".. not allow GET/PUT/PATCH/POST requests to web services resources"
Or you could switch from your buggy Drupal CMS (motto: come for the code, stay for the constant bloody security updates) to a Python CMS such as Django.
Just days after a remote code execution flaw in open-source web publishing software Drupal was made public, researchers have already spotted live exploits in the wild – reinforcing the need for admins to patch and update their sites immediately. As The Register reported last week: "A successful exploit of the vulnerability …
Python isn't magically better than PHP, all stock CMS systems seem to have these sorts of issues. You need to keep them up to date or you're toast.
One of the fun parts of designing web applications is that I get hundreds of automated reports every day of exceptions, Invalides URLs and malformed requests so I see attempted attacks targetting every well known CMS system. This affects all of them, you run stock code, you have to protect yourself against these quick-moving stock exploits.
Django is a framework to build web applications, and to get something usable you'll have to write your own code. Drupal is a true CMS, and you can start using it straight out an install if you don't need specific customizations.
That also means there's much more code in a stock install of Drupal - and thereby the attack surface is larger. No surprise here we have the usual lack of input control passed along technologies like REST were you can pass almost everything you like because the protocol itself has little checks.
With Django, a lot depends on the skills of the developers building on it - its attack surface could be smaller, but what about the code devs add? It's just less in the radar of security experts.
Biting the hand that feeds IT © 1998–2022