Leaking Information in Drupal URLs

Update: It turns out the DA was trolling. We all now know that DrupalCon North America 2016 will be in New Orleans. I've kept this post up as I believe the information about handling unpublished nodes is relevant. I have also learned that m4032404 is enabled by default in govCMS.

When a user doesn't have access to content in Drupal, a 403 Forbidden response is returned. This is the case out of the box for unpublished content. The problem with this is that sensitive information may be contained in the URL, and a 403 confirms that the URL exists where a 404 would not. A great example of this is the DrupalCon site.

The way to avoid this is to use the m4032404 module, which changes a 403 response to a 404. This simple module prevents your site leaking information via URLs.
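A check a site owner can run against their own site to confirm that unpublished paths answer exactly like paths that do not exist. This is an added example, not code from the original post or from the m4032404 module; the function names, paths and simulated responses are constructed for illustration.

```python
import urllib.error
import urllib.request
import uuid


def fetch_status(base_url, path):
    """Status code an anonymous client receives for base_url + path."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403, 404, ... arrive as exceptions in urllib


def audit_restricted_paths(restricted_paths, get_status, control_path=None):
    """Return (path, status, baseline) for every restricted path whose
    anonymous response differs from that of a path that cannot exist."""
    control_path = control_path or "/" + uuid.uuid4().hex
    baseline = get_status(control_path)
    leaks = []
    for path in restricted_paths:
        status = get_status(path)
        if status != baseline:
            leaks.append((path, status, baseline))
    return leaks


# Constructed data: two unpublished pages on a hypothetical site.
UNPUBLISHED = ["/draft-host-city-2016", "/embargoed-press-release"]
DEFAULT_DRUPAL = {path: 403 for path in UNPUBLISHED}  # out-of-the-box behaviour
WITH_M4032404 = {}  # module enabled: every denied path answers 404


def simulated_site(responses):
    """Stand-in for fetch_status so the example runs offline."""
    return lambda path: responses.get(path, 404)


if __name__ == "__main__":
    for label, table in (("default", DEFAULT_DRUPAL), ("m4032404", WITH_M4032404)):
        leaks = audit_restricted_paths(UNPUBLISHED, simulated_site(table))
        print(label, "->", leaks or "no path distinguishable from a 404")
    # Against your own site:
    #   from functools import partial
    #   audit_restricted_paths(UNPUBLISHED, partial(fetch_status, "https://example.org"))
```

The audit compares status codes only; a response body or redirect that differs between the two cases would need a separate comparison.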

Attachment: DrupalCon-Philadephia.png (139.21 KB)

Misdirection and Disinformation?

Anonymous wrote:

https://events.drupal.org/cleveland2016

Added Fri, 2015-05-15 08:20

interesting that both

rcross wrote:

interesting that both https://events.drupal.org/cleveland2016 and https://events.drupal.org/philadelphia2016 give an Access Denied, but a typo of https://events.drupal.org/philidelphia2016 provides a 404.

Maybe both are happening :)

Added Fri, 2015-05-15 17:55
