Your SlideShare is downloading. ×
0
Drupal security
             Gábor Hojtsy , Acquia




   February 27. 2010, Drupalcamp Bratislava
With special thanks to ...
Why I’m here?

• Stepping in for Jakub Suchy
• Co-maintainer to Drupal 6
• De-facto member of the security team
Are you affected?
With relatively simple holes,
your administrator user can
be taken over.
Open Web Application
           Security Project’s
              Top 10 risks
http://www.owasp.org/images/0/0f/OWASP_T10_-...
Security misconfiguration
Secure server

• Avoid using FTP at all cost (Total
  Commander is the enemy)
• Who do you share your server with? Are
  y...
Secure Drupal

• Is your admin password “admin”?
• Look at all “administer *” permissions
• “administer filters” can take ...
Secure Drupal

• Avoid any kind of PHP input, write your
  own modules instead
• Watch your input formats (you can be
  go...
Injection
index.php?id=12


mysql_query(“UPDATE mytable
SET value = ‘”. $value .”’
WHERE id = ”. $_GET[‘id’]);
Drupal approach

• db_query(“UPDATE {mytable} SET
  value = ‘%s’ WHERE id = %d”, $value,
  $id);
• If you need to include ...
Cross Site Scripting (XSS)
index.php?id=12
print $_GET[‘id’];


$output .= $node->title;
Giving full HTML access.
66%
  likeliness a website has
 Cross site scripting issues
http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT...
jQuery.get('/user/1/edit',
   function (data, status) {
     if (status == 'success') {
       var p = /id="edit-user-edit...
Drupal approach

• check_plain() to escape text to HTML
• check_markup() to format text to HTML
• filter_xss() to filter t...
Drupal approach
• t(), format_plural() placeholders:
  %name, @url, !insecure

  t(‘%name has a blog at <a
  href=”@url”>@...
Authentication
 & sessions
• Weak password storage and
 account management
• Session hijacking / fixation
• Lack of session timeout /
 logout
Drupal approach

• Passwords are stored encrypted
• Session IDs changed when permissions
  change
• Drupal works with Apac...
Common problem

global $user;
// ....
$user = user_load($uid);
Proper solution

global $user;
// ....
$account = user_load($uid);
Insecure direct object references
index.php?id=12


db_query(“SELECT * FROM {user}
WHERE id = %d”, $_GET[‘id’]);
Drupal approach
• Menu system handles permission checking
• user_access(‘administer nodes’, $account)
• node_access(‘edit’...
Cross Site Request
 Forgery (CSRF)
http://example.com/index.php?
delete=12


<img src=”http://example.com/
index.php?delete=12” />
Drupal approach
• Form API works with POST submissions
  by default (makes it harder)
• Form API includes form tokens, req...
Failure to restrict
   URL access
Drupal approach


• Menu system uses access callback and
  access arguments
• Continually review permissions
Common problem
$items[‘myitem’] = array(
     ‘page callback’ => ‘myfunc’,
  ‘access callback’ =>
user_access(‘access cont...
Proper solution
$items[‘myitem’] = array(
     ‘page callback’ => ‘myfunc’,
  ‘access callback’ =>
‘user_access’,
  ‘acces...
Unvalidated
redirections
http://example.com/index.php?
target=evil.com
Drupal approach

• Drupal has various internal
  redirections, which use local paths and
  generate URLs based on them
• L...
Insecure cryptographic storage
Drupal approach
• Drupal stores user passwords encrypted
  with a one-way hash
• Different randomly generated private
  ke...
Insufficient transport protection
Drupal approach
• Run Drupal on top of full SSL
• Use securepages and
  securepages_prevent_hijack to wall
  your importan...
Is Open Source
    secure?
“Open Source is
       secure”

• Open Source makes people look at it
• Popularity gets more eyes
• There are always more ...
“Open Source is
       insecure”
• People can equally find holes
• Some people (inadvertently) disclose
  issues in the pu...
Is Drupal secure?
Developers and users
• Drupal APIs are designed to be secure
• It is eventually up to programmers to
  use them that way
•...
Drupal security team


