Drupal Security from Drupalcamp Bratislava

  • 1,396 views
Uploaded on

Drupal Security slides from Drupalcamp Bratislava 2010

Drupal Security slides from Drupalcamp Bratislava 2010

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,396
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
50
Comments
0
Likes
3

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Drupal security Gábor Hojtsy , Acquia February 27. 2010, Drupalcamp Bratislava With special thanks to Four Kitchens, Greg Knaddison and Jakub Suchy
  • 2. Why I’m here? • Stepping in for Jakub Suchy • Co-maintainer to Drupal 6 • De-facto member of the security team
  • 3. Are you affected?
  • 4. With relatively simple holes, your administrator user can be taken over.
  • 5. Open Web Application Security Project’s Top 10 risks http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf
  • 6. Security misconfiguration
  • 7. Secure server • Avoid using FTP at all cost (Total Commander is the enemy) • Who do you share your server with? Are you confident? • Keep your OS, PHP, SQL server, etc. up to date
  • 8. Secure Drupal • Is your admin password “admin”? • Look at all “administer *” permissions • “administer filters” can take over a site • Use update.module, watch the security news (Wednesdays)
  • 9. Secure Drupal • Avoid any kind of PHP input, write your own modules instead • Watch your input formats (you can be googled)
  • 10. Injection
  • 11. index.php?id=12 mysql_query(“UPDATE mytable SET value = ‘”. $value .”’ WHERE id = ”. $_GET[‘id’]);
  • 12. Drupal approach • db_query(“UPDATE {mytable} SET value = ‘%s’ WHERE id = %d”, $value, $id); • If you need to include dynamic table or column names in your query, see db_escape_table()
  • 13. Cross Site Scripting (XSS)
  • 14. index.php?id=12 print $_GET[‘id’]; $output .= $node->title; Giving full HTML access.
  • 15. 66% likeliness a website has Cross site scripting issues http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
  • 16. jQuery.get('/user/1/edit', function (data, status) { if (status == 'success') { var p = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/; var matches = data.match(p); var token = matches[1]; var payload = { "form_id": 'user_edit', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post('/user/1/edit', payload); } } ); Example from Heine Deelstra, Drupal Security team lead http://heine.familiedeelstra.com/change-password-xss
  • 17. Drupal approach • check_plain() to escape text to HTML • check_markup() to format text to HTML • filter_xss() to filter text to HTML • filter_xss_admin() to filter admin text to HTML • node_view($node) instead of $node->body
  • 18. Drupal approach • t(), format_plural() placeholders: %name, @url, !insecure t(‘%name has a blog at <a href=”@url”>@url</a>’, array(‘@url’ => valid_url($user->profile_blog), ‘%name’ => $user->name)); • Use Drupal.t(), Drupal.formatPlural() in JS.
  • 19. Authentication & sessions
  • 20. • Weak password storage and account management • Session hijacking / fixation • Lack of session timeout / logout
  • 21. Drupal approach • Passwords are stored encrypted • Session IDs changed when permissions change • Drupal works with Apache’s SSL transport • Modules to set certain URLs to use SSL
  • 22. Common problem global $user; // .... $user = user_load($uid);
  • 23. Proper solution global $user; // .... $account = user_load($uid);
  • 24. Insecure direct object references
  • 25. index.php?id=12 db_query(“SELECT * FROM {user} WHERE id = %d”, $_GET[‘id’]);
  • 26. Drupal approach • Menu system handles permission checking • user_access(‘administer nodes’, $account) • node_access(‘edit’, $node, $account); • db_query(db_rewrite_sql(‘SELECT title FROM {node} n’)); • Form API checks for data validity
  • 27. Cross Site Request Forgery (CSRF)
  • 28. http://example.com/index.php? delete=12 <img src=”http://example.com/ index.php?delete=12” />
  • 29. Drupal approach • Form API works with POST submissions by default (makes it harder) • Form API includes form tokens, requires form retrieval before submission, checks valid values • drupal_valid_token() provided to generate/validate tokens for GET requests
  • 30. Failure to restrict URL access
  • 31. Drupal approach • Menu system uses access callback and access arguments • Continually review permissions
  • 32. Common problem $items[‘myitem’] = array( ‘page callback’ => ‘myfunc’, ‘access callback’ => user_access(‘access content’), );
  • 33. Proper solution $items[‘myitem’] = array( ‘page callback’ => ‘myfunc’, ‘access callback’ => ‘user_access’, ‘access arguments’ => array (‘access content’), );
  • 34. Unvalidated redirections
  • 35. http://example.com/index.php? target=evil.com
  • 36. Drupal approach • Drupal has various internal redirections, which use local paths and generate URLs based on them • Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
  • 37. Insecure cryptographic storage
  • 38. Drupal approach • Drupal stores user passwords encrypted with a one-way hash • Different randomly generated private key is provided on each site, which can be used to do reversible encryption • Up to you to ensure backups are properly protected
  • 39. Insufficient transport protection
  • 40. Drupal approach • Run Drupal on top of full SSL • Use securepages and securepages_prevent_hijack to wall your important pages • http://crackingdrupal.com/blog/ greggles/drupal-and-ssl-multiple- recipes-possible-solutions • Use a valid certificate
  • 41. Is Open Source secure?
  • 42. “Open Source is secure” • Open Source makes people look at it • Popularity gets more eyes • There are always more smart people to find and fix problems
  • 43. “Open Source is insecure” • People can equally find holes • Some people (inadvertently) disclose issues in the public • Fix becomes public and can / will be reviewed
  • 44. Is Drupal secure?
  • 45. Developers and users • Drupal APIs are designed to be secure • It is eventually up to programmers to use them that way • http://drupal.org/writing-secure-code • Tools designed for security can still be misconfigured
  • 46. Drupal security team A team of volunteers working to ensure best security of Drupal and thousands of contributed modules
  • 47. Design. Educate. Fix.
  • 48. What’s supported? • Drupal core and all(!) contributed project on drupal.org • Not actively looking for vulnerabilities in contributed modules • Stable releases and development versions (for very popular modules) • Only current and one earlier versions are supported: now 6.x, 5.x
  • 49. Points of contact • Releases at http://drupal.org/security • Reporting issues: http://drupal.org/ node/101494 • Reporting cracked sites: http:// drupal.org/node/213320
  • 50. These slides are (CC) Images used: http://www.flickr.com/photos/rtv/2398561954/ http://www.flickr.com/photos/jonk/19422564/ http://www.flickr.com/photos/duncan/2693141693/ http://www.flickr.com/photos/duncan/2742371814 http://www.flickr.com/photos/jontintinjordan/3736095793/ http://www.flickr.com/photos/djbrady/2304740173/ http://www.flickr.com/photos/inkytwist/2654071573/ http://www.flickr.com/photos/duncan/2741594585/ http://www.flickr.com/photos/shellysblogger/2924699161/ http://www.flickr.com/photos/blogumentary/434097609/ http://www.flickr.com/photos/glamhag/2214986176/ http://www.flickr.com/photos/duncan/2693140217/ This presentation is © Gábor Hojtsy Licensed: Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
  • 51. Questions?
  • 52. Thank you! Gábor Hojtsy, Acquia http://twitter.com/gaborhojtsy