Doing Drupal        security right             Gábor Hojtsy , Acquia      May 7th 2011., Drupalcamp StockholmWith special ...
Why I’m here?• Maintainer for Drupal 6• De-facto member of the security team
Why are you here?• Managers?• Site builders?• Themers?• Developers?
Are you affected?
With relatively simple holes,your administrator user canbe taken over.
Open Web Application            Security Project’s                Top 10 riskshttp://owasptop10.googlecode.com/files/OWASP ...
Security misconfiguration
Heard of thewordpress.com   attack?
Secure server• Avoid using FTP at all cost (Total  Commander is an enemy)• Who do you share your server with? Are  you con...
Secure Drupal• Is your admin password “admin”?• Look at all “administer *” permissions• “administer filters” can take over...
Secure Drupal• Avoid any kind of PHP input, write your  own modules instead• Look into using paranoia.module• Watch your i...
Injection
index.php?id=12mysql_query(“UPDATE mytableSET value = ‘”. $value .”’WHERE id = ”. $_GET[‘id’]);
Drupal approach• db_query(“UPDATE {mytable} SET  value = :value WHERE id = :id”, array  (‘:value’ => $value, ‘:id’ => $id)...
Cross Site Scripting (XSS)
index.php?id=12print $_GET[‘id’];$output .= $node->title;Giving full HTML access.
64% likeliness a website hasCross site scripting issueshttps://www.whitehatsec.com/assets/presentations/11PPT/PPT_topwebvu...
jQuery.get(/user/1/edit,   function (data, status) {     if (status == success) {       var p = /id="edit-user-edit-form-t...
Drupal approach• check_plain() to escape text to HTML• check_markup() to format text to HTML• filter_xss() to filter text ...
Drupal approach• t(), format_plural() placeholders:  %name, @url, !insecure  t(‘%name has a blog at <a  href=”@url”>@url</...
Always consider thetype of output needed
Authentication & sessions
• Weak password storage and account management• Session hijacking / fixation• Lack of session timeout / logout
Drupal approach• Passwords are stored encrypted• Session IDs changed when permissions  change• Drupal works with Apache’s ...
Insecure direct object references
index.php?id=12db_query(“SELECT * FROM {node}WHERE nid = :id”, array(‘:id’=> $_GET[‘id’]));
Drupal approach• Menu system handles permission checking• user_access(‘administer nodes’, $account)• node_access(‘edit’, $...
Cross Site Request Forgery (CSRF)
<img src=”http://example.com/user/logout” />
http://example.com/index.php?delete=12<img src=”http://example.com/index.php?delete=12” />
Drupal approach• Form API works with POST submissions  by default (makes it harder)• Form API includes form tokens, requir...
Insecurecryptographic    storage
Drupal approach• Drupal stores user passwords encrypted  with a one-way hash• Different randomly generated private  key is...
Failure to restrict   URL access
Drupal approach• Menu system uses access callback and  access arguments• Continually review permissions
Insufficient transport protection
Drupal approach• Run Drupal on top of full SSL• Use securepages and  securepages_prevent_hijack to wall  your important pa...
Unvalidated redirects
http://example.com/index.php?target=evil.com
Drupal approach• Drupal has various internal  redirections, which use local paths and  generate URLs based on them• Look f...
Is Open Source    secure?
“Open Source is       secure”• Open Source makes people look at it• Popularity gets more eyes• There are always more smart...
“Open Source is       insecure”• People can equally find holes• Some people (inadvertently) disclose  issues in the public...
Is Drupal secure?
Developers and users• Drupal APIs are designed to be secure• It is eventually up to programmers to  use them that way• htt...
Drupal security teamA team of volunteers working to ensurebest security of Drupal and thousands ofcontributed modules
Design. Educate. Fix.
What’s supported?• Drupal core and all(!) contributed  projects on drupal.org• Not actively looking for vulnerabilities  i...
Points of contact• Releases at http://drupal.org/security• Reporting issues: http://drupal.org/  node/101494• Reporting cr...
These slides are (CC)                       Images used:       http://www.flickr.com/photos/rtv/2398561954/       http://w...
Questions?
Thank you!Gábor Hojtsy, Acquia     @gaborhojtsy
Doing Drupal security right
Doing Drupal security right
Upcoming SlideShare
Loading in...5
×

