as well as the table prefix to something other than the default values. If you are installing it via Softaculous, you can easily do it during the installation process itself.

Drupal Security Modules

Much like every mature Content Management System out there, Drupal comes with its own set of security modules that you can use to harden and secure your website.

  • The first Drupal security module that you should install is Security Review. This module analyzes your website and provides a summary of the security issues that you need to fix. Got files that are writable remotely? An outdated theme? Some code files that should not be there? User permissions that can pose a threat? This module will tell you everything you need to know.
  • Secondly, if you need to prevent brute force attacks, the Two-Factor Authentication module can be of use. It can be used to set up two-factor authentication on your Drupal website within minutes.
  • Hacked! is another useful Drupal security module that compares your core, theme and module files against the repository versions. If a given file has been changed, it can alert you. If you do not remember making that change, it is most likely the result of malicious activity.
  • Similarly, Coder can check your Drupal theme and module files for coding standards and security conventions. However, beyond security, it can also assess the coding practices being used in the said modules or themes and is more of a developer’s toolkit.
  • If you are worried about user permissions, Content Access can be used to define permissions and access rules for various user account types. It can help you improve the security of your website by ensuring that user accounts do not have excess privileges on your site’s data.
  • Login Security is a Drupal security module that can be used to limit the number of login attempts. This particular module can also be used to block malicious bots on the basis of IP addresses.

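The file comparison that Hacked! and Security Review perform, as an added example that is not the modules' own code: a baseline manifest of SHA-256 digests stands in for the "repository version", and the check reports files that were changed, added (code files that should not be there) or removed. The directory layout, file names and contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example (not the Hacked! module's code): a minimal integrity check in
# the spirit of Hacked! / Security Review. A baseline manifest stands in for the
# "repository version"; anything changed, added or missing is reported.

def hash_file(path):
    """SHA-256 of one file, read in chunks so large assets stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest

def compare(baseline, current):
    """Return sorted lists: (changed, added, missing) relative paths."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return changed, added, missing

def demo():
    """Constructed scenario: a clean contrib module, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as root:
        mod = os.path.join(root, "modules", "contrib", "example")
        os.makedirs(mod)
        for name, body in {"example.module": "<?php\n", "example.info.yml": "name: Example\n",
                           "README.txt": "docs\n"}.items():
            with open(os.path.join(mod, name), "w") as fh:
                fh.write(body)
        baseline = build_manifest(root)  # snapshot of the known-good tree
        with open(os.path.join(mod, "example.module"), "a") as fh:
            fh.write("// edited after install\n")          # changed file
        with open(os.path.join(mod, "extra.php"), "w") as fh:
            fh.write("<?php\n")                            # file that should not be there
        os.remove(os.path.join(mod, "README.txt"))         # missing file
        return compare(baseline, build_manifest(root))
```

Calling `demo()` returns the three lists; on a real site you would store the baseline manifest off-host and run `compare()` against a fresh `build_manifest()` of the docroot.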
Conclusion

So there you have it: some easy-to-implement and very effective security measures for hardening your Drupal website. By combining login security steps, software updates, database security measures and helpful modules, you can ensure that your Drupal website remains safe from malicious users and bots alike.

Got a Drupal security tip of your own? Share it with the world in the comments below!

Google Docs Phishing – May 3rd 2017 – Be Careful!

Many may already know about the widespread Google Docs phishing email scam, which contains a link that appears to come from someone you know. We have received numerous messages to our company mailboxes containing these links.

If you are not familiar with phishing, it is a technique in which an attacker uses a crafted web page, link or similar lure to trick a user into providing their login credentials. Once that happens, the attacker has your login information and can access anything those credentials protect.

We would like to alert our customers to this phishing scam and how you can protect your account with us should you become compromised.

  1. Use different passwords for all services
  2. Utilize strong, complex passwords
  3. Enable two-factor authentication when available

We provide the ability to enable two-factor authentication (something you know + something you have) for logging into our support/billing portal, as well as for logging into your cPanel & WHM hosting accounts.

To enable two-factor authentication on our support/billing portal, you can follow our instructions here: https://www.veerotech.net/kb/account-management-portal-two-factor-authentication-billing-support/

To enable two-factor in your cPanel account, you can follow our guide here: https://www.veerotech.net/kb/cpanel-two-factor-authentication-multi-factor-authentication/

A number of outlets are currently reporting the Google Docs phishing attack; for further reading we recommend the blog entry on Malwarebytes: https://blog.malwarebytes.com/cybercrime/2017/05/google-docs-app-spam-goes-phishing/

**Note: The two-factor methods above are not related to this phishing incident. We recommend activating two-factor authentication on your accounts with us to further protect your VeeroTech accounts should you be affected by this attack.**

WordPress 4.2.2 Security and Maintenance Release – Critical

WordPress has released a critical security update that should be applied immediately. From WordPress:

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Full post here: https://wordpress.org/news/2015/05/wordpress-4-2-2/

WordPress WP-Super Cache vulnerability – update immediately!

An important update has been released for the widely used WP Super Cache caching plugin for WordPress. The vulnerability was found by Sucuri, a security company dedicated to testing web applications for security vulnerabilities.

We strongly recommend updating this plugin immediately if you have it installed on your website. You can do this from your WordPress dashboard by navigating to Plugins > Installed Plugins and locating the WP Super Cache plugin. The upgrade link appears within the plugin's details.

WHMCS Security Advisory TSR-2014-0001

WHMCS has released a new update for all supported versions of WHMCS. These updates contain changes that address security concerns within the WHMCS product.

We recommend you update your WHMCS installation(s) as soon as possible.

WHMCS has rated this update as having an important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels

Releases

Please update your installation to one of the following versions:

v5.2.16

Patches – What is a Patch?

Incremental patches can be downloaded by following the provided links below. These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.

The following incremental patches are available for direct download:

5.2.15 –> 5.2.16 http://go.whmcs.com/298/v5215_incremental_to_v5216_patch
MD5 Checksum: 706e352796e91c4f27a40470c83125b8

To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a “Patch Set” which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set

Full Release – What is a Full Release?

A full release distribution contains all the files of a WHMCS product installation. It can be used to perform a new install or update an existing installation (regardless of previous version).

5.2.16 – Downloadable from the WHMCS Members Area
MD5 Checksum: fe2a804ade2bfd69d4107ff8aa1b718b

To apply a full release, download the files as indicated above. Then follow the upgrade instructions for a “Full Release Version” which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version

Important Maintenance Issue Information

This Advisory provides resolution for the following important maintenance issues:

Case #2557 – 2Checkout Gateway: Update to currency variable
Case #2623 – Fix calculations of promotions when more than 50% off
Case #2739 – Add TLD Specific Fields required for .CN domain registrations
Case #2874 – Authorize.net Echeck: Fix capture function behaving incorrectly
Case #3019 – Refine internal criteria for bulk domain lookup
Case #3030 – Resolve SQL error in Income by Product Report
Case #3086 – Nominet Registrar: Update to Contact Registration Logic for Individuals
Case #3116 – Required Custom Fields not validating correctly when using API
Case #3360 – Resolved issue where one time promotions could be treated as recurring
Case #3360 – Disable Recur For input box when Recurring is disabled
Case #3361 – Fix time limited recurring promotions calculating incorrectly
Case #3388 – Fix Invalid Token Error when applying credit in Original and Portal Client Templates
Case #3414 – Payflow Pro: Update to store PayFlow Reference in PayFlow Mode
Case #3617 – Do not CC password reset emails to sub-accounts
Case #3740 – ProtX VSP Form: Pass correct callback values to debug log
Case #3801 – Resolved PDF Quotes missing clients name/address
Case #3802 – Make a quantity of zero remove item from the cart
Case #3809 – Regular Expression Custom Field Validation failing on single quotes
Case #3811 – Resolve Invalid Token error when deleting recurring calendar entry
Case #3814 – Improvements to IPv6 detection and validation logic
Case #3862 – NameCheap Registrar: Fix incorrect function name call
Case #3864 – Authorize.net Echeck: Fix storage of bank account details
Case #3893 – Enom SSL Module: Fix Province is Required Error Message
Case #3922 – PayPal Express: Remove auto-login from Express Checkout Module

Security Issue Information

This Advisory provides resolution for several security issues, all of which were either reported privately via the Security Bounty Program or found internally by the WHMCS Development team as part of the regular ongoing internal security audits.

There is no reason to believe that any of these vulnerabilities are known to the public. As such, WHMCS will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, WHMCS will release additional information about the nature of the security issues.

Case #3637 – Improve Access Controls in Project Management Addon
Case #3782 – Improve Access Controls in Tickets
Case #3783 – Improve Access Controls in Invoices
Case #3784 – Resolve Admin Area SQL Injection Vulnerability
Case #3839 – Resolve Potential XSS Vulnerability
Case #3841 – Resolve Potential XSS Vulnerability
Case #3842 – Resolve Potential XSS Vulnerability
Case #3843 – Resolve Potential XSS Vulnerability
Case #3846 – Improve Access Controls in Tickets
Case #3922 – PayPal Express Checkout Improve Validation
Case #3931 – Potential header injection via whois lookups
Case #3932 – Improve sanitization for whois query

All supported versions of WHMCS are affected by one or more of these maintenance and security issues.