Appnovation Technologies: 4 Drupal Security Issues

Mon, Feb 8, 2010 by Arnold

UPDATE: There is some controversy about 1), see more information here: http://drupal.org/node/475858. As pointed out by some readers, there are other ways to figure out the Drupal version of the site.

While Drupal is a secure system, there are 4 configuration issues that are often overlooked when developing a Drupal site. By following a few easy steps, we can make a Drupal site much less vulnerable.

1) Leaving Drupal Version Information Text Files on Server
A lot of developers forget to delete the Change Log and other text files that come with the Drupal package. By leaving the text files on the server and having them accessible, you enable potential hackers to know about the exact version of Drupal that you are using. Once the hackers know about the version, they can more easily find the exploits to hack into the Drupal site.

2) Cross Site Scripting