Introduction to Drupal security. These slides are based on a presentation I did at Drupal Camp Dallas 2011.

1. Intro into
Drupal Security
@CashWilliams
http://CashWilliams.com

2. What is Security

3. What is Security
• Protecting website data

4. What is Security
• Protecting website data
• Protecting from unauthorized access

5. What is Security
• Protecting website data
• Protecting from unauthorized access
• Protecting from modification

6. What is Security
• Protecting website data
• Protecting from unauthorized access
• Protecting from modification
• Protecting from destruction

7. What is Security
• Protecting website data
• Protecting from unauthorized access
• Protecting from modification
• Protecting from destruction
• Maintaining access to the data

8. Attack Vectors

9. Attack Vectors
• Drupal Vulnerabilities

10. Attack Vectors
• Drupal Vulnerabilities
• XSS

11. Attack Vectors
• Drupal Vulnerabilities
• XSS
• Access Bypass

12. Attack Vectors
• Drupal Vulnerabilities
• XSS
• Access Bypass
• CSRF

13. Attack Vectors
• Drupal Vulnerabilities
• XSS
• Access Bypass
• CSRF
• SQL Injection

14. Other Attack Vectors

15. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)

16. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System

17. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server

18. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP

19. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP
• MySQL

20. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP
• MySQL
• Javascript (Theme, WYSIWYG, etc...)

21. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP
• MySQL
• Javascript (Theme, WYSIWYG, etc...)
• Authentication (Facebook, OpenID...)

22. Keep Up to Date
• How to stay informed (Drupal)
• Signup for emails from Security Team
• RSS Feed
• Twitter
• Update Status module - with email
setting

23. Security announcements
from Drupal.org

24. RSS Feeds from
Drupal.org
• http://drupal.org/node/406142
• http://drupal.org/security/rss.xml
• http://drupal.org/security/contrib/
rss.xml
• http://drupal.org/security/psa/rss.xml

25. Drupal Security from
Twitter

26. Update Status Module
• Enable the ‘Update status’ module from
the modules page
/admin/build/modules

27. Update Status Module
• Adjust the settings at
/admin/reports/updates/settings

28. Database Users

29. Database Users
• Use different database users for each site
you run

30. Database Users
• Use different database users for each site
you run
• Only give needed permissions on proper
database

31. Database Users
• Use different database users for each site
you run
• Only give needed permissions on proper
database
• Limit hosts a user can connect from
(‘username’@‘localhost’)

32. Database Users
• Use different database users for each site
you run
• Only give needed permissions on proper
database
• Limit hosts a user can connect from
(‘username’@‘localhost’)
• Don’t use root!

33. HTTPS

34. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks

35. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks
• Secure Pages module

36. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks
• Secure Pages module
• OR .htaccess rule to redirect all traffic

37. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks
• Secure Pages module
• OR .htaccess rule to redirect all traffic
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
php_value session.cookie_secure 1

38. Security Modules

39. Security Modules
• securepages &
securepages_prevent_hijack

40. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy

41. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review

42. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review
• salt (Drupal 6 only)

43. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review
• salt (Drupal 6 only)
• login_security (Drupal 6 only)

44. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review
• salt (Drupal 6 only)
• login_security (Drupal 6 only)
• paranoia

45. Secure Pages & Secure
Pages Prevent Hijack
• http://drupal.org/project/securepages
• http://drupal.org/project/
securepages_prevent_hijack (Drupal 6
only)
• Redirects selected pages to use SSL
• Protects a few common pages by default
• Drupal 6 needs session hijack prevention

46. Password Policy
• http://drupal.org/project/
password_policy
• Allows site builders to define a password
complexity level for users
• Also implements a password expiration
feature

47. Security Review
• http://drupal.org/project/
security_review
• Checklist for site security integrated into
your site
• Still relies on you to do the manual work

48. Salt
• http://drupal.org/project/salt
• Adds ‘salt’ to passwords stored in the
database
• Helps fight against dictionary attacks on
password dump
• Not needed for Drupal 7

49. Paranoia
• http://drupal.org/project/paranoia
• Disables granting of the "use PHP for
block visibility" permission
• Disables creation of input formats that
use the PHP filter
• Disables editing the user #1 account
• Disables disabling itself

50. Login Security

51. Login Security
• http://drupal.org/project/login_security
• Drupal 6 only (Built in to Drupal 7 core)
• Limit the number of invalid login
attempts
• Can lock user accounts based on login
failures

52. Input Formats/Filters

53. Input Formats/Filters
• Default Input filter = EVERYONE has
access
• Better Formats module (Only needed for
Drupal 6)
• Some type of filtered input should be
default

54. Input Formats/Filters

55. Input Formats/Filters
• Use HTML filter
• Configure allowed tags
• Dangerous - SCRIPT, IMG, IFRAME, EMBED,
OBJECT, INPUT, LINK, STYLE, META, FRAMESET,
DIV, BASE, TABLE, TR, TD
• WYSIWYG editors - Don’t allow all tags

56. Input Formats/Filters
• PHP Filter module (comes in core)
• Don’t use it!
• Some recommend removing the module
from the code base
• If you do use it, make sure you know who
has access

57. File Uploads
• Don’t allow unsafe uploads
• Both core file uploads and fields/cck files

58. Protect Drupal from
Outside

59. Protect Drupal from
Outside
• Use a firewall to deny access

60. Protect Drupal from
Outside
• Use a firewall to deny access
• Deny access at the web server

61. Protect Drupal from
Outside
• Use a firewall to deny access
• Deny access at the web server
<LocationMatch "/(user|login|admin)/">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
#Example Network 1
Allow from 165.91.200.0/255.255.252.0
...
</LocationMatch>

62. Other Gotchas

63. Other Gotchas
• Settings.php
• ONLY web server needs read access to this
file
• Should not be writable

64. Other Gotchas
• Settings.php
• ONLY web server needs read access to this
file
• Should not be writable
• Leaving a sql dump in a web accessible folder

65. Other Gotchas
• Settings.php
• ONLY web server needs read access to this
file
• Should not be writable
• Leaving a sql dump in a web accessible folder
• Don’t e-mail passwords
• !password token

66. Security Reviews

67. Security Reviews
• Custom Security Review
• https://www.acquia.com/products-
services/acquia-professional-services/
service-offerings