The Paranoia module attempts to identify all the places where a user can evaluate PHP via Drupal's web interface and then blocks them. It reduces the potential impact of an attacker gaining elevated permissions on a Drupal site.
The specific features are:
- Disable granting of the "use PHP for block visibility" permission.
- Disable creation of input formats that use the PHP filter.
- Disable editing the user #1 account.
- Prevent granting risky permissions.
- Disable disabling this module. Yes, that's right: you need to go to the database to get rid of it again.
After installing, be sure to visit and save the permissions form to remove all previous grants.
To take full advantage of this module you need to identify any nodes, fields, or blocks that use the PHP filter, alter them to work some other way, and then delete the standard PHP filter at admin/config/content/formats.
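The inventory step above (find every node, field and block that still depends on the PHP filter before deleting it) is easiest to do straight against the database. The queries below are an added example, not part of the Paranoia module; they assume a stock Drupal 7 schema with no table prefix, the php module's filter registered under module name `php`, block visibility mode 2 meaning "PHP code" (Drupal 7's BLOCK_VISIBILITY_PHP), and a sample set of permissions treated as risky that is an assumption here rather than the module's own list. All queries are read-only.

```sql
-- Added audit queries (not the Paranoia module's code). Assumes an
-- unprefixed Drupal 7 schema; adjust table names if your site uses a prefix.

-- 1. Text formats in which the PHP evaluator filter is enabled.
--    Anything listed here is a place where stored text becomes executed code.
SELECT ff.format, ff.name, ff.status AS format_enabled
FROM filter_format ff
JOIN filter f ON f.format = ff.format
WHERE f.module = 'php'
  AND f.status = 1;

-- 2. Node bodies (current and historical revisions) stored in one of those
--    formats. These must be converted to another format before the PHP
--    filter is deleted, otherwise they will render as plain text or break.
SELECT b.entity_type, b.bundle, b.entity_id AS nid, b.revision_id, b.body_format
FROM field_data_body b
WHERE b.body_format IN (
  SELECT f.format FROM filter f WHERE f.module = 'php' AND f.status = 1
)
UNION
SELECT r.entity_type, r.bundle, r.entity_id, r.revision_id, r.body_format
FROM field_revision_body r
WHERE r.body_format IN (
  SELECT f.format FROM filter f WHERE f.module = 'php' AND f.status = 1
);
-- Repeat query 2 for any other text fields on the site: their tables are
-- named field_data_<fieldname> / field_revision_<fieldname> with a
-- <fieldname>_format column.

-- 3. Blocks whose visibility is controlled by PHP code (visibility = 2 is
--    assumed to be BLOCK_VISIBILITY_PHP in Drupal 7). The "pages" column
--    holds the PHP snippet that is evaluated on every request.
SELECT bl.module, bl.delta, bl.theme, bl.status, bl.pages
FROM block bl
WHERE bl.visibility = 2;

-- 4. Roles currently holding permissions that let a user reach PHP
--    evaluation or grant it to themselves. The list is a constructed sample,
--    not Paranoia's risky-permission list; extend it for your site.
SELECT r.name AS role, rp.permission, rp.module
FROM role_permission rp
JOIN role r ON r.rid = rp.rid
WHERE rp.permission IN (
  'use PHP for settings',          -- Drupal 7 name of the php module permission
  'administer filters',            -- can re-enable the PHP filter in a format
  'administer permissions',        -- can grant any of the above
  'administer users',              -- can take over user #1
  'administer modules',            -- can enable the php module again
  'administer site configuration'
)
ORDER BY r.name, rp.permission;
```

Run the first three queries, fix every row they return, and only then delete the PHP format; rerun them afterwards to confirm nothing still references it. Query 4 is the pre-check for the "Prevent granting risky permissions" feature: any role listed there other than the administrator role deserves a review before Paranoia locks the permissions form down.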
Patches in other modules' queues
While Paranoia can block some things, it is also sometimes possible to improve security in other modules more directly. Please review the issue, apply the patch to test it locally, and consider deploying it to your sites:
- #2329259: Refine import permissions / update php argument access. Specifically, the 2329259_views_remove_php_access.patch, in combination with Paranoia disabling the php module, makes it impossible to use PHP for importing a view or for validating/defaulting an argument.
Other security focused projects you may be interested in:
- Security Review module: a free tool to find common mistakes in your site configuration
Project information
- Module categories: Security
- 1,894 sites report using this module
- Created by killes@www.drop.org on , updated
- Stable releases for this project are covered by the security advisory policy.
Releases
- Development version: 8.x-1.x-dev, updated 23 Jun 2023 at 02:54 UTC. Drupal 10 compatibility.
- Development version: 7.x-1.x-dev, updated 25 Mar 2019 at 16:48 UTC. Further coverage and better protection to allow integration with more contribs.