Tuesday, June 28, 2011

Menu XSS when using Vertical Tab Module

When you are using the Vertical Tabs module, the menu tab is vulnerable to XSS: JavaScript entered in the menu link title is executed when the vertical tab summary is rendered, because the title is inserted as HTML without escaping. To avoid this, modify verticaltabs/js/menu.js as follows:

Drupal.verticalTabs.menu = function() {
  // Escape the menu link title with Drupal.checkPlain() before it is used as
  // the tab summary, so markup typed into the field is shown as text, not run.
  var x = Drupal.checkPlain($('#edit-menu-link-title').val());
  if (x != "") { return x; }
  else { return Drupal.t('Not in menu'); }
}
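The following is an added example, not code from the Vertical Tabs module or from this post. It models the summary callback above with the DOM lookup replaced by a plain string argument so it can run outside a browser, and shows the escaping that Drupal.checkPlain() performs beside the unescaped version. The names checkPlain, t, menuSummaryUnsafe and menuSummarySafe are assumptions made for the example.

```javascript
// Added example (not from the Vertical Tabs module): the summary text shown on a
// vertical tab is built from the menu link title and inserted as HTML, so the
// title must be escaped the way Drupal.checkPlain() does it.
'use strict';

// Equivalent of Drupal.checkPlain(): escape the four characters that can start
// markup or break out of an attribute. '&' goes first so it is not re-escaped.
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical stand-in for Drupal.t(): no translation, returns the string.
function t(str) { return str; }

// Unescaped form: whatever the author typed becomes the tab summary HTML.
function menuSummaryUnsafe(title) {
  return title !== '' ? title : t('Not in menu');
}

// Hardened form: the title is escaped before it reaches the summary.
function menuSummarySafe(title) {
  return title !== '' ? checkPlain(title) : t('Not in menu');
}

// Constructed input: a menu title containing markup, as a user could type it.
const crafted = '<b>Home</b><script>void 0</script>';

// Stand-alone run: show both results side by side.
console.log('unsafe :', menuSummaryUnsafe(crafted));
console.log('safe   :', menuSummarySafe(crafted));
console.log('empty  :', menuSummarySafe(''));
```

The escaped string still displays the title the author typed, but the browser now treats the angle brackets as text, which is exactly what the checkPlain() call in the patched menu.js achieves.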

Session Management

Configure the following in settings.php:

       ini_set('session.cookie_lifetime', 900);   // session cookie expires after 15 minutes
       ini_set('session.gc_maxlifetime', 900);    // 15 minutes before session data may be garbage collected
       ini_set('session.gc_probability', 1);      // with gc_divisor = 100: GC runs on 1% of requests
       ini_set('session.gc_divisor', 100);

Install the session_expire module to automate session expiry.

Insecure Cookies

To make Drupal cookies secure, edit drupal.js and add the secure and HttpOnly attributes to the has_js cookie.
 
If you use the Indic Script module, also edit indic_script/js/common.js and modify the function is_set_cookie() so that the cookie it writes carries the secure and HttpOnly attributes:

function is_set_cookie(name, value, expires, path, domain, secure) {
    // Build the cookie string: name=value followed by the optional attributes.
    var curCookie = name + "=" + escape(value) +
        ((expires) ? "; expires=" + expires.toGMTString() : "") +
        ((path) ? "; path=" + escape(path) : "") +
        ((domain) ? "; domain=" + domain : "") +
        // Original conditional, replaced so that the flags are always set:
        //((secure) ? "; secure" : "");
        "; secure; HttpOnly;";
    document.cookie = curCookie;
}
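The following is an added example, not code from drupal.js, the Indic Script module or this post. It builds the same kind of cookie string that is_set_cookie() hands to document.cookie, with the attributes chosen by flags, parses the result back to show which attributes are present, and checks one point that matters for the has_js change above: under RFC 6265 (section 5.3, step 10) a browser ignores a cookie that script tries to set with the HttpOnly flag, so HttpOnly can only be applied by the server's Set-Cookie header, while the secure attribute is honoured from script. The names buildCookie, parseCookie and acceptedFromScript are assumptions made for the example, and encodeURIComponent() is used in place of the deprecated escape().

```javascript
// Added example (not from drupal.js or the Indic Script module): build the
// cookie string that document.cookie receives, and check which attributes a
// browser following RFC 6265 will honour when the cookie is set from script.
'use strict';

// Build a cookie string in the same shape as is_set_cookie() above, with the
// attributes selected by flags instead of hard-coded text.
function buildCookie(name, value, opts) {
  const o = opts || {};
  let cookie = name + '=' + encodeURIComponent(value);
  if (o.expires)  { cookie += '; expires=' + o.expires.toUTCString(); }
  if (o.path)     { cookie += '; path=' + o.path; }
  if (o.domain)   { cookie += '; domain=' + o.domain; }
  if (o.secure)   { cookie += '; secure'; }
  if (o.httpOnly) { cookie += '; HttpOnly'; }
  return cookie;
}

// Split a cookie string into its name/value pair and its attribute names
// (attribute names lower-cased, since they are case-insensitive).
function parseCookie(cookie) {
  const parts = cookie.split(';').map(p => p.trim()).filter(p => p !== '');
  const eq = parts[0].indexOf('=');
  const attrs = parts.slice(1).map(p => p.split('=')[0].trim().toLowerCase());
  return { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: attrs };
}

// RFC 6265 section 5.3 step 10: a cookie received from a non-HTTP API
// (document.cookie) with the HttpOnly flag is ignored entirely. Only the
// server's Set-Cookie header can create an HttpOnly cookie.
function acceptedFromScript(cookie) {
  return !parseCookie(cookie).attrs.includes('httponly');
}

// Constructed examples for the has_js cookie.
const hasJsSecure = buildCookie('has_js', '1', { path: '/', secure: true });
const hasJsHttpOnly = buildCookie('has_js', '1', { path: '/', secure: true, httpOnly: true });

// Stand-alone run: show both strings and whether a browser would keep them.
console.log(hasJsSecure, '->', acceptedFromScript(hasJsSecure) ? 'set' : 'ignored');
console.log(hasJsHttpOnly, '->', acceptedFromScript(hasJsHttpOnly) ? 'set' : 'ignored');
```

For a cookie the server reads, such as has_js or the PHP session cookie, the HttpOnly flag therefore belongs in the server-side configuration (for the session cookie, PHP's session.cookie_httponly setting), and the JavaScript side should set the secure attribute only.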

SSH Without Password


  1. Run the following command on the client (the -P '' option gives the key an empty passphrase):
      ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P ''
     The files id_rsa and id_rsa.pub will be created inside $HOME/.ssh.
  2. Copy id_rsa.pub to the server (ssh-copy-id appends it to ~/.ssh/authorized_keys on the server):
      ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
  3. Now ssh to the server from the client; no password will be needed:
      ssh user@server

Apache + LDAP

OpenLDAP should already be installed.

In your Apache configuration file (Apache.conf) add the following lines:

LoadModule ldap_module <Path to mod_ldap.so>/mod_ldap.so
LoadModule authnz_ldap_module <Path to mod_authnz_ldap.so>/mod_authnz_ldap.so

<LocationMatch "/login">
    AuthType Basic
    AuthName "Testing"
    AuthBasicProvider "ldap"
    AuthLDAPURL "ldap://host:port/dc=example,dc=org?cn"
    AuthLDAPBindDN "cn=Manager,dc=example,dc=org"
    AuthLDAPBindPassword "123"
    AuthzLDAPAuthoritative off
    require valid-user
</LocationMatch>

Note: replace the values of AuthLDAPURL, AuthLDAPBindDN and AuthLDAPBindPassword with your own server's host, port, base DN and bind credentials. Apache does not accept a comment at the end of a directive line, so do not add markers after these directives in the file.

Restart Apache.
root@otc-desktop:~# /etc/init.d/apache2 reload