The same checklist could also suggest that no access to the system was available from outside the network. This is partly why I've tried to be so clear and debunk the misconceptions.

Each security approach needs to be weighed up and evaluated in context. I understand why - if you've only seen the key points from a security presentation - not hiding site workings would look like a weakness. That's why it's a common warning to not leave your phpinfo() page public. Yeah, to be fair, a quick generic security checklist would usually include some form of system identification lockdown in its top ten ways to try and secure your site. That said, there is no single script that is now, nor do I believe will ever be in the future "bulletproof" with or without the human element. Fact is Drupal is created by humans, working on top of other software created by humans, running on hardware built and configured by humans. Some research in this area may aid your understanding on how such attacks work.

Drupal's inbuilt security which is apparently bullet proof! Most attacks are "random" in nature using XSS techniques. This has already been explained, you're just ignoring the explanation. One doesn't have to know which script is running to plan an attack or succeed in one. Without this you can't even begin to plan any attack whatsoever which is my point. I guess I don't understand the idea that if so many high profile sites aren't worried about this, why others would be? If you take a look at some of the largest sites known to be using Drupal, including you will find they aren't obfuscating anything and a view of the source code shows those sites using Drupal. It's important to note that not every site on the internet uses open source code. If the .uk site is Drupal, I'd figure it would have been front page news as all large outfits that have moved to Drupal. Seems that many state it is Drupal on forums and such with a Google search but there are those who state it isn't.
If you want to do a total makeover of all your CSS classes with no drupalisms at all, you can do that too.

But if the question is "I want to make my site safe from script-kiddies by removing the word 'drupal' from the page source" - then the answer is "think again"

Based on some research (10 mins tops) using Google .uk *may* be using a custom, internally built, content management system. That is a valid complaint, and has work-arounds for. On some hosts a request to /admin does cause conflict between Drupal and a control panel. If you want to custom-structure your site (you already can) then that's a different question, and one which can happily be answered. The only answers to that question are "Why?" and "You shouldn't". Like "How do I make the browser URL show https without setting up a security certificate?". Sometimes the question is just not quite right. It's not quite that "You don't need this functionality" (though I understand you feel that way) - it's that this approach to "security" is fundamentally flawed and therefore not supported by anyone who is willing to attack core and make it happen, even if it were sanely possible. I apologize for beating the horse I just killed, but it's all in the aim of trying to make a point clear for everyone. Plus the post above pretty much settles it. I suspect core would have to be hacked to allow you to use your own terms and then shift around your website structure to match.

EDIT: it seems our paranoia will never be understood. he he. I remember seeing somewhere that they use Drupal; if they do I think they have all our answers!! And I would like to add that I can't find their admin page! One less intruder to worry about. While I don't want to and can't mask it completely it would be nice to have that little peace of mind.

For example .uk, okay which CMS do they use?! Another thing: I've been able to login to Joomla sites by just 1) looking at their mark up "ah joomla" 2) going to the 'admin login' 3) using a few passwords and bingo! And I don't consider myself a hacker.

But it's not just the security, you want someone to put in a little effort before knowing the ins and outs of your system.