A team of volunteers working to ensure
best security of Drupal and thousands of
contributed modules
Design. Educate. Fix.
What’s supported?
• Drupal core and all(!) contributed
  project on drupal.org
• Not actively looking for vulnerabilities
...
Points of contact

• Releases at http://drupal.org/security
• Reporting issues: http://drupal.org/
  node/101494
• Reporti...
These slides are (CC)
                       Images used:
       http://www.flickr.com/photos/rtv/2398561954/
       http:...
Questions?
Thank you!
 Gábor Hojtsy, Acquia
http://twitter.com/gaborhojtsy
Drupal Security from Drupalcamp Bratislava
Upcoming SlideShare
Loading in...5
×

Drupal Security from Drupalcamp Bratislava

1,494

Published on

Drupal Security slides from Drupalcamp Bratislava 2010

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,494
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
51
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Transcript of "Drupal Security from Drupalcamp Bratislava"

  1. 1. Drupal security Gábor Hojtsy , Acquia February 27. 2010, Drupalcamp Bratislava With special thanks to Four Kitchens, Greg Knaddison and Jakub Suchy
  2. 2. Why I’m here? • Stepping in for Jakub Suchy • Co-maintainer to Drupal 6 • De-facto member of the security team
  3. 3. Are you affected?
  4. 4. With relatively simple holes, your administrator user can be taken over.
  5. 5. Open Web Application Security Project’s Top 10 risks http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf
  6. 6. Security misconfiguration
  7. 7. Secure server • Avoid using FTP at all cost (Total Commander is the enemy) • Who do you share your server with? Are you confident? • Keep your OS, PHP, SQL server, etc. up to date
  8. 8. Secure Drupal • Is your admin password “admin”? • Look at all “administer *” permissions • “administer filters” can take over a site • Use update.module, watch the security news (Wednesdays)
  9. 9. Secure Drupal • Avoid any kind of PHP input, write your own modules instead • Watch your input formats (you can be googled)
  10. 10. Injection
  11. 11. index.php?id=12 mysql_query(“UPDATE mytable SET value = ‘”. $value .”’ WHERE id = ”. $_GET[‘id’]);
  12. 12. Drupal approach • db_query(“UPDATE {mytable} SET value = ‘%s’ WHERE id = %d”, $value, $id); • If you need to include dynamic table or column names in your query, see db_escape_table()
  13. 13. Cross Site Scripting (XSS)
  14. 14. index.php?id=12 print $_GET[‘id’]; $output .= $node->title; Giving full HTML access.
  15. 15. 66% likeliness a website has Cross site scripting issues http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
  16. 16. jQuery.get('/user/1/edit', function (data, status) { if (status == 'success') { var p = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/; var matches = data.match(p); var token = matches[1]; var payload = { "form_id": 'user_edit', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post('/user/1/edit', payload); } } ); Example from Heine Deelstra, Drupal Security team lead http://heine.familiedeelstra.com/change-password-xss
  17. 17. Drupal approach • check_plain() to escape text to HTML • check_markup() to format text to HTML • filter_xss() to filter text to HTML • filter_xss_admin() to filter admin text to HTML • node_view($node) instead of $node->body
  18. 18. Drupal approach • t(), format_plural() placeholders: %name, @url, !insecure t(‘%name has a blog at <a href=”@url”>@url</a>’, array(‘@url’ => valid_url($user->profile_blog), ‘%name’ => $user->name)); • Use Drupal.t(), Drupal.formatPlural() in JS.
  19. 19. Authentication & sessions
  20. 20. • Weak password storage and account management • Session hijacking / fixation • Lack of session timeout / logout
  21. 21. Drupal approach • Passwords are stored encrypted • Session IDs changed when permissions change • Drupal works with Apache’s SSL transport • Modules to set certain URLs to use SSL
  22. 22. Common problem global $user; // .... $user = user_load($uid);
  23. 23. Proper solution global $user; // .... $account = user_load($uid);
  24. 24. Insecure direct object references
  25. 25. index.php?id=12 db_query(“SELECT * FROM {user} WHERE id = %d”, $_GET[‘id’]);
