Drupal Security: How to survive Drupalgeddon and prepare for future
My talk at European Drupal Days 2015 in Milan, Italy.

Drupalgeddon was the single biggest Drupal security vulnerability to date. But it isn't the only one, as there have been many more vulnerabilities with less publicity. In this talk I will explain what happened with Drupalgeddon and how to prepare for similar situations in the future. We will also look at some best practices for securing your Drupal website.


1. DRUPAL SECURITY: HOW TO SURVIVE DRUPAGEDDON AND PREPARE FOR FUTURE
   Created by Kristian Polso / @kristian_polso

2. ABOUT ME
   Kristian Polso
   CTO at Vaiste Productions
   Been working with Drupal since version 5
   Earlier PHP background
   @kristian_polso

3. ABOUT VAISTE PRODUCTIONS
   Drupal solutions company
   Based in Turku, Finland
   Focus on more customized Drupal solutions & integrations
   http://vaiste.com / @vaisteprod

4. PURPOSE OF THIS PRESENTATION
   What was Drupageddon and what happened
   How to prepare for similar vulnerabilities
   Best practices

5. WHAT WAS DRUPAGEDDON?
   A vulnerability found in Drupal 7's database abstraction API
   Drupal Security Team was informed of it in September 2014
   Update released on October 15 2014 (Drupal 7.32)
   Biggest vulnerability in Drupal's history
   Name given by Twitter (#drupageddon)

6. HOW DID DRUPAGEDDON WORK?

```php
// includes/database/database.inc (Drupal 7 before 7.32, DatabaseConnection::expandArguments())
foreach (array_filter($args, 'is_array') as $key => $data) {
  foreach ($data as $i => $value) {
    // Next line of the same function in core: the array key $i is pasted into the
    // placeholder name, which is later substituted into the SQL text itself
    $new_keys[$key . '_' . $i] = $value;
  }
}
```

   $args are GET parameters from the user
   $i are supposed to be keys, as in integers
   SUPPOSED to be...

7. A normal form submission:

```html
<input type="text" name="email[email1]" value="email1@address.com">
<input type="text" name="email[email2]" value="email2@address.com">
```

```php
$_POST = array(
  'email' => array(
    'email1' => 'email1@address.com',
    'email2' => 'email2@address.com',
  ),
);
```

8. A crafted submission, where the array key is no longer an integer:

```html
<input type="text" name="email[email1]" value="email1@address.com">
<input type="text" name="email[0;UPDATE node SET title='uh-oh'; --]" value="email2@address.com">
```
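Added example (not from the slides and not Drupal core's own code) modelling the placeholder expansion slides 6 to 8 describe: expandForDemo() is a constructed, cut-down copy of the expandArguments() logic with a flag that switches between the pre-7.32 behaviour and the 7.32 fix (array_values() instead of the submitted keys); the query and the submitted array are constructed to mirror slide 8.

```php
<?php
// Added example, not from the slides or from Drupal core. expandForDemo() and the
// sample input are constructed; $key, $data, $i, $new_keys follow the names used in
// DatabaseConnection::expandArguments() (includes/database/database.inc).

// $fixed = FALSE models Drupal 7 before 7.32, $fixed = TRUE models the 7.32 change.
function expandForDemo($query, array $args, $fixed) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    // 7.32 fix: array_values() discards the caller-supplied keys, so $i is always a
    // 0-based integer and can no longer carry text from the request.
    $items = $fixed ? array_values($data) : $data;
    foreach ($items as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // The placeholder names are substituted straight into the SQL string; only the
    // values in $args are bound by the database driver.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Constructed input mirroring slide 8: one array key is an ordinary string, the other
// is the non-integer key from the slide.
$query = "SELECT * FROM {users} WHERE name IN (:name)";
$args  = array(':name' => array(
  'email1' => 'email1@address.com',
  "0;UPDATE node SET title='uh-oh'; --" => 'email2@address.com',
));

list($vulnQuery, $vulnArgs) = expandForDemo($query, $args, FALSE);
list($safeQuery, $safeArgs) = expandForDemo($query, $args, TRUE);

echo "Before 7.32: $vulnQuery\n";
echo "With 7.32:   $safeQuery\n";
echo "Bound values after fix: " . implode(', ', array_keys($safeArgs)) . "\n";
```

With the pre-7.32 branch the submitted key lands inside the SQL text of the query; with the 7.32 branch the query only ever contains `:name_0, :name_1` and the submitted strings stay in $args, where the driver binds them as values.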
9. ANY ANONYMOUS USER CAN GET ACCESS TO YOUR SITE'S DATABASE

10. GO UPDATE YOUR DRUPAL SITE NOW
    SERIOUSLY, NOW

11. THE AFTERMATH
    BBC: "Up to 12 million websites may have been compromised"
    Some hosting partners were really quick to patch
    Drupal Security Team was super useful

12. CRAWLING THE TOP 15,000 DRUPAL WEBSITES
    goo.gl/NPr20o (polso.info)
    Done in November 2014

13. IF YOU GOT HACKED
    Recover from backups
    drupal.org/project/drupalgeddon

14. HOW TO BE SAFE FROM SECURITY VULNERABILITIES
    Keep Drupal core & modules updated
    Use managed hosting platforms (Acquia, Platform.sh, Pantheon)
    Writing secure code (drupal.org/writing-secure-code)

15. BEST PRACTICES

16. PERMISSIONS
    Are all roles necessary?
    Auto-grants
    Review manually

17. XSS
    Text formats
    Adding nodes (titles, body)

18. AUTHENTICATION
    Weak passwords
    Autologout (d.o/project/autologout)
    SSL

19. COMMON SECURITY MISCONFIGURATIONS
    Admin password? "admin"
    Never use PHP input
    Avoid FTP, use SFTP/SCP

20. VERSIONING
    Try not to use dev versions in production
    Thoroughly test

21. CUSTOM CODE

22. OPEN SOURCE IS AWESOME
    Modules can have hundreds of users
    Easy issue tracking

23. COMMON PITFALLS IN CUSTOM CODE
    Not properly checking permissions
    You don't notice your own mistakes

24. CONCLUSION
    Update your modules
    Try not to use dev versions in production
    Review your custom code

25. THANK YOU
    Kristian Polso
    @kristian_polso
