Drupal, WordPress, and Joomla are very popular Content Management Systems (CMS) that have been widely adopted by government agencies, major businesses, social networks, and more — underscoring why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester’s perspective of CMSs and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open-source and can be downloaded and implemented following the presentation.
22. Gaining Admin Access to Drupal
Already have server access?
Drush available?
Create a one-time link to log in as an admin…
$ cd [drupal directory]
$ drush uli
33. Joomla & WordPress
• Brute Forcing w/ Burp works against WordPress too!
• Will not work against Joomla…
• Joomla integrates a unique form token per login request, which is actually verified by the server (unlike Drupal’s form token) :-P
• Brute forcing can be scripted but will be slow…
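The per-request token the slide credits Joomla with is the control that makes scripted guessing slow: each attempt first has to fetch a new form, and a replayed token is refused. The following is an added Python model of that mechanism, not Joomla's or WordPress's own code; the `LoginFormTokens` class, the per-session cap and the `count_accepted` simulation are assumptions made for the illustration.

```python
"""Per-request login form token (added illustration in Python; not Joomla's
or WordPress's own code). Models the behaviour the slide describes: every
rendered login form carries a fresh token, the server verifies it on submit,
and a token is good for exactly one attempt, so a scripted attack has to fetch
a new form before each try and replayed tokens are rejected."""
import hmac
import secrets
from collections import deque

MAX_OUTSTANDING_PER_SESSION = 8  # assumed cap; keeps a session from hoarding tokens


class LoginFormTokens:
    """Issues one-use form tokens bound to a session identifier."""

    def __init__(self):
        # session_id -> most recently issued, not yet consumed tokens
        self._outstanding = {}

    def render_form(self, session_id):
        """Called when the login page is served: mint and remember a fresh token."""
        token = secrets.token_hex(16)
        queue = self._outstanding.setdefault(
            session_id, deque(maxlen=MAX_OUTSTANDING_PER_SESSION))
        queue.append(token)  # oldest token silently expires once the cap is hit
        return token

    def verify_and_consume(self, session_id, submitted):
        """Called on POST: accept only a token issued to this session, and only once."""
        queue = self._outstanding.get(session_id)
        if not queue or not isinstance(submitted, str):
            return False
        # Constant-time comparison against every outstanding token; no early exit on mismatch.
        match = None
        for token in queue:
            if hmac.compare_digest(token, submitted):
                match = token
        if match is None:
            return False
        queue.remove(match)
        return True


def count_accepted(store, session_id, attempts, refetch_form_each_time):
    """Simulate `attempts` login submissions from one session and report how many
    got past the token check. With refetching, each attempt costs an extra page
    load but passes; without it, only the first submission is accepted."""
    token = store.render_form(session_id)
    accepted = 0
    for _ in range(attempts):
        if store.verify_and_consume(session_id, token):
            accepted += 1
        if refetch_form_each_time:
            token = store.render_form(session_id)
    return accepted


if __name__ == "__main__":
    store = LoginFormTokens()
    print("refetch each time:", count_accepted(store, "sess-A", 5, True))   # 5
    print("replay one token: ", count_accepted(store, "sess-B", 5, False))  # 1
```

The token only raises the cost per guess (one extra round trip) rather than blocking guessing outright, which is exactly why the slide says scripted brute forcing is still possible but slow; rate limiting or lockout on the failed-login count is what actually stops it.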
34. Uh Oh
New Security Controls in Drupal 7…
Even better in Drupal 8!
42. Application Logging
• CMS logs should be captured and stored outside of the database to ensure log integrity.
• SIEM – Security Information Event Management
43. Drupal Application Logging
• Watchdog – Drupal’s built-in logging, captures data within the ‘Watchdog’ database table.
• Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor.
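Once watchdog entries land in syslog, the flat file is what a SIEM or a small script can watch. The Drupal syslog module writes one pipe-delimited line per entry; the Drupal 7 default format, as I recall it, is base_url|timestamp|type|ip|request_uri|referer|uid|link|message, but it is configurable. The example below is added here and is not part of the deck: it parses constructed sample lines in that format and flags any IP with a burst of failed logins. The `drupal:` syslog identity, the field order, the threshold and the window are all assumptions to adjust to the real configuration.

```python
"""Detect failed-login bursts in Drupal syslog output (added example; not
Drupal's code). Assumes the syslog module's Drupal 7 default line format,
base_url|timestamp|type|ip|request_uri|referer|uid|link|message, and the
syslog identity "drupal"."""
from collections import defaultdict, deque

# Constructed sample lines: four failures from one address, one from another,
# one successful login, and one unrelated "page not found" entry.
SAMPLE_SYSLOG = """\
Jun  3 10:15:01 web1 drupal: http://example.com|1401790501|user|203.0.113.5|/user/login|http://example.com/user|0||Login attempt failed for admin.
Jun  3 10:15:03 web1 drupal: http://example.com|1401790503|user|203.0.113.5|/user/login|http://example.com/user|0||Login attempt failed for admin.
Jun  3 10:15:04 web1 drupal: http://example.com|1401790504|user|198.51.100.7|/user/login|http://example.com/user|0||Login attempt failed for editor.
Jun  3 10:15:06 web1 drupal: http://example.com|1401790506|user|203.0.113.5|/user/login|http://example.com/user|0||Login attempt failed for admin.
Jun  3 10:15:09 web1 drupal: http://example.com|1401790509|user|203.0.113.5|/user/login|http://example.com/user|0||Login attempt failed for root.
Jun  3 10:16:00 web1 drupal: http://example.com|1401790560|user|192.0.2.9|/user/login|http://example.com/user|1||Session opened for admin.
Jun  3 10:16:30 web1 drupal: http://example.com|1401790590|page not found|203.0.113.5|/wp-login.php||0||wp-login.php
"""

FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message")
FAILED_LOGIN_PREFIX = "Login attempt failed for "   # the user module's watchdog message


def parse_drupal_syslog(line):
    """Return the watchdog fields of one syslog line, or None if it is not a Drupal entry."""
    _, found, payload = line.partition("drupal: ")
    if not found:
        return None
    # maxsplit=8 keeps any "|" inside the free-text message intact.
    parts = payload.split("|", 8)
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    record["timestamp"] = int(record["timestamp"])
    return record


def detect_failed_login_bursts(text, threshold=3, window=300):
    """Map each IP that produced >= threshold failed logins inside any
    `window`-second span to the peak count seen in such a span."""
    failures_by_ip = defaultdict(list)
    for line in text.splitlines():
        record = parse_drupal_syslog(line)
        if (record and record["type"] == "user"
                and record["message"].startswith(FAILED_LOGIN_PREFIX)):
            failures_by_ip[record["ip"]].append(record["timestamp"])

    alerts = {}
    for ip, stamps in failures_by_ip.items():
        stamps.sort()
        recent = deque()   # sliding window of timestamps within `window` seconds
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    print(detect_failed_login_bursts(SAMPLE_SYSLOG))   # {'203.0.113.5': 4}
```

Because the entries come from the syslog file rather than the watchdog table, an attacker who gains database access after a successful guess cannot quietly delete the trail, which is the integrity point the previous slide makes.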
44. WordPress Application Logging
• Nothing built-in… Need to use a plugin which stores security logs to a database table
• https://wordpress.org/plugins/wp-security-audit-log/
45. Joomla Application Logging
• Must be configured manually within Joomla’s configuration and is not enabled by default.
• Flat file logging can be set up using JLog!
• http://developer.joomla.org/manual/ch02s05s03.html
46. Authorization
• What are users allowed to do within comment fields?
• New filtered HTML tags?
• Full HTML Enabled?
Image: http://musformation.com/pics/trust-but-verify.jpg
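The questions on this slide come down to one check: given the text format assigned to a role, what does a comment body still carry after filtering? The following added Python example (not Drupal, WordPress or Joomla code) audits a constructed comment against a tag allowlist and reports script-bearing attributes separately, so the difference between a restricted format and "Full HTML" is visible on real markup. The allowlist is my recollection of Drupal 7's default Filtered HTML tags and is an assumption, as are the helper names.

```python
"""Audit of what a comment text format lets through (added Python example, not
Drupal/WordPress/Joomla code). Reports tags outside the allowlist and
attributes that carry script regardless of the tag."""
from html.parser import HTMLParser

# Assumed allowlist: the tags Drupal 7's default "Filtered HTML" format permits, as I recall them.
FILTERED_HTML_TAGS = {"a", "em", "strong", "cite", "blockquote", "code",
                      "ul", "ol", "li", "dl", "dt", "dd"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

# Constructed sample comment: mostly harmless markup plus three things a format should not pass.
SAMPLE_COMMENT = """
<p>Nice post!</p>
<strong>Thanks</strong> for the <a href="http://example.com/">write-up</a>.
<a href="javascript:doSomething()">click me</a>
<img src="x" onerror="doSomething()">
<script>doSomething()</script>
"""


class _TagAuditor(HTMLParser):
    """Collects disallowed tags and script-bearing attributes while parsing."""

    def __init__(self, allowed_tags):
        super().__init__()
        self.allowed_tags = allowed_tags      # None models "Full HTML": nothing is stripped
        self.disallowed_tags = set()
        self.risky_attributes = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands tag and attribute names over already lower-cased.
        if self.allowed_tags is not None and tag not in self.allowed_tags:
            self.disallowed_tags.add(tag)
        for name, value in attrs:
            if name.startswith("on"):                       # event handler: onerror, onclick, ...
                self.risky_attributes.add(f"{tag}@{name}")
            elif name in URL_ATTRIBUTES and value:
                # Drop all whitespace and lower-case before checking the scheme.
                scheme = "".join(value.split()).lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    self.risky_attributes.add(f"{tag}@{name}")


def audit_comment(html, allowed_tags):
    """Return the tags the format would have to strip and the attributes that
    carry script. allowed_tags=None models a format with no tag restriction."""
    auditor = _TagAuditor(allowed_tags)
    auditor.feed(html)
    auditor.close()
    return {"disallowed_tags": sorted(auditor.disallowed_tags),
            "risky_attributes": sorted(auditor.risky_attributes)}


def passes_as_anonymous_comment(html, allowed_tags):
    """True only if nothing needs stripping and no script-bearing attribute is present."""
    result = audit_comment(html, allowed_tags)
    return not result["disallowed_tags"] and not result["risky_attributes"]


if __name__ == "__main__":
    print("Filtered HTML:", audit_comment(SAMPLE_COMMENT, FILTERED_HTML_TAGS))
    print("Full HTML:    ", audit_comment(SAMPLE_COMMENT, None))
```

With the allowlist in place the `<script>` and `<img>` tags would be stripped by the format; with Full HTML nothing is stripped and both the event handler and the `javascript:` link reach every reader of the comment. That is the practical meaning of "Full HTML enabled?" for a role that untrusted users can hold.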
51. Drupal File Upload Vuln Fixed?
• Uploading and executing PHP code has been ‘fixed’ in recent versions of Drupal as of November 2013
• https://drupal.org/SA-CORE-2013-003
• Code execution prevention
• (Files directory .htaccess for Apache - Drupal 6 and 7)
• Not exactly… <evil> :-) </evil>
• Drupal 8 Fix? - https://www.drupal.org/node/1587270
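The Drupal 6/7 control named on this slide is the `.htaccess` that Drupal writes into the public files directory. A defender's first question is whether that file is still intact and not overridden, so the following added Python example (not Drupal's code) audits its contents: the expected directives are reproduced from my recollection of what Drupal 7 writes and the finding strings are my own. The check confirms the directives are present, not that the web server enforces them: Apache must allow the overrides and a non-Apache front end such as nginx ignores `.htaccess` entirely, which is one reason a presence check alone is not a fix.

```python
"""Audit the Drupal files-directory .htaccess (added example, not Drupal's code).
The reference text below is what Drupal 7 writes into sites/default/files as I
recall it; the audit flags missing protections and directives that re-enable
script execution."""
import re

EXPECTED_FILES_HTACCESS = """\
# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
"""

# Constructed weak variant: protections commented out or replaced by permissive directives.
WEAK_FILES_HTACCESS = """\
Options +Indexes +ExecCGI
AddType application/x-httpd-php .php
# SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<IfModule mod_php5.c>
  php_flag engine on
</IfModule>
"""

CATCH_ALL_HANDLER = "Drupal_Security_Do_Not_Remove_See_SA_2006_006"


def audit_files_htaccess(text):
    """Return a list of findings; an empty list means the expected protections are present."""
    findings = []
    # Strip comments so a commented-out directive does not count as present.
    active = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    active = [line for line in active if line]
    joined = "\n".join(active)

    if not re.search(rf"^SetHandler\s+{CATCH_ALL_HANDLER}$", joined, re.M):
        findings.append("missing SetHandler catch-all (scripts in the files directory may be executed)")
    if not re.search(r"^php_flag\s+engine\s+off$", joined, re.M | re.I):
        findings.append("PHP engine not disabled (php_flag engine off absent)")

    for line in active:
        low = line.lower()
        if re.match(r"(add|set)handler\b", low) and CATCH_ALL_HANDLER.lower() not in low:
            findings.append("handler directive re-enabling script execution: " + line)
        if re.match(r"addtype\b", low) and "php" in low:
            findings.append("AddType maps an extension to PHP: " + line)
        if low.startswith("options") and ("+execcgi" in low or "+includes" in low):
            findings.append("Options enables CGI/SSI execution: " + line)
        if re.match(r"php_flag\s+engine\s+on\b", low):
            findings.append("php_flag engine on re-enables PHP: " + line)
    return findings


if __name__ == "__main__":
    print("expected:", audit_files_htaccess(EXPECTED_FILES_HTACCESS))   # []
    for finding in audit_files_htaccess(WEAK_FILES_HTACCESS):
        print("weak:", finding)
```

Run it against the real file by reading `sites/default/files/.htaccess` and passing the text to `audit_files_htaccess`; pair the result with a server-side check that the vhost actually honours overrides for that directory.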
52. Insecure WordPress Plugins
• TimThumb - Popular and common plugin!
• v 2.8.13 WebShot Remote Code Execution
• http://www.exploit-db.com/exploits/33851/
53. Insecure Joomla Extensions
• Quite a few… Most interesting is a SQLi in Core
• We’ll Look into this later…
54. Drupal Development Modules
• Modules that assist with active development
• Remove prior to Test / Staging
• Never leave installed on Production applications
• Picking on…
• Devel — https://drupal.org/project/devel
• Masquerade – https://www.drupal.org/project/masquerade
56. Devel
• Module used for development
• Should never be installed on production, ever…
• Allows users to view debugging information, including full database details of application content.
• Also allows for PHP code execution!
66. Closing Thoughts…
• Do your research to better understand your organizational architecture, servers, applications, log data, etc.
• Pen Test your applications, don’t just scan…
• Update early and often!
• Embed security with development from the beginning.
• Download scripts to augment the penetration testing process of Drupal applications:
• https://github.com/gfoss/attacking-drupal/