Advertisement
Check these out next
Drupal Security: How to survive Drupalgeddon and prepare for future
Mar. 19, 2015•0 likes•2,735 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Internet
My talk at European Drupal Days 2015 in Milan, Italy. Drupalgeddon was the single biggest Drupal security vulnerability to date. But it isn’t the only one, as there has been a lot more vulnerabilities with less publicity. In this talk I will explain what happened with Drupalgeddon and how to prepare in future for similar situations. Also we will look at some best practices for securing your Drupal website.
Kristian PolsoFollow
CTO at Vaiste ProductionsAdvertisement
Advertisement
Advertisement
Recommended
Drupal Security: How to survive Drupalgeddon and prepare for future (European...Eugenio Minardi
Bridging the gap between business and technology - Behaviour Driven Developme...Eugenio Minardi
Research software and Dataversephilipdurbin
Doing Drupal: Quick Start Deployments via DistributionsThom Bunting
Drupal 8 and iOS - an Open Source ApplittleMAS
Boost your theming skills - Artem ShymkoDrupalCampDN
Drupal Security: How to survive Drupalgeddon and prepare for future
- DRUPAL SECURITY HOW TO SURVIVE DRUPAGEDDON AND PREPARE FOR FUTURE Created by Kristian Polso / @kristian_polso
- ABOUT ME Kristian Polso CTO at Vaiste Productions Been working with Drupal since version 5 Earlier PHP background @kristian_polso
- ABOUT VAISTE PRODUCTIONS Drupal solutions company Based in Turku, Finland Focus on more customized Drupal solutions & integrations http://vaiste.com / @vaisteprod
- PURPOSE OF THIS PRESENTATION What was Drupageddon and what happened How to prepare for similar vulnerabilities Best practices
- WHAT WAS DRUPAGEDDON? A vulnerability found in Drupal 7's database abstraction API Drupal Security Team was informed of it in September 2014 Update released on October 15 2014 (Drupal 7.32) Biggest vulnerability in Drupal's history Name given by twitter (#drupageddon)
- HOW DID DRUPAGEDDON WORK? // includes/database/database.inc foreach (array_filter($args, 'is_array') as $key => $data) { foreach ($data as $i => $value) { $args are GET parameters from the user $i are supposed to be keys, as in integers SUPPOSED to be...
- <input type="text" name="email[email1]" value="email1@address.com"> <input type="text" name="email[email2]" value="email2@address.com"> $_POST = array( 'email' => array( 'email1' => 'email1@address.com', 'email2' => 'email2@address.com', ) );
- <input type="text" name="email[email1]" value="email1@address.com"> <input type="text" name="email[0;UPDATE node SET title='uhoh'; ]" value="email2@address.com">
- ANY ANONYMOUS USER CAN GET ACCESS TO YOUR SITE'S DATABASE
- GO UPDATE YOUR DRUPAL SITE NOW SERIOUSLY, NOW
- THE AFTERMATH BBC: "Up to 12 million websites may have been compromised" Some hosting partners were really quick to patch Drupal Security Team was super useful
- CRAWLING THE TOP 15,000 DRUPAL WEBSITES goo.gl/NPr20o (polso.info) Done in November 2014
- IF YOU GOT HACKED Recover from backups drupal.org/project/drupalgeddon
- HOW TO BE SAFE FROM SECURITY VULNERABILITIES Keep Drupal core & modules updated Use managed hosting platforms (Acquia, Platform.sh, Pantheon) Writing secure code (drupal.org/writing-secure-code)
- BEST PRACTICES
- PERMISSIONS Are all roles necessary? Auto-grants Review manually
- XSS Text formats Adding nodes (titles, body)
- AUTHENTICATION Weak passwords Autologout (d.o/project/autologout) SSL
- COMMON SECURITY MISCONFIGURATIONS Admin password? "admin" Never use PHP input Avoid FTP, use SFTP/SCP
- VERSIONING Try not to use dev versions in production Thoroughly test
- CUSTOM CODE
- OPEN SOURCE IS AWESOME Modules can have hundreds users Easy issue tracking
- COMMON PITFALLS IN CUSTOM CODE Not properly checking permissions You don't notice your own mistakes
- CONCLUSION Update your modules Try not to use dev versions in production Review your custom code
- THANK YOU Kristian Polso @kristian_polso
Advertisement