SlideShare a Scribd company logo
DRUPAL SECURITY
HOW TO SURVIVE DRUPAGEDDON AND
PREPARE FOR FUTURE
Created by Kristian Polso / @kristian_polso
ABOUT ME
Kristian Polso
CTO at Vaiste Productions
Been working with Drupal since version 5
Earlier PHP background
@kristian_polso
ABOUT VAISTE PRODUCTIONS
Drupal solutions company
Based in Turku, Finland
Focus on more customized Drupal
solutions & integrations
http://vaiste.com / @vaisteprod
PURPOSE OF THIS PRESENTATION
What was Drupageddon and what happened
How to prepare for similar vulnerabilities
Best practices
WHAT WAS DRUPAGEDDON?
A vulnerability found in Drupal 7's database abstraction API
Drupal Security Team was informed of it in September 2014
Update released on October 15 2014 (Drupal 7.32)
Biggest vulnerability in Drupal's history
Name given by twitter (#drupageddon)
HOW DID DRUPAGEDDON WORK?
// includes/database/database.inc
foreach (array_filter($args, 'is_array') as $key => $data) {
  foreach ($data as $i => $value) {
$args are GET parameters from the user
$i are supposed to be keys, as in integers
SUPPOSED to be...
<input type="text" name="email[email1]" value="email1@address.com">
<input type="text" name="email[email2]" value="email2@address.com">
$_POST = array(
    'email' => array(
        'email1' => 'email1@address.com',
        'email2' => 'email2@address.com', 
    )
);
<input type="text" name="email[email1]" value="email1@address.com">
<input type="text" name="email[0;UPDATE node SET title='uh­oh'; ­­]" value="email2@address.com">
ANY ANONYMOUS USER CAN GET ACCESS TO YOUR SITE'S
DATABASE
GO UPDATE YOUR DRUPAL SITE
NOW
SERIOUSLY, NOW
THE AFTERMATH
BBC: "Up to 12 million websites may have been
compromised"
Some hosting partners were really quick to patch
Drupal Security Team was super useful
CRAWLING THE TOP 15,000 DRUPAL
WEBSITES
goo.gl/NPr20o (polso.info)
Done in November 2014
IF YOU GOT HACKED
Recover from backups
drupal.org/project/drupalgeddon
HOW TO BE SAFE FROM SECURITY
VULNERABILITIES
Keep Drupal core & modules updated
Use managed hosting platforms (Acquia, Platform.sh,
Pantheon)
Writing secure code (drupal.org/writing-secure-code)
BEST PRACTICES
PERMISSIONS
Are all roles necessary?
Auto-grants
Review manually
XSS
Text formats
Adding nodes (titles, body)
AUTHENTICATION
Weak passwords
Autologout (d.o/project/autologout)
SSL
COMMON SECURITY
MISCONFIGURATIONS
Admin password? "admin"
Never use PHP input
Avoid FTP, use SFTP/SCP
VERSIONING
Try not to use dev versions in production
Thoroughly test
CUSTOM CODE
OPEN SOURCE IS AWESOME
Modules can have hundreds users
Easy issue tracking
COMMON PITFALLS IN CUSTOM
CODE
Not properly checking permissions
You don't notice your own mistakes
CONCLUSION
Update your modules
Try not to use dev versions in production
Review your custom code
THANK YOU
Kristian Polso
@kristian_polso

More Related Content

Similar to Drupal Security: How to survive Drupalgeddon and prepare for future

Drupal 8 and iOS - an Open Source App
Drupal 8 and iOS - an Open Source AppDrupal 8 and iOS - an Open Source App
Drupal 8 and iOS - an Open Source App
littleMAS
 
Boost your theming skills - Artem Shymko
Boost your theming skills - Artem ShymkoBoost your theming skills - Artem Shymko
Boost your theming skills - Artem Shymko
DrupalCampDN
 
Boost your theming skills
Boost your theming skillsBoost your theming skills
Boost your theming skills
Artem Shymko
 
Hadoop installation, Configuration, and Mapreduce program
Hadoop installation, Configuration, and Mapreduce programHadoop installation, Configuration, and Mapreduce program
Hadoop installation, Configuration, and Mapreduce program
Praveen Kumar Donta
 
OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...
OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...
OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...
eNovance
 
Drupal for beginners - Global Training Days - Cebu 2016
Drupal for beginners - Global Training Days - Cebu 2016Drupal for beginners - Global Training Days - Cebu 2016
Drupal for beginners - Global Training Days - Cebu 2016
Luc Bézier
 
Dev to Delivery with Puppet - PuppetConf 2014
Dev to Delivery with Puppet - PuppetConf 2014Dev to Delivery with Puppet - PuppetConf 2014
Dev to Delivery with Puppet - PuppetConf 2014
Puppet
 
Android | Busy Java Developers Guide to Android: Persistence | Ted Neward
Android | Busy Java Developers Guide to Android: Persistence | Ted NewardAndroid | Busy Java Developers Guide to Android: Persistence | Ted Neward
Android | Busy Java Developers Guide to Android: Persistence | Ted Neward
JAX London
 
EdTechJoker Spring 2020 - Lecture 7 Drupal intro
EdTechJoker Spring 2020 - Lecture 7 Drupal introEdTechJoker Spring 2020 - Lecture 7 Drupal intro
EdTechJoker Spring 2020 - Lecture 7 Drupal intro
Bryan Ollendyke
 
