Your SlideShare is downloading. ×
Doing Drupal security right
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Doing Drupal security right


Published on

Slides from Drupalcamp Stockholm 2011

Slides from Drupalcamp Stockholm 2011

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Doing Drupal security right Gábor Hojtsy , Acquia May 7th 2011., Drupalcamp StockholmWith special thanks to Four Kitchens, Greg Knaddison and Jakub Suchy
  • 2. Why I’m here?• Maintainer for Drupal 6• De-facto member of the security team
  • 3. Why are you here?• Managers?• Site builders?• Themers?• Developers?
  • 4. Are you affected?
  • 5. With relatively simple holes,your administrator user canbe taken over.
  • 6. Open Web Application Security Project’s Top 10 risks Top 10 - 2010.pdf
  • 7. Security misconfiguration
  • 8. Heard of attack?
  • 9. Secure server• Avoid using FTP at all cost (Total Commander is an enemy)• Who do you share your server with? Are you confident? Run other apps?• Keep your OS, PHP, SQL server, etc. up to date
  • 10. Secure Drupal• Is your admin password “admin”?• Look at all “administer *” permissions• “administer filters” can take over a site• Use update.module, watch the security news (Wednesdays)
  • 11. Secure Drupal• Avoid any kind of PHP input, write your own modules instead• Look into using paranoia.module• Watch your input formats (you can be googled)
  • 12. Injection
  • 13. index.php?id=12mysql_query(“UPDATE mytableSET value = ‘”. $value .”’WHERE id = ”. $_GET[‘id’]);
  • 14. Drupal approach• db_query(“UPDATE {mytable} SET value = :value WHERE id = :id”, array (‘:value’ => $value, ‘:id’ => $id);• If you need to include dynamic table or column names in your query, see db_escape_table()
  • 15. Cross Site Scripting (XSS)
  • 16. index.php?id=12print $_GET[‘id’];$output .= $node->title;Giving full HTML access.
  • 17. 64% likeliness a website hasCross site scripting issues
  • 18. jQuery.get(/user/1/edit, function (data, status) { if (status == success) { var p = /id="edit-user-edit-form-token"value="([a-z0-9]*)"/; var matches = data.match(p); var token = matches[1]; var payload = { "form_id": user_edit, "form_token": token, "pass[pass1]": hacked, "pass[pass2]": hacked };, payload); } }); Example from Heine Deelstra, Drupal Security team lead
  • 19. Drupal approach• check_plain() to escape text to HTML• check_markup() to format text to HTML• filter_xss() to filter text to HTML• filter_xss_admin() to filter admin text to HTML• node_view($node) instead of $node->body
  • 20. Drupal approach• t(), format_plural() placeholders: %name, @url, !insecure t(‘%name has a blog at <a href=”@url”>@url</a>’, array(‘@url’ => valid_url($user->profile_blog), ‘%name’ => $user->name));• Use Drupal.t(), Drupal.formatPlural() in JS.
  • 21. Always consider thetype of output needed
  • 22. Authentication & sessions
  • 23. • Weak password storage and account management• Session hijacking / fixation• Lack of session timeout / logout
  • 24. Drupal approach• Passwords are stored encrypted• Session IDs changed when permissions change• Drupal works with Apache’s SSL transport• Modules to set certain URLs to use SSL
  • 25. Insecure direct object references
  • 26. index.php?id=12db_query(“SELECT * FROM {node}WHERE nid = :id”, array(‘:id’=> $_GET[‘id’]));
  • 27. Drupal approach• Menu system handles permission checking• user_access(‘administer nodes’, $account)• node_access(‘edit’, $node, $account);• $select->addtag(‘node_access’);• Form API checks for data validity
  • 28. Cross Site Request Forgery (CSRF)
  • 29. <img src=”” />
  • 30.<img src=”” />
  • 31. Drupal approach• Form API works with POST submissions by default (makes it harder)• Form API includes form tokens, requires form retrieval before submission, checks valid values• drupal_valid_token() provided to generate/validate tokens for GET requests
  • 32. Insecurecryptographic storage
  • 33. Drupal approach• Drupal stores user passwords encrypted with a one-way hash• Different randomly generated private key is provided on each site, which can be used to do reversible encryption• Up to you to ensure backups are properly protected
  • 34. Failure to restrict URL access
  • 35. Drupal approach• Menu system uses access callback and access arguments• Continually review permissions
  • 36. Insufficient transport protection
  • 37. Drupal approach• Run Drupal on top of full SSL• Use securepages and securepages_prevent_hijack to wall your important pages• greggles/drupal-and-ssl-multiple- recipes-possible-solutions• Use a valid certificate
  • 38. Unvalidated redirects
  • 39.
  • 40. Drupal approach• Drupal has various internal redirections, which use local paths and generate URLs based on them• Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
  • 41. Is Open Source secure?
  • 42. “Open Source is secure”• Open Source makes people look at it• Popularity gets more eyes• There are always more smart people to find and fix problems
  • 43. “Open Source is insecure”• People can equally find holes• Some people (inadvertently) disclose issues in the public• Fix becomes public and can / will be reviewed
  • 44. Is Drupal secure?
  • 45. Developers and users• Drupal APIs are designed to be secure• It is eventually up to programmers to use them that way•• Tools designed for security can still be misconfigured
  • 46. Drupal security teamA team of volunteers working to ensurebest security of Drupal and thousands ofcontributed modules
  • 47. Design. Educate. Fix.
  • 48. What’s supported?• Drupal core and all(!) contributed projects on• Not actively looking for vulnerabilities in contributed modules• Stable releases (development versions only for very popular modules)• Only current and one earlier versions are supported: now 7.x and 6.x
  • 49. Points of contact• Releases at• Reporting issues: node/101494• Reporting cracked sites: http://
  • 50. These slides are (CC) Images used: presentation created by Gábor HojtsyLicensed:
  • 51. Questions?
  • 52. Thank you!Gábor Hojtsy, Acquia @gaborhojtsy