This document discusses Drupal security best practices. It introduces the presenters and defines common security threats like cross-site scripting. It demonstrates how malicious javascript could hijack an admin account. Charts show the most common vulnerabilities and input formats are discussed as a way to control user input. The document stresses keeping software updated, using backups, and following secure development practices.

1. Drupal Security
Gábor Hojtsy & Ben Jeavons
24. aug 14:45
VPS.net
Tuesday, August 31, 2010

2. Who we are
• Gábor Hojtsy • Ben Jeavons
• Drupal 6 co-maintainer • Drupal Security Report
• Acquia • Growing Venture Solutions
• Security Team Member • Security Team Member
Tuesday, August 31, 2010

3. Web security
• Protecting resources from abuse
• Protecting data
• Protecting available actions
• Attackers exploit a weakness to do harm
Tuesday, August 31, 2010

4. Demo
• Malicious Javascript is entered
• Admin unknowingly executes
• Javascript alters admin-only settings
• Changes admin password
• Puts site offline
Tuesday, August 31, 2010

5. 66%
likeliness a website has
Cross Site Scripting
http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
Tuesday, August 31, 2010

6. Vulnerabilities by popularity
12%
7%
4%
3%
48%
10%
16%
XSS Access Bypass CSRF
Authentication/Session Arbitrary Code Execution SQL Injection
Others
http://drupalsecurityreport.org
Tuesday, August 31, 2010

7. Lots of risks
• Prioritize your actions
• Secure configuration
• Careful processes
• Keep code up-to-date
• Audit custom code
Tuesday, August 31, 2010

8. Smart configuration
• Control user input
• Input formats
• Trust
• Roles and permissions
Tuesday, August 31, 2010

9. Input formats
• Input formats control what happens when
user-supplied data is displayed
Tuesday, August 31, 2010

10. Input formats
• Filtered HTML for untrusted roles
• Full HTML for completely trusted roles
Tuesday, August 31, 2010

11. Filtered HTML
• HTML filter
• Limits the allowed tags
Tuesday, August 31, 2010

12. Unsafe HTML tags
• Script tags or any that allow JS events
• <script>
• Any that allow URL reference
• <img>
Tuesday, August 31, 2010

13. No image tags?!
• Image tags allow for CSRF attacks
• It’s a matter of trust
• Use CCK & imagefield
• Use control access to Full HTML
Tuesday, August 31, 2010

14. Trust
• Know your roles
• Which users have which roles
• How roles are granted
Tuesday, August 31, 2010

15. “Super-admin”
permissions
• Administer permissions
• Administer users
• Administer filters
• Administer content types
• Administer site configuration
Tuesday, August 31, 2010

16. Trust
• Utilize principle of Least Privilege
• Grant only the necessary permissions to
carry out the required work
Tuesday, August 31, 2010

17. Tuesday, August 31, 2010

18. Recovering from attack
• Restore from backup
• Upgrade to latest security releases
• Change your passwords
• Audit your configuration & custom code
Tuesday, August 31, 2010

19. Backups
• You do have backups, don’t you?
• phpMyAdmin > Export
• mysqldump on the command line
• Be sure to check they worked!
Tuesday, August 31, 2010

20. Open source is secure
• Source code is open for people to look at
• Popularity means eyes on code
• Collaboration increases code quality
Tuesday, August 31, 2010

21. Drupal is secure
• Drupal APIs are designed to be secure
• http://drupal.org/writing-secure-code
Tuesday, August 31, 2010

22. Drupal security team
• Team of volunteers
• Support core and all(!) of contrib
• Not actively reviewing all contrib projects
Tuesday, August 31, 2010

23. Security Advisories
• Only stable project releases
• SAs on Wednesdays
• New core release types
• Bug fix release / Security fix release
Tuesday, August 31, 2010

24. Stay up-to-date
• Know about security updates
• Security Advisories
• Update status module
• Mailing list, RSS, Twitter
• Apply them!
Tuesday, August 31, 2010

25. Security updates
• Most security updates are small
• But not always
• Apply updates to development instance
• Test, then apply to production
Tuesday, August 31, 2010

26. FTP
• Do not use it!
• Common vector for attack
• Really, we’ve moved past plain-text
Tuesday, August 31, 2010

27. SFTP
• “Secure” FTP
• Your host should provide it
• If not, consider a new one
Tuesday, August 31, 2010

28. SSL
• Run Drupal on full SSL
• Use securepages and
securepages_prevent_hijack modules
• http://crackingdrupal.com/blog/greggles/
drupal-and-ssl-multiple-recipes-possible-
solutions-https
• Use a valid certificate
Tuesday, August 31, 2010

29. Security Review
• http://drupal.org/project/security_review
• File system permissions
• Granted “super-admin” permissions
• Input formats
• Allowed upload extensions
• PHP & Javascript in content
Tuesday, August 31, 2010

30. • Security Advisories
• http://drupal.org/security
• Handbooks
• http://drupal.org/security/secure-configuration
• http://drupal.org/writing-secure-code
• Cracking Drupal Book
• http://crackingdrupal.com
• http://www.owasp.org/
Tuesday, August 31, 2010

31. http://cph2010.drupal.org/node/12628
Tuesday, August 31, 2010