Welcome aboard the team
Welcome aboard the teamWelcome aboard the team
Welcome aboard the team
Roberto Peruzzo
 
Aegir with drupal
Aegir with drupalAegir with drupal
Aegir with drupal
jimyhuang
 
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Balázs Tatár
 
Drupal Devministration
Drupal DevministrationDrupal Devministration
Drupal Devministration
Darren Mothersele
 
Drupal
DrupalDrupal
Drupal
btopro
 
First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017
gmaran23
 
Power your mobile app with Drupal - Melbourne Mobile, July 2013
Power your mobile app with Drupal - Melbourne Mobile, July 2013Power your mobile app with Drupal - Melbourne Mobile, July 2013
Power your mobile app with Drupal - Melbourne Mobile, July 2013
Chris Ward
 
Building Your Own Drupal Distribution
Building Your Own Drupal DistributionBuilding Your Own Drupal Distribution
Building Your Own Drupal Distribution
Aniket Maithani
 
Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...
Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...
Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...
Ashok Royal
 
Spark with Azure HDInsight - Tampa Bay Data Science - Adnan Masood, PhD
Spark with Azure HDInsight  - Tampa Bay Data Science - Adnan Masood, PhDSpark with Azure HDInsight  - Tampa Bay Data Science - Adnan Masood, PhD
Spark with Azure HDInsight - Tampa Bay Data Science - Adnan Masood, PhD
Adnan Masood
 
Optimize Site Deployments with Drush (DrupalCamp WNY 2011)
Optimize Site Deployments with Drush (DrupalCamp WNY 2011)Optimize Site Deployments with Drush (DrupalCamp WNY 2011)
Optimize Site Deployments with Drush (DrupalCamp WNY 2011)
Jon Peck
 

Similar to Drupal Security: How to survive Drupalgeddon and prepare for future (20)

Drupal 8 and iOS - an Open Source App
Drupal 8 and iOS - an Open Source AppDrupal 8 and iOS - an Open Source App
Drupal 8 and iOS - an Open Source App
 
Boost your theming skills - Artem Shymko
Boost your theming skills - Artem ShymkoBoost your theming skills - Artem Shymko
Boost your theming skills - Artem Shymko
 
Boost your theming skills
Boost your theming skillsBoost your theming skills
Boost your theming skills
 
Hadoop installation, Configuration, and Mapreduce program
Hadoop installation, Configuration, and Mapreduce programHadoop installation, Configuration, and Mapreduce program
Hadoop installation, Configuration, and Mapreduce program
 
OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...
OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...
OpenStack in Action 4! Julien Niedergang - SUSE Cloud: Openstack Ready for En...
 
Drupal for beginners - Global Training Days - Cebu 2016
Drupal for beginners - Global Training Days - Cebu 2016Drupal for beginners - Global Training Days - Cebu 2016
Drupal for beginners - Global Training Days - Cebu 2016
 
Dev to Delivery with Puppet - PuppetConf 2014
Dev to Delivery with Puppet - PuppetConf 2014Dev to Delivery with Puppet - PuppetConf 2014
Dev to Delivery with Puppet - PuppetConf 2014
 
Android | Busy Java Developers Guide to Android: Persistence | Ted Neward
Android | Busy Java Developers Guide to Android: Persistence | Ted NewardAndroid | Busy Java Developers Guide to Android: Persistence | Ted Neward
Android | Busy Java Developers Guide to Android: Persistence | Ted Neward
 
EdTechJoker Spring 2020 - Lecture 7 Drupal intro
EdTechJoker Spring 2020 - Lecture 7 Drupal introEdTechJoker Spring 2020 - Lecture 7 Drupal intro
EdTechJoker Spring 2020 - Lecture 7 Drupal intro
 
Welcome aboard the team
Welcome aboard the teamWelcome aboard the team
Welcome aboard the team
 
Aegir with drupal
Aegir with drupalAegir with drupal
Aegir with drupal
 
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
 
Drupal Devministration
Drupal DevministrationDrupal Devministration
Drupal Devministration
 
Drupal
DrupalDrupal
Drupal
 
First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017
 
Power your mobile app with Drupal - Melbourne Mobile, July 2013
Power your mobile app with Drupal - Melbourne Mobile, July 2013Power your mobile app with Drupal - Melbourne Mobile, July 2013
Power your mobile app with Drupal - Melbourne Mobile, July 2013
 
Building Your Own Drupal Distribution
Building Your Own Drupal DistributionBuilding Your Own Drupal Distribution
Building Your Own Drupal Distribution
 
Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...
Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...
Detailed presentation on big data hadoop +Hadoop Project Near Duplicate Detec...
 
Spark with Azure HDInsight - Tampa Bay Data Science - Adnan Masood, PhD
Spark with Azure HDInsight  - Tampa Bay Data Science - Adnan Masood, PhDSpark with Azure HDInsight  - Tampa Bay Data Science - Adnan Masood, PhD
Spark with Azure HDInsight - Tampa Bay Data Science - Adnan Masood, PhD
 
Optimize Site Deployments with Drush (DrupalCamp WNY 2011)
Optimize Site Deployments with Drush (DrupalCamp WNY 2011)Optimize Site Deployments with Drush (DrupalCamp WNY 2011)
Optimize Site Deployments with Drush (DrupalCamp WNY 2011)
 

Recently uploaded

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 

Recently uploaded (12)

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 

Drupal Security: How to survive Drupalgeddon and prepare for future