drupal security: how to survive drupalgeddon and prepare for future (european drupal days 2015)
TRANSCRIPT
© Ibuildings 2014/2015 - All rights reserved
#DrupalDaysEU
Drupal Security: How to survive Drupalgeddon and prepare for future
DRUPAL SECURITY
HOW TO SURVIVE DRUPAGEDDON AND PREPARE FOR FUTURE
Created by Kristian Polso / @kristian_polso
ABOUT ME
Kristian Polso
CTO at Vaiste Productions
Been working with Drupal since version 5
Earlier PHP background
@kristian_polso
ABOUT VAISTE PRODUCTIONS
Drupal solutions company
Based in Turku, Finland
Focus on more customized Drupal solutions & integrations
http://vaiste.com / @vaisteprod
PURPOSE OF THIS PRESENTATION
What was Drupageddon and what happened
How to prepare for similar vulnerabilities
Best practices
WHAT WAS DRUPAGEDDON?
A vulnerability found in Drupal 7's database abstraction API
Drupal Security Team was informed of it in September 2014
Update released on October 15 2014 (Drupal 7.32)
Biggest vulnerability in Drupal's history
Name given by Twitter (#drupageddon)
HOW DID DRUPAGEDDON WORK?
// includes/database/database.inc (Drupal 7.31, expandArguments())
foreach (array_filter($args, 'is_array') as $key => $data) {
  foreach ($data as $i => $value) {
    $new_keys[$key . '_' . $i] = $value; // $i is spliced into the placeholder name
  }
}
$args are GET parameters from the user
$i is supposed to be an array key, as in an integer
SUPPOSED to be...
<input type="text" name="email[email1]" value="[email protected]">
<input type="text" name="email[email2]" value="[email protected]">
$_POST = array(
'email' => array(
'email1' => '[email protected]',
'email2' => '[email protected]',
)
);
<input type="text" name="email[email1]" value="[email protected]">
<input type="text" name="email[0;UPDATE node SET title='uhoh'; ]" value="[email protected]">
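To make the mechanism concrete, the following is a trimmed re-implementation of the placeholder expansion added for this transcript (not Drupal's own code and not the speaker's), showing the 7.31 loop beside the 7.32 fix that wraps $data in array_values(); the function names, the sample query and the argument array are constructed.

```php
<?php
// Added example (not Drupal's own code): a trimmed re-implementation of the
// placeholder expansion from includes/database/database.inc, vulnerable (7.31)
// and fixed (7.32) side by side. Function names and inputs are constructed.

// 7.31 behaviour: whatever key the request supplied in $data becomes part of
// the placeholder name, and that name is spliced into the SQL text.
function expand_arguments_vulnerable(string $query, array &$args): string {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return $query;
}

// 7.32 fix: array_values() renumbers $data from 0, so $i can only be an
// integer and the placeholder names stay of the form :name_0, :name_1, ...
function expand_arguments_fixed(string $query, array &$args): string {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return $query;
}

// Constructed input: the same crafted array key as the slide's form field.
$sql  = "SELECT * FROM {users} WHERE name IN (:name)";
$args = array(':name' => array("0;UPDATE node SET title='uhoh'; " => 'alice', 'x' => 'bob'));

$a = $args;
echo "7.31: ", expand_arguments_vulnerable($sql, $a), "\n";
$a = $args;
echo "7.32: ", expand_arguments_fixed($sql, $a), "\n";
```

Run with the php CLI: the 7.31 variant prints the crafted key inside the SQL text (IN (:name_0;UPDATE node SET title='uhoh'; , :name_x)), while the 7.32 variant prints IN (:name_0, :name_1) and the attacker-controlled key never reaches the query.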
ANY ANONYMOUS USER CAN GET ACCESS TO YOUR SITE'S DATABASE
GO UPDATE YOUR DRUPAL SITE NOW
SERIOUSLY, NOW
THE AFTERMATH
BBC: "Up to 12 million websites may have been compromised"
Some hosting partners were really quick to patch
Drupal Security Team was super useful
CRAWLING THE TOP 15,000 DRUPAL WEBSITES
goo.gl/NPr20o (polso.info)
Done in November 2014
IF YOU GOT HACKED
Recover from backups
drupal.org/project/drupalgeddon
HOW TO BE SAFE FROM SECURITY VULNERABILITIES
Keep Drupal core & modules updated
Use managed hosting platforms (Acquia, Platform.sh, Pantheon)
Writing secure code (drupal.org/writing-secure-code)
BEST PRACTICES
PERMISSIONS
Are all roles necessary?
Auto-grants
Review manually
XSS
Text formats
Adding nodes (titles, body)
AUTHENTICATION
Weak passwords
Autologout (d.o/project/autologout)
SSL
COMMON SECURITY MISCONFIGURATIONS
Admin password? "admin"
Never use PHP input
Avoid FTP, use SFTP/SCP
VERSIONING
Try not to use dev versions in production
Thoroughly test
CUSTOM CODE
OPEN SOURCE IS AWESOME
Modules can have hundreds of users
Easy issue tracking
COMMON PITFALLS IN CUSTOM CODE
Not properly checking permissions
You don't notice your own mistakes
CONCLUSION
Update your modules
Try not to use dev versions in production
Review your custom code
THANK YOU
Kristian Polso
@kristian_polso