Doing Drupal security right from Drupalcon London
6 likes2,415 views
This document summarizes a presentation on doing Drupal security right. It discusses common security issues like SQL injection, cross-site scripting, authentication and session security. It provides the Drupal approach to addressing each issue through secure APIs and modules. It also discusses open source security in general and notes that Drupal security is supported by a volunteer team working to ensure the security of Drupal core and contributed projects.
![index.php?id=12
mysql_query(“UPDATE mytable
SET value = ‘”. $value .”’
WHERE id = ”. $_GET[‘id’]);](https://image.slidesharecdn.com/drupalsecurity2011london-110824052323-phpapp01/85/Doing-Drupal-security-right-from-Drupalcon-London-16-320.jpg)
![index.php?id=12
print $_GET[‘id’];
$output .= $node->title;
Giving full HTML access.
Unsafe tags in other formats.](https://image.slidesharecdn.com/drupalsecurity2011london-110824052323-phpapp01/85/Doing-Drupal-security-right-from-Drupalcon-London-19-320.jpg)
![jQuery.get('/user/1/edit',
function (data, status) {
if (status == 'success') {
var p = /id="edit-user-edit-form-token"
value="([a-z0-9]*)"/;
var matches = data.match(p);
var token = matches[1];
var payload = {
"form_id": 'user_edit',
"form_token": token,
"pass[pass1]": 'hacked',
"pass[pass2]": 'hacked'
};
jQuery.post('/user/1/edit', payload);
}
}
);
Example from Heine Deelstra, Drupal Security team lead
http://heine.familiedeelstra.com/change-password-xss
Technique (with code changes) works up to Drupal 6](https://image.slidesharecdn.com/drupalsecurity2011london-110824052323-phpapp01/85/Doing-Drupal-security-right-from-Drupalcon-London-21-320.jpg)
![index.php?id=12
db_query(“SELECT * FROM {node}
WHERE nid = :id”, array(‘:id’
=> $_GET[‘id’]));](https://image.slidesharecdn.com/drupalsecurity2011london-110824052323-phpapp01/85/Doing-Drupal-security-right-from-Drupalcon-London-29-320.jpg)
Doing Drupal security right from Drupalcon London
- 3. Site Building and Environment Set-up Doing Drupal security right Presented by Gábor Hojtsy, Acquia with special thanks to Greg Knaddison, Four Kitchens and Jakub Suchy
- 4. Why I’m here? • Maintainer for Drupal 6 • De-facto member of the security team
- 5. Why are you here? • Managers? • Site builders? • Themers? • Developers?
- 8. With relatively simple holes, your administrator user can be taken over.
- 11. Heard of the mid- April wordpress.com attack?
- 12. Secure server • Avoid using FTP at all cost, check your client tool • Who do you share your server with? Are you confident? Run other apps? • Keep your OS, PHP, SQL server, etc. up to date
- 13. Secure Drupal • Is your admin password “admin”? • Look at all “administer *” permissions • “administer filters” can take over a site • Use update.module, watch the security news (Wednesdays)
- 14. Secure Drupal • Avoid any kind of PHP input, write your own modules instead • Look into using paranoia.module • Watch your input formats (you can be googled) • Check out the security_review module.
- 15. Injection
- 16. index.php?id=12 mysql_query(“UPDATE mytable SET value = ‘”. $value .”’ WHERE id = ”. $_GET[‘id’]);
- 17. Drupal approach • db_query(“UPDATE {mytable} SET value = :value WHERE id = :id”, array(‘:value’ => $value, ‘:id’ => $id); • If you need to include dynamic table or column names in your query, see db_escape_table()
- 18. Cross Site Scripting (XSS)
- 19. index.php?id=12 print $_GET[‘id’]; $output .= $node->title; Giving full HTML access. Unsafe tags in other formats.
- 20. 64% likelihood a website has a Cross site scripting issue https://www.whitehatsec.com/assets/presentations/11PPT/PPT_topwebvulns_030311.pdf
- 21. jQuery.get('/user/1/edit', function (data, status) { if (status == 'success') { var p = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/; var matches = data.match(p); var token = matches[1]; var payload = { "form_id": 'user_edit', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post('/user/1/edit', payload); } } ); Example from Heine Deelstra, Drupal Security team lead http://heine.familiedeelstra.com/change-password-xss Technique (with code changes) works up to Drupal 6
- 22. Drupal approach No No No No URL Plain Rich HTML Trusted check_url() check_plain() check_markup() filter_xss() HTML output
- 23. Drupal approach • t(), format_plural() placeholders: %name, @url, !insecure t(‘%name has a blog at <a href=”@url”>@url</a>’, array(‘@url’ => valid_url($user->profile_blog), ‘%name’ => $user->name)); • Use Drupal.t(), Drupal.formatPlural() in JS.