Doing Drupal security right

2,238

Published on

Slides from Drupalcamp Stockholm 2011

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,238
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
91
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Transcript of "Doing Drupal security right"

  1. 1. Doing Drupal security right Gábor Hojtsy , Acquia May 7th 2011., Drupalcamp StockholmWith special thanks to Four Kitchens, Greg Knaddison and Jakub Suchy
  2. 2. Why I’m here?• Maintainer for Drupal 6• De-facto member of the security team
  3. 3. Why are you here?• Managers?• Site builders?• Themers?• Developers?
  4. 4. Are you affected?
  5. 5. With relatively simple holes,your administrator user canbe taken over.
  6. 6. Open Web Application Security Project’s Top 10 riskshttp://owasptop10.googlecode.com/files/OWASP Top 10 - 2010.pdf
  7. 7. Security misconfiguration
  8. 8. Heard of thewordpress.com attack?
  9. 9. Secure server• Avoid using FTP at all cost (Total Commander is an enemy)• Who do you share your server with? Are you confident? Run other apps?• Keep your OS, PHP, SQL server, etc. up to date
  10. 10. Secure Drupal• Is your admin password “admin”?• Look at all “administer *” permissions• “administer filters” can take over a site• Use update.module, watch the security news (Wednesdays)
  11. 11. Secure Drupal• Avoid any kind of PHP input, write your own modules instead• Look into using paranoia.module• Watch your input formats (you can be googled)
  12. 12. Injection
  13. 13. index.php?id=12mysql_query(“UPDATE mytableSET value = ‘”. $value .”’WHERE id = ”. $_GET[‘id’]);
  14. 14. Drupal approach• db_query(“UPDATE {mytable} SET value = :value WHERE id = :id”, array (‘:value’ => $value, ‘:id’ => $id);• If you need to include dynamic table or column names in your query, see db_escape_table()
  15. 15. Cross Site Scripting (XSS)
  16. 16. index.php?id=12print $_GET[‘id’];$output .= $node->title;Giving full HTML access.
  17. 17. 64% likeliness a website hasCross site scripting issueshttps://www.whitehatsec.com/assets/presentations/11PPT/PPT_topwebvulns_030311.pdf
  18. 18. jQuery.get(/user/1/edit, function (data, status) { if (status == success) { var p = /id="edit-user-edit-form-token"value="([a-z0-9]*)"/; var matches = data.match(p); var token = matches[1]; var payload = { "form_id": user_edit, "form_token": token, "pass[pass1]": hacked, "pass[pass2]": hacked }; jQuery.post(/user/1/edit, payload); } }); Example from Heine Deelstra, Drupal Security team lead http://heine.familiedeelstra.com/change-password-xss
  19. 19. Drupal approach• check_plain() to escape text to HTML• check_markup() to format text to HTML• filter_xss() to filter text to HTML• filter_xss_admin() to filter admin text to HTML• node_view($node) instead of $node->body
  20. 20. Drupal approach• t(), format_plural() placeholders: %name, @url, !insecure t(‘%name has a blog at <a href=”@url”>@url</a>’, array(‘@url’ => valid_url($user->profile_blog), ‘%name’ => $user->name));• Use Drupal.t(), Drupal.formatPlural() in JS.
  21. 21. Always consider thetype of output needed
  22. 22. Authentication & sessions
  23. 23. • Weak password storage and account management• Session hijacking / fixation• Lack of session timeout / logout
  24. 24. Drupal approach• Passwords are stored encrypted• Session IDs changed when permissions change• Drupal works with Apache’s SSL transport• Modules to set certain URLs to use SSL
  25. 25. Insecure direct object references
  26. 26. index.php?id=12db_query(“SELECT * FROM {node}WHERE nid = :id”, array(‘:id’=> $_GET[‘id’]));
