Drupal Security: How to survive Drupalgeddon and prepare for future (European Drupal Days 2015)

© Ibuildings 2014/2015 - All rights reserved

#DrupalDaysEU

Drupal Security: How to survive Drupalgeddon and prepare for future

DRUPAL SECURITY: HOW TO SURVIVE DRUPALGEDDON AND PREPARE FOR FUTURE

Created by Kristian Polso / @kristian_polso

ABOUT ME

Kristian Polso

CTO at Vaiste Productions

Been working with Drupal since version 5

Earlier PHP background

@kristian_polso

ABOUT VAISTE PRODUCTIONS

Drupal solutions company

Based in Turku, Finland

Focus on more customized Drupal solutions & integrations

http://vaiste.com / @vaisteprod

PURPOSE OF THIS PRESENTATION

What Drupalgeddon was and what happened

How to prepare for similar vulnerabilities

Best practices

WHAT WAS DRUPALGEDDON?

A vulnerability found in Drupal 7's database abstraction API

Drupal Security Team was informed of it in September 2014

Update released on October 15 2014 (Drupal 7.32)

Biggest vulnerability in Drupal's history

Name given by Twitter (#drupalgeddon)

HOW DID DRUPALGEDDON WORK?

```php
// includes/database/database.inc (Drupal 7.31, excerpt of expandArguments())
foreach (array_filter($args, 'is_array') as $key => $data) {
  foreach ($data as $i => $value) {
    // $i becomes part of a placeholder name that is spliced into the SQL string
  }
}
```

$args are GET parameters from the user

$i are supposed to be keys, as in integers

SUPPOSED to be...

```html
<input type="text" name="email[email1]" value="email1@address.com">
<input type="text" name="email[email2]" value="email2@address.com">
```

```php
$_POST = array(
  'email' => array(
    'email1' => 'email1@address.com',
    'email2' => 'email2@address.com',
  ),
);
```

```html
<input type="text" name="email[email1]" value="email1@address.com">
<input type="text" name="email[0;UPDATE node SET title='uh-oh'; --]" value="email2@address.com">
```
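To make the mechanism above concrete, here is an added example written for this page; it is neither the slides' own code nor Drupal's actual source. It is a simplified re-creation of the placeholder expansion that DatabaseConnection::expandArguments() in includes/database/database.inc performs, once in its pre-7.32 shape and once with the change Drupal 7.32 shipped (iterating over array_values($data), which discards the client-supplied keys). The function names, the sample query and the has_only_known_placeholders() check are this example's own; the malformed array key is the one shown on the slide.

```php
<?php
// Added example: simplified re-creation of expandArguments() from
// includes/database/database.inc. Function names and sample data are this
// example's own; they are not Drupal's actual API.

// Shared expansion step. $use_array_values selects between the pre-7.32
// loop (keys taken from the request) and the 7.32 fix (keys renumbered).
function expand_arguments($query, array $args, $use_array_values) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    $items = $use_array_values ? array_values($data) : $data;
    foreach ($items as $i => $value) {
      // Pre-7.32: $i is whatever key the client sent, e.g. "0;UPDATE ...".
      // 7.32:     $i is always 0, 1, 2, ... because array_values() renumbered it.
      $new_keys[$key . '_' . $i] = $value;
    }
    // The placeholder names are textually spliced into the SQL here.
    $query = preg_replace('#' . preg_quote($key, '#') . '\b#',
                          implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

function expand_arguments_vulnerable($query, array $args) {
  return expand_arguments($query, $args, FALSE);
}

function expand_arguments_fixed($query, array $args) {
  return expand_arguments($query, $args, TRUE);
}

// Defender-side sanity check: after expansion every ":name" token in the
// SQL must be a key of $args, and the text must still be a single statement.
function has_only_known_placeholders($query, array $args) {
  preg_match_all('/:\w+/', $query, $matches);
  foreach ($matches[0] as $placeholder) {
    if (!array_key_exists($placeholder, $args)) {
      return FALSE;
    }
  }
  return strpos($query, ';') === FALSE;
}

// Constructed inputs: one well-formed IN (...) list and one carrying the
// array key from the slide's second <input>.
$template  = 'SELECT uid FROM {users} WHERE name IN (:name)';
$benign    = array(':name' => array('alice', 'bob'));
$malformed = array(':name' => array("0;UPDATE node SET title='uh-oh'; --" => 'x'));

foreach (array('vulnerable' => 'expand_arguments_vulnerable',
               'fixed'      => 'expand_arguments_fixed') as $label => $fn) {
  foreach (array('benign' => $benign, 'malformed' => $malformed) as $kind => $args) {
    list($sql, $bound) = $fn($template, $args);
    printf("%-10s %-9s ok=%s  %s\n", $label, $kind,
           has_only_known_placeholders($sql, $bound) ? 'yes' : 'NO', $sql);
  }
}
```

Run it with `php expand_example.php`. The "vulnerable / malformed" line is the only one reporting ok=NO: the client's key is copied verbatim into the query text, so the placeholder ":name_0" the check finds is not a bound argument at all. With array_values() the same input produces ":name_0" on both sides, and the SQL text never contains anything the client typed.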

ANY ANONYMOUS USER CAN GET ACCESS TO YOUR SITE'S DATABASE

GO UPDATE YOUR DRUPAL SITE NOW

SERIOUSLY, NOW

THE AFTERMATH

BBC: "Up to 12 million websites may have been compromised"

Some hosting partners were really quick to patch

Drupal Security Team was super useful

CRAWLING THE TOP 15,000 DRUPAL WEBSITES

goo.gl/NPr20o (polso.info)

Done in November 2014

IF YOU GOT HACKED

Recover from backups

drupal.org/project/drupalgeddon

HOW TO BE SAFE FROM SECURITY VULNERABILITIES

Keep Drupal core & modules updated

Use managed hosting platforms (Acquia, Platform.sh, Pantheon)

Write secure code (drupal.org/writing-secure-code)

BEST PRACTICES

PERMISSIONS

Are all roles necessary?

Auto-grants

Review manually

XSS

Text formats

Adding nodes (titles, body)

AUTHENTICATION

Weak passwords

Autologout (d.o/project/autologout)

SSL

COMMON SECURITY MISCONFIGURATIONS

Admin password? "admin"

Never use PHP input

Avoid FTP, use SFTP/SCP

VERSIONING

Try not to use dev versions in production

Thoroughly test

CUSTOM CODE

OPEN SOURCE IS AWESOME

Modules can have hundreds of users

Easy issue tracking

COMMON PITFALLS IN CUSTOM CODE

Not properly checking permissions

You don't notice your own mistakes
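As an added example that is not from the slides and not an official Drupal snippet, the following minimal Drupal 7 module shows the habits that drupal.org/writing-secure-code recommends and that the pitfalls above describe: a declared permission, an access callback, an entity-level node_access() check, placeholder-bound SQL and escaped output. It assumes the Drupal 7 API (hook_permission(), hook_menu(), user_access(), node_access(), node_load(), db_query(), t(), format_plural()) and therefore runs inside a Drupal 7 site, not stand-alone; the module name secure_example and the permission name "view secure example" are this example's own.

```php
<?php
// Added example (not from the slides): a minimal Drupal 7 module written to
// show the permission, query and output-escaping checks custom code often
// skips. Assumes the Drupal 7 API; "secure_example" and the permission
// "view secure example" are this example's own names.

/**
 * Implements hook_permission().
 *
 * Declare a dedicated permission rather than reusing a broad one; reviewers
 * can then see exactly which roles get this page (cf. "Review manually").
 */
function secure_example_permission() {
  return array(
    'view secure example' => array(
      'title' => t('View the secure example page'),
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * The access callback runs before the page callback, so anonymous users never
 * reach the code that talks to the database.
 */
function secure_example_menu() {
  $items = array();
  $items['secure-example/%'] = array(
    'title' => 'Secure example',
    'page callback' => 'secure_example_page',
    'page arguments' => array(1),
    'access callback' => 'user_access',
    'access arguments' => array('view secure example'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback for secure-example/%.
 *
 * Pitfall 1 (permissions): the menu check is repeated here and combined with
 * node_access(), because the callback may be reached through other code paths
 * and a role allowed to see the page is not automatically allowed to see the
 * node.
 * Pitfall 2 (SQL): user input reaches the query only as a bound scalar
 * placeholder value, never as SQL text and never as array keys.
 * Pitfall 3 (XSS): nothing read from the database is rendered unescaped.
 */
function secure_example_page($nid) {
  if (!user_access('view secure example')) {
    return MENU_ACCESS_DENIED;
  }
  // Validate the argument's shape before using it anywhere.
  if (!ctype_digit((string) $nid)) {
    return MENU_NOT_FOUND;
  }
  $node = node_load((int) $nid);
  if (!$node || !node_access('view', $node)) {
    // Same response for "missing" and "forbidden": no enumeration hint.
    return MENU_NOT_FOUND;
  }
  // Placeholders are bound by the database layer; both values are scalars.
  $count = (int) db_query(
    'SELECT COUNT(*) FROM {comment} WHERE nid = :nid AND status = :status',
    array(':nid' => $node->nid, ':status' => COMMENT_PUBLISHED)
  )->fetchField();

  // t() with "@" placeholders runs check_plain() on the inserted values, so a
  // title such as <script>... is shown as text, not executed.
  $output  = '<h2>' . t('Node: @title', array('@title' => $node->title)) . '</h2>';
  $output .= '<p>' . format_plural($count, '1 published comment', '@count published comments') . '</p>';
  return $output;
}
```

Place the two functions in secure_example.module with a matching secure_example.info, enable the module, grant the new permission to the roles that need it, and visit secure-example/NID. Reviewing custom code against this checklist (who may reach the callback, what the input can be, how it reaches SQL, how it reaches HTML) is the practical form of "review your custom code".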

CONCLUSION

Update your modules

Try not to use dev versions in production

Review your custom code

THANK YOU

Kristian Polso

@kristian_polso
