Securing Your Drupal Site

Advice for site builders and coders

Presented by

These slides: http://cardcorp.github.io/drupal-security-intro/

@greggles Knaddison

CARD.com logo

Michael Hess

Michigan Logo
  • Contributed to Drupal for 6+ years
  • Hosts 900 sites at the University of Michigan
  • Works on large scale health care projects.
  • Teaches 3 classes on Content management platforms

Lots of things to cover

Think of this presentation as an overview.

Common Web Vulnerabilities

From Open Web Application Security Project

  1. Injection such as SQL, OS, and LDAP injection.
  2. Broken Authentication and Session Management.
  3. Cross-Site Scripting (XSS).
  4. Insecure Direct Object References.
  5. Security Misconfiguration.
  6. Sensitive Data Exposure.
  7. Missing Function Level Access Control (access bypass).
  8. Cross-Site Request Forgery.
  9. Using Components with Known Vulnerabilities.
  10. Unvalidated Redirects and Forwards.

What are the most common Drupal contrib issues?

Vulnerabilities by type all time

What are the most common issues?

Vulnerabilities by type

Why

The FBI notes that cyber attacks are eclipsing terrorism as the primary threat facing the US.

75% of small and medium business surveyed reported cyber attacks.

A single breach in 2010 reported 38 terabytes of data stolen. That is 2X the size of the Library of Congress.

Everyone gets hacked...

so it must be trendy.

Stories for context

All details have been changed....

The Tale of the Red Ribbon Hacker

Our first tale is about a little online shoe store run by a kind woman named Myrtle.

From her little online store, she mails shoes around the world, and each shoe box comes tied up in a red ribbon like a box of candy.

Background

Myrtle’s Shoe Store website first launched on Nov. 15, 2012.

The site receives about 3,000 orders per month — that’s a lot of ribbons!

On March 11th, 2013...

Myrtle noticed that the shoe store was not receiving any money into its account.

She went online and placed an order. All seemed to work as it should.

Myrtle was so confused, Where was all the money?

What happened

The shoe store’s payment gateway URL configuration was not pointing to its payment gateway.

There was a POST request on the page to change this URL by someone at the company's IP address.

Someone had used a security vulnerability in Ubercart and added Javascript into a field.

Normally the Javascript would be escaped, but since the site was not patched for SA-CONTRIB-2013-020 - Ubercart - Cross site scripting (XSS), the Javascript executed!

Precautions against XSS

Filtering text

Third Story

Our second tale is about Harpers' LLC, a small web development company in upstate New York based out of a stately old house.

Harpers had just started work on a new site two days before. The site was provisioned at a brand-new domain. It was in maintenance mode.

Despite all this, the site was hacked. But how?

How It Began…

On the third day of developing the site, Jeremy, the content manager, was going to set up the content types.

He stopped in horror. The site had viagra spam all over the front page.

Jeremy was not happy.

Call for help

Jeremy called Jean, in-house IT person, who began looking at logs to see how an up-to-date Drupal site got compromised.

On a gray and windy day at the old Harpers’ house, Jean pulled the access logs for the site.

Jean had no idea what had happened, so she restored a backup.

2 days latter, it happened again

What happened?

By default Apache on most OS's will run as a single user.

That user has access to READ all the files for all sites on the system.

Someone had compromised another site on the server.

Server Configuration

Too big to cover well today.

Lots of resources and consultants.

Drupal specific hosting

  • Can your hosting provider help you improve your security process?
  • Drupal Hosts
  • Tuned for Drupal security (and performance)
  • Code, DB, uploaded files, config
  • Managed security updates

Brushing your teeth is a best practice.

Security is a process

  • Ongoing maintenance
  • Budget for security
  • Managed hosting

Know Your Risk Level

Blog vs. complex site. Your blog is likely to be compromised to send spam or to act in part of a bot net.

Your complex site might be compromised for the data it has.

Security is a balance.

Is your site a target?

Know your regulations

  • PCI, HIPAA, SCADA, XYZ, PDQ
  • Be aware of your regulations
  • Drupal PCI Compliance Report
  • Anyone work in HIPAA environment?
  • FedRAMP/FISMA Certification & Accreditation (C&A)?
  • Anyone work with Drupal in SCADA?

Security process

Follow the Drupal Security Team

  • On Twitter (twitter.com/drupalsecurity)
  • Via email (on your drupal.org user edit page under newsletters)
  • Via Web (drupal.org/security and drupal.org/security/contrib)

If you find a security issue...

Or think you find a security issue...

  1. Please use the "Report a security vulnerability" link on all project pages
  2. Or...via email security@drupal.org

Keep Your Site Updated

Always make sure you update after a security release comes out.

General places for mistakes

  • Passwords, sessions
  • Roles and permissions
  • Keep your site settings secure
  • Permissions - Double check
  • Text formats - XSS, PHP
  • PHP module
  • PHP execution in other modules

Modules enhancing security

  1. Security Review (https://drupal.org/project/security_review)
  2. Paranoia (https://drupal.org/project/paranoia)
  3. Newcomer: Password Strength (https://www.drupal.org/project/password_strength) - zxcvbn-based
  4. Two Factor Authentication (https://drupal.org/project/tfa)
  5. Permissions Lock (https://drupal.org/project/permissions_lock)
  6. Hacked! (https://drupal.org/project/hacked)
  7. Password policy (https://drupal.org/project/password_policy)
  8. XSS Tester (https://www.drupal.org/sandbox/matthew.donadio/2319347)
  9. Coder (https://www.drupal.org/project/coder)

Book focused on Security in Drupal

Cracking Drupal Book Cover

Questions

References

DGD7 cover