Samuel Mortenson: Drupal services private file access bypass via IDOR

Planet Drupal - 4 December 2023 - 8:14
There’s a feature in Drupal that not a lot of people know about, but is a great target for security research - private files. Private files allow you to upload files to a non-public directory on your server, then serve them through Drupal instead of through your HTTP server. Drupal is then able to check access for files to determine if the current user can download them.

Samuel Mortenson: Making a multiplayer game with Go and gRPC

Planet Drupal - 4 December 2023 - 8:14
Recently I’ve started to pick up a new programming language, Go, but have struggled to absorb lessons from presentations and tutorials into practical knowledge. My preferred learning method is always to work on a real project, even if it means the finished work has loads of flaws.

Samuel Mortenson: Building my site with Tome and Single File Components

Planet Drupal - 4 December 2023 - 8:14
I've just finished re-building my site using Tome and Single File Components (SFC), two Drupal projects I maintain and wanted to test out on a real site. If you're reading this post, you're already on my new website! Hope it's working OK so far.

Samuel Mortenson: Simplifying Drupal frontend with Single File Components

Planet Drupal - 4 December 2023 - 8:14
I’ve been thinking about ways to make Drupal frontend easier recently, and have been working on an experimental module called Single File Components (SFC), which lets you put your CSS, JS, Twig, and PHP in one file. If you want to skip the blog post, you can just check out the project at https://www.drupal.org/project/sfc. The main problems with Drupal frontend that SFC aims to help with are:

Samuel Mortenson: Static searches with Drupal and Lunr

Planet Drupal - 4 December 2023 - 8:14
As a part of my ongoing work on Tome, a Drupal static site generator, I’ve become interested in providing a solution for static searches. If you have a static site there’s typically no backend to do any server side processing, which means that search has to be done on the client or through a third party service. After researching some existing solutions I found Lunr, a JavaScript based search engine that provides a simple API for indexing and searching content.

Samuel Mortenson: Creating Tome, a static site generator for Drupal 8

Planet Drupal - 4 December 2023 - 8:14
Six months ago I started work on Tome, a static site generator for Drupal 8. After lots of rewrites and long nights, Tome has finally reached the beta phase of testing and development! Up until now, I haven’t invested a lot of time in communicating what I’m doing, why I made Tome, or why static Drupal is hard, so now seems like a good time to stop and reflect on things before I write more code.

Samuel Mortenson: Hijacking Drupal admin accounts using REST

Planet Drupal - 4 December 2023 - 8:14
Note: This exploit was fixed over a year ago as a part of SA-CORE-2017-002/CVE-2017-6919, so unless your Drupal 8 site is really, really out of date, you should not be affected. When I do security research on Drupal core, I tend to focus on one class of vulnerability and pursue that until I find something.

Samuel Mortenson: How I work on Drupal

Planet Drupal - 4 December 2023 - 8:14
I recently celebrated my five-year anniversary on Drupal.org, and wanted to write about how I work on issues day-to-day and my general contribution “vibe”. My Drupal.org account was created the week I started working at Acquia as a part of their employee on-boarding, and I only really used it to search issues and post an occasional comment at first. I know a lot of people in the community have grand stories about how they found Drupal, but mine is rather boring, unfortunately.

Samuel Mortenson: Introducing Twig Components

Planet Drupal - 4 December 2023 - 8:14
Last week I published the Twig Components Drupal module - the latest in a series of projects aiming to combine Twig, Web Components, and PHP. I wanted to write about why I’m doing this work, and why developers should care.

Samuel Mortenson: Getting creative with Drupal XSS

Planet Drupal - 4 December 2023 - 8:14
In the world of web security, cross-site scripting (XSS) vulnerabilities are extremely common, and will continue to be a problem as web applications become increasingly complex. According to a 2016 report by Bugcrowd, a popular bug bounty site, “XSS vulnerabilities account for 66% of valid submissions, followed by 20% categorized as CSRF” (source).

Samuel Mortenson: Chained Drupal CSRF to disable all blocks

Planet Drupal - 4 December 2023 - 8:14
Note: The exploit discussed in this post was never included in a stable core release, so don’t freak out! The Drupal security team quickly fixed this while 8.3.x was still in development. One method I commonly use when auditing Drupal 8 code is to find routes that are accessible to anonymous users, or that check permissions which are commonly assigned to authenticated users. The purpose of this kind of audit is to find an access bypass vulnerability, or a route that is otherwise an easy target for denial of service or remote code execution attacks.

Report: AI helps identify targets for Israeli airstrikes

heise online Newsticker - 4 December 2023 - 8:06

According to two media reports, the Israeli army is also relying on AI assistance in its current military operation in the Gaza Strip.

Monday: Amazon uses SpaceX for satellite launches, paying for WhatsApp backups

heise online Newsticker - 4 December 2023 - 7:30

SpaceX launches for Amazon + military vehicle modelled on SpaceX + backup costs for WhatsApp + Eliza versus ChatGPT in the Turing test + university reform because of chatbots

TechStage | Top 8: The best air purifiers tested – removing pollen, fine dust & odours

heise online Newsticker - 3 December 2023 - 21:00

Living better despite a pollen allergy: air purifiers filter pollen, fine dust and other pollutants from the air, providing a healthy indoor climate that benefits not only allergy sufferers.

Ryzen 5000 server board with open-source OpenBMC remote management

heise online Newsticker - 3 December 2023 - 18:55

A Dutch programmer is working on OpenBMC firmware for the Ryzen 5000 mainboard Asrock Rack X570D4U.

Competitor lends a hand: SpaceX is also to launch Amazon's Kuiper satellites into space

heise online Newsticker - 3 December 2023 - 18:14

In satellite internet, Amazon's Project Kuiper competes with SpaceX's Starlink. Yet Amazon is now ordering SpaceX rocket launches to stay on schedule.

Raspberry Pi 5: Yet another M.2 SSD adapter

heise online Newsticker - 3 December 2023 - 18:00

The British company Pimoroni is also announcing an adapter board for connecting an M.2 SSD with a PCIe NVMe controller to the Raspberry Pi 5.

TechStage | Guide: Are wired or Bluetooth headphones better?

heise online Newsticker - 3 December 2023 - 17:00

Whether over-ear, on-ear or in-ear: wired headphones have several advantages over Bluetooth headphones. TechStage shows what to look for when buying.

PC market: growth through AI, ARM and Windows 11

heise online Newsticker - 3 December 2023 - 16:05

Although Dell's PC sales recently shrank significantly, market observer Canalys expects an upturn for the fourth quarter and for 2024.

UEFI vulnerability LogoFAIL: Secure Boot can be bypassed with manipulated boot logos

heise online Newsticker - 3 December 2023 - 15:45

Security researchers have discovered vulnerabilities in the processing of boot logos at the BIOS/UEFI level. Attackers can compromise systems.