  26. 26. Drupal approach • Menu system handles permission checking • user_access(‘administer nodes’, $account) • node_access(‘edit’, $node, $account); • db_query(db_rewrite_sql(‘SELECT title FROM {node} n’)); • Form API checks for data validity
  27. 27. Cross Site Request Forgery (CSRF)
  28. 28. http://example.com/index.php? delete=12 <img src=”http://example.com/ index.php?delete=12” />
  29. 29. Drupal approach • Form API works with POST submissions by default (makes it harder) • Form API includes form tokens, requires form retrieval before submission, checks valid values • drupal_valid_token() provided to generate/validate tokens for GET requests
  30. 30. Failure to restrict URL access
  31. 31. Drupal approach • Menu system uses access callback and access arguments • Continually review permissions
  32. 32. Common problem $items[‘myitem’] = array( ‘page callback’ => ‘myfunc’, ‘access callback’ => user_access(‘access content’), );
  33. 33. Proper solution $items[‘myitem’] = array( ‘page callback’ => ‘myfunc’, ‘access callback’ => ‘user_access’, ‘access arguments’ => array (‘access content’), );
  34. 34. Unvalidated redirections
  35. 35. http://example.com/index.php? target=evil.com
  36. 36. Drupal approach • Drupal has various internal redirections, which use local paths and generate URLs based on them • Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
  37. 37. Insecure cryptographic storage
  38. 38. Drupal approach • Drupal stores user passwords encrypted with a one-way hash • Different randomly generated private key is provided on each site, which can be used to do reversible encryption • Up to you to ensure backups are properly protected
  39. 39. Insufficient transport protection
  40. 40. Drupal approach • Run Drupal on top of full SSL • Use securepages and securepages_prevent_hijack to wall your important pages • http://crackingdrupal.com/blog/ greggles/drupal-and-ssl-multiple- recipes-possible-solutions • Use a valid certificate
  41. 41. Is Open Source secure?
  42. 42. “Open Source is secure” • Open Source makes people look at it • Popularity gets more eyes • There are always more smart people to find and fix problems
  43. 43. “Open Source is insecure” • People can equally find holes • Some people (inadvertently) disclose issues in the public • Fix becomes public and can / will be reviewed
  44. 44. Is Drupal secure?
  45. 45. Developers and users • Drupal APIs are designed to be secure • It is eventually up to programmers to use them that way • http://drupal.org/writing-secure-code • Tools designed for security can still be misconfigured
  46. 46. Drupal security team A team of volunteers working to ensure best security of Drupal and thousands of contributed modules
  47. 47. Design. Educate. Fix.
  48. 48. What’s supported? • Drupal core and all(!) contributed project on drupal.org • Not actively looking for vulnerabilities in contributed modules • Stable releases and development versions (for very popular modules) • Only current and one earlier versions are supported: now 6.x, 5.x
  49. 49. Points of contact • Releases at http://drupal.org/security • Reporting issues: http://drupal.org/ node/101494 • Reporting cracked sites: http:// drupal.org/node/213320
  50. 50. These slides are (CC) Images used: http://www.flickr.com/photos/rtv/2398561954/ http://www.flickr.com/photos/jonk/19422564/ http://www.flickr.com/photos/duncan/2693141693/ http://www.flickr.com/photos/duncan/2742371814 http://www.flickr.com/photos/jontintinjordan/3736095793/ http://www.flickr.com/photos/djbrady/2304740173/ http://www.flickr.com/photos/inkytwist/2654071573/ http://www.flickr.com/photos/duncan/2741594585/ http://www.flickr.com/photos/shellysblogger/2924699161/ http://www.flickr.com/photos/blogumentary/434097609/ http://www.flickr.com/photos/glamhag/2214986176/ http://www.flickr.com/photos/duncan/2693140217/ This presentation is © Gábor Hojtsy Licensed: Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
  51. 51. Questions?
  52. 52. Thank you! Gábor Hojtsy, Acquia http://twitter.com/gaborhojtsy
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×