Is there a good resource or list of known fixes for exploits in Drupal (including common modules) that I can use to close up holes in my sites?
I’m using 6.19 on all my sites, as well as making sure that any security updates for modules are installed immediately. Is there anything else I can realistically do? (Such as restricting access to all “/admin” urls to a certain set of IP addresses etc)
I know about the obvious bits, such as filtering user input on forms etc, but I’m wondering if there are other pitfalls I need to worry about…
Just all the common PHP security. In fact, just the top 10 as published by OWASP.
However, Drupal acts as a web-application framework, a little here too.
Drupal has security models and layers in place for all top10 OWASP issues. Allthough A6 (configuration) can go wrong. You will need to understand what you are doing and need to read the online help in Drupals admin in detail. You might open up security holes easily by changing settings, without knowing what they do exactly. For example: I have seen many Drupal sites that switch the default “input format” to e.g. Full HTML, because they think that helps editors, not realising that this makes this format the filter for all content, including comments. Opening up XSS-posting all over the place. Drupals online help mentions this, but people often don’t read that 🙂
Another thing to realise, is that Drupal does not scan code upfront. People must read trough code, and report found security issues, before they are dealt with. If you run many thrid party modules, you can be almost assured at least one of them will have a security hole in them. If you want to avoid that, you must scan yourself, or else avoid such modules alltogether.