- 24. Not all output is HTML
- 26. • Weak password storage and account management •Session hijacking / fixation • Lack of session timeout / logout
- 27. Drupal approach • Passwords are stored hashed • Session IDs changed when permissions change • Drupal works with Apache’s SSL transport • Modules to set certain URLs to use SSL
- 28. Insecure direct object references
- 29. index.php?id=12 db_query(“SELECT * FROM {node} WHERE nid = :id”, array(‘:id’ => $_GET[‘id’]));
- 30. Drupal approach • Menu system handles permission checking • user_access(‘administer nodes’, $account) • node_access(‘edit’, $node, $account); • $select->addtag(‘node_access’); • Form API checks for data validity
- 31. Cross Site Request Forgery (CSRF)
- 34. Drupal approach • Form API works with POST submissions by default (makes it harder) • Form API includes form tokens, requires form retrieval before submission, checks valid values • drupal_valid_token() provided to generate/ validate tokens for GET requests
- 35. Insecure cryptographic storage
- 36. Drupal approach • Drupal stores user passwords hashed with a one-way hash • Different randomly generated private key is provided on each site, which can be used to do reversible encryption • Modules exist to help encrypt more data • Up to you to ensure backups are properly protected
- 37. Failure to restrict URL access
- 38. Drupal approach • Menu system uses access callback and access arguments • Continually review permissions
- 41. Drupal approach • Run Drupal on top of full SSL • Use securepages and securepages_prevent_hijack to wall your important pages • http://drupalscout.com/knowledge-base/ drupal-and-ssl-multiple-recipes- possible-solutions-https • Use a valid certificate
- 44. Drupal approach • Drupal has various internal redirections, which use local paths and generate URLs based on them • Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
- 46. Is Open Source secure?
- 47. “Open Source is secure” • Open Source makes people look at it • Popularity gets more eyes • There are always more smart people to find and fix problems
- 48. “Open Source is insecure” • People can equally find holes • Some people (inadvertently) disclose issues in the public • Fix becomes public and can / will be reviewed
- 50. Developers and users • Drupal APIs are designed to be secure • It is eventually up to programmers to use them that way • http://drupal.org/writing-secure-code • Tools designed for security can still be misconfigured
- 51. Drupal security team A team of volunteers working to ensure best security of Drupal and thousands of contributed modules
- 53. What’s supported? • Drupal core and all(!) contributed projects on drupal.org • Stable releases (development versions only for very popular modules) • Not actively looking for vulnerabilities in contributed modules • Only current and one earlier versions are supported: now 7.x and 6.x
- 54. Points of contact • Releases at http://drupal.org/security • Reporting issues: http://drupal.org/node/ 101494 • Reporting cracked sites: http://drupal.org/ node/213320 • Discuss general issues: http:// groups.drupal.org/best-practices-drupal- security
- 56. These slides are (CC) Images used: http://www.flickr.com/photos/rtv/2398561954/ http://www.flickr.com/photos/jonk/19422564/ http://www.flickr.com/photos/duncan/2693141693/ http://www.flickr.com/photos/duncan/2742371814 http://www.flickr.com/photos/jontintinjordan/3736095793/ http://www.flickr.com/photos/djbrady/2304740173/ http://www.flickr.com/photos/inkytwist/2654071573/ http://www.flickr.com/photos/duncan/2741594585/ http://www.flickr.com/photos/shellysblogger/2924699161/ http://www.flickr.com/photos/blogumentary/434097609/ http://www.flickr.com/photos/glamhag/2214986176/ http://www.flickr.com/photos/duncan/2693140217/ This presentation created by Gábor Hojtsy Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
- 57. Questions?
- 59. What did you think?
- 60. What did you think? Locate this session on the DrupalCon London website: http://london2011.drupal.org/conference/schedule
- 61. What did you think? Locate this session on the DrupalCon London website: http://london2011.drupal.org/conference/schedule Click the “Take the survey” link
- 62. What did you think? Locate this session on the DrupalCon London website: http://london2011.drupal.org/conference/schedule Click the “Take the survey” link THANK YOU!