Drupal is one of the best-known web development platforms, and it is used for everything from personal blogs to corporate sites and even government websites such as whitehouse.gov and data.gov.uk. The main advantage of a Drupal-based website is its capacity to handle a large number of requests, around 20,000 requests per second. Drupal's open-source nature lets developers from different places contribute to the evolution of the platform and provide plug-ins for use in web pages. However, even though it is a secure platform, some issues pose a serious threat to websites built on Drupal. A few of these issues are listed below:
Exposing configuration information: on error pages such as "Page not found", many servers display the version of the server software in use and the modules that are loaded. This gives an attacker an insight into the directory structure of the website as well as the modules it relies on, information that can then be misused and eventually lead to unauthorized access to the directories on the server.

Cross-site scripting (XSS): one of the major issues in Drupal is cross-site scripting, which lets a visitor of the site inject JavaScript or HTML code into a web page. Drupal does not usually filter such input, and an attacker can take advantage of this to introduce malicious code into the application. The page can then be made to send data to the server, which modifies the behaviour of the page by executing the malicious code at the server.

Insufficient session protection: a user can gain access to a node of the web application for which they do not have permission. This usually happens when the user is connected to the same network as another user who is logged in as an authenticated user: when the first user accesses that page, they obtain the access of the "logged in" user, and the authenticated user's session is hijacked. Serving the page over SSL, or using the securepages and securepages_prevent_hijack modules on the page, can overcome this problem.

Memory problems: Drupal code normally runs in a thread, which means Drupal loads every enabled module for each request and creates a long-running thread. These long threads become a problem when the number of requests grows beyond what the server can serve rapidly. This gives rise to performance issues in Drupal-based applications hosted on shared servers.
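The cross-site scripting item above, as an added example that is not from the article and not Drupal's own code: a small render function for a visitor-supplied comment, first in the form that produces stored XSS and then with output escaping. Plain PHP htmlspecialchars() is used so the file runs without Drupal; the function names and the sample comment are constructed for the illustration.

```php
<?php
// Added example (not from the article or Drupal core). Shows why "Drupal
// doesn't filter the input" turns into XSS when a template prints raw input,
// and how escaping at render time removes the problem. In Drupal 7 the
// equivalent helper is check_plain(); in Drupal 8+ it is
// \Drupal\Component\Utility\Html::escape().

declare(strict_types=1);

/**
 * Vulnerable: interpolates the stored comment body straight into markup.
 * Whatever the visitor typed, including <script>, is parsed by every
 * later visitor's browser.
 */
function render_comment_unsafe(string $body): string
{
    return "<div class=\"comment\">$body</div>";
}

/**
 * Hardened: HTML-escape at output time. The stored text is left untouched,
 * so the same value can still be shown safely in other contexts.
 */
function render_comment_safe(string $body): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"comment\">$escaped</div>";
}

// Constructed sample: a comment body carrying an inline script, the
// standard harmless marker used when testing for XSS.
$payload = 'Nice post! <script>alert("xss")</script>';

$unsafe = render_comment_unsafe($payload);
$safe   = render_comment_safe($payload);

// Self-check: the unsafe output still contains an executable tag, the safe
// output contains only the escaped text.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Escaping everything is the right default for plain-text fields such as titles or usernames. Where a site deliberately allows a subset of HTML in a field, the Drupal 7 helper is filter_xss() (Drupal 8+: \Drupal\Component\Utility\Xss::filter()), which strips tags outside an allow-list instead of escaping the whole string; which of the two to use is a per-field decision, and the mistake the article describes is using neither.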
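The session-hijacking item above, as an added example that is not from the article and not Drupal's own code: plain-PHP session handling with the cookie flags that make the described hijack harder. Drupal manages its own session cookie, so this is illustrative rather than something to paste into settings.php; the function names are constructed for the example, and the SameSite setting assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the article or Drupal core). The article's fix is
// to serve the page over SSL: the reason that works is that the session
// cookie can then be marked Secure, so it is never sent in clear text over
// the shared network the article describes. The other flags close the
// neighbouring gaps (script access, fixation, URL-carried session IDs).

declare(strict_types=1);

/** Weak: the defaults most shared hosts ship with. Shown only for contrast. */
function start_session_weak(): void
{
    session_start(); // cookie sent over plain HTTP, readable by JavaScript
}

/** Hardened: flags must be set before session_start() to take effect. */
function start_session_hardened(): void
{
    ini_set('session.cookie_secure', '1');   // only sent over TLS
    ini_set('session.cookie_httponly', '1'); // not readable from injected JS
    ini_set('session.cookie_samesite', 'Strict'); // PHP 7.3+; blocks cross-site sends
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');// never accept the ID from the URL
    session_start();
}

/**
 * Call at every privilege change (login, role change). A fresh ID means a
 * session ID captured or planted before login no longer maps to the
 * authenticated session.
 */
function on_login(int $uid): void
{
    session_regenerate_id(true); // true = discard the old session file
    $_SESSION['uid'] = $uid;
    $_SESSION['started'] = time();
}

/** Returns the settings actually in force, so a deployment can be checked. */
function session_cookie_settings(): array
{
    return [
        'secure'      => ini_get('session.cookie_secure'),
        'httponly'    => ini_get('session.cookie_httponly'),
        'samesite'    => ini_get('session.cookie_samesite'),
        'strict_mode' => ini_get('session.use_strict_mode'),
    ];
}

start_session_hardened();
on_login(42); // constructed user ID
print_r(session_cookie_settings());
```

The check function is the part worth keeping: on a shared host the php.ini defaults are outside the site owner's control, so verifying at runtime that the Secure and HttpOnly flags are really on is how one confirms that the SSL-only advice in the article has actually taken effect.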
Developers who are used to integrating two different development environments in order to take advantage of both IDEs may find that Drupal is not the best solution for them. The reason is that Drupal is not compatible with other programs or CMSs, and introducing any new functionality requires implementing local plug-ins and writing code.
via Examiner National Edition Gadgets & Tech Channel Articles http://www.examiner.com/article/security-issues-drupal-content-management-system?cid=roadrunner