  27. 27. Drupal approach• Menu system handles permission checking• user_access(‘administer nodes’, $account)• node_access(‘edit’, $node, $account);• $select->addtag(‘node_access’);• Form API checks for data validity
  28. 28. Cross Site Request Forgery (CSRF)
  29. 29. <img src=”http://example.com/user/logout” />
  30. 30. http://example.com/index.php?delete=12<img src=”http://example.com/index.php?delete=12” />
  31. 31. Drupal approach• Form API works with POST submissions by default (makes it harder)• Form API includes form tokens, requires form retrieval before submission, checks valid values• drupal_valid_token() provided to generate/validate tokens for GET requests
  32. 32. Insecurecryptographic storage
  33. 33. Drupal approach• Drupal stores user passwords encrypted with a one-way hash• Different randomly generated private key is provided on each site, which can be used to do reversible encryption• Up to you to ensure backups are properly protected
  34. 34. Failure to restrict URL access
  35. 35. Drupal approach• Menu system uses access callback and access arguments• Continually review permissions
  36. 36. Insufficient transport protection
  37. 37. Drupal approach• Run Drupal on top of full SSL• Use securepages and securepages_prevent_hijack to wall your important pages• http://crackingdrupal.com/blog/ greggles/drupal-and-ssl-multiple- recipes-possible-solutions• Use a valid certificate
  38. 38. Unvalidated redirects
  39. 39. http://example.com/index.php?target=evil.com
  40. 40. Drupal approach• Drupal has various internal redirections, which use local paths and generate URLs based on them• Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
  41. 41. Is Open Source secure?
  42. 42. “Open Source is secure”• Open Source makes people look at it• Popularity gets more eyes• There are always more smart people to find and fix problems
  43. 43. “Open Source is insecure”• People can equally find holes• Some people (inadvertently) disclose issues in the public• Fix becomes public and can / will be reviewed
  44. 44. Is Drupal secure?
  45. 45. Developers and users• Drupal APIs are designed to be secure• It is eventually up to programmers to use them that way• http://drupal.org/writing-secure-code• Tools designed for security can still be misconfigured
  46. 46. Drupal security teamA team of volunteers working to ensurebest security of Drupal and thousands ofcontributed modules
  47. 47. Design. Educate. Fix.
  48. 48. What’s supported?• Drupal core and all(!) contributed projects on drupal.org• Not actively looking for vulnerabilities in contributed modules• Stable releases (development versions only for very popular modules)• Only current and one earlier versions are supported: now 7.x and 6.x
  49. 49. Points of contact• Releases at http://drupal.org/security• Reporting issues: http://drupal.org/ node/101494• Reporting cracked sites: http:// drupal.org/node/213320
  50. 50. These slides are (CC) Images used: http://www.flickr.com/photos/rtv/2398561954/ http://www.flickr.com/photos/jonk/19422564/ http://www.flickr.com/photos/duncan/2693141693/ http://www.flickr.com/photos/duncan/2742371814 http://www.flickr.com/photos/jontintinjordan/3736095793/ http://www.flickr.com/photos/djbrady/2304740173/ http://www.flickr.com/photos/inkytwist/2654071573/ http://www.flickr.com/photos/duncan/2741594585/ http://www.flickr.com/photos/shellysblogger/2924699161/ http://www.flickr.com/photos/blogumentary/434097609/ http://www.flickr.com/photos/glamhag/2214986176/ http://www.flickr.com/photos/duncan/2693140217/This presentation created by Gábor HojtsyLicensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
  51. 51. Questions?
  52. 52. Thank you!Gábor Hojtsy, Acquia @gaborhojtsy
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×