Drupal and Security
What you need to know
Stephane Corlosquet
29th September 2015
Stéphane "scor" Corlosquet
9+ years with Drupal
Drupal Security Team member
RDF in core + contrib
Definitive Guide to Drupal 7
We're hiring
Lots of things to cover
Server environment
Server config
Personal practices
Drupal Configuration
Code
A disaster foretold — and ignored
General tips
Use HTTPS, SSH, SFTP
Strong password policy
Server – LAMP stack
Require SSH keys
Take & verify your backups
Sanitize backups for sharing
Secure site configuration
Keep your site settings secure
Text formats
PHP module
PHP in other modules
Roles and permissions
Secure site configuration
File permissions: web server user forbidden to change code
PHP execution: restrict in .htaccess or Nginx config
Drupal handbook for securing your site
Drupal specific hosting
Can your hosting provider help you improve your security process?
Tuned for Drupal security (and performance)
Code, DB, uploaded files, config
Managed security updates
Acquia Cloud Insight
Acquia Remote administration
Modules enhancing security
Secure Login
Paranoia
Security Review
Permissions Lock
Hacked!
Password Policy
Password Strength
Two Factor Authentication
PCI, HIPAA, SOC1, SOC2, SCADA
Be aware of the regulations in your environment
Anyone work in HIPAA environment?
FedRAMP/FISMA Certification & Accreditation (C&A)?
Anyone work with Drupal in SCADA environment?
Drupal PCI Compliance Report
Security process
Ongoing maintenance
Budget for security
Managed hosting
Drupal.org packaging infrastructure
Security process
Keep Drupal code secure in core and contrib
Educate the community on security best practices
Developers
Site builders
Site administrators and users
Decision makers
for every security release
Drupal Security Team
Security Advisory
Security process
https://www.acquia.com/blog/keeping-drupal-secure
What are the most common issues?
What is XSS?
Cross Site Scripting
Code in the browser
Making requests
Parsing responses
Javascript, Flash, Java, etc.
Testing for XSS
<script>alert('title');</script>
<img src="a" onerror="alert('title');">
Catches 90%
Fixing XSS?
Filter text
On output to browser
As late as reasonable
Some API filters where reasonable
t() and @text and %text placeholders
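An added example (not from the slides) of the "filter on output, as late as reasonable" rule in Drupal 7: the unsafe concatenation beside its fixed form using t() placeholders, plus filter_xss() for the case where some markup must survive. It assumes a Drupal 7 bootstrap and a hypothetical module named "example".

```php
<?php
// Added example; assumes a Drupal 7 bootstrap and a hypothetical 'example' module.

// Vulnerable: request data concatenated straight into markup, so a value
// like <img src="a" onerror="alert('title');"> is rendered as HTML and runs.
function example_search_title_unsafe($keys) {
  return '<h2>Results for ' . $keys . '</h2>';
}

// Fixed: escape on output, as late as reasonable. t() runs @text placeholders
// through check_plain(); %text is check_plain() wrapped in <em>.
function example_search_title_safe($keys) {
  return '<h2>' . t('Results for %keys', array('%keys' => $keys)) . '</h2>';
}

// When some markup must be allowed (a user bio, say), whitelist tags with
// filter_xss() rather than trusting the stored string; it also strips
// javascript: URIs from the surviving href attributes.
function example_render_bio($bio) {
  return '<div class="bio">' . filter_xss($bio, array('p', 'em', 'strong', 'a')) . '</div>';
}

/**
 * Implements hook_block_view(): the sanitizing happens here, on output,
 * not when the value was stored or read from the request.
 */
function example_block_view($delta = '') {
  $block = array();
  if ($delta == 'search_title') {
    // Constructed input: a search string taken from the query string.
    $keys = isset($_GET['keys']) ? $_GET['keys'] : '';
    $block['subject'] = t('Search');
    $block['content'] = example_search_title_safe($keys);
  }
  return $block;
}
```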
Precautions against XSS
What is Access Bypass?
User can see or do something
That permissions/access should prevent
Where do we enforce it?
Menu 'access callback'
if (user_access('see something')) { /* ... */ }
Node access system
Entity access
Field access
Services & Ajax APIs?
In templates
Testing for Access Bypass
Visit node/nid etc.
Visit anything/%node
Use Behat
Fixing Access Bypass?
user_access for permissions
node_access
entity_access
$query->addTag('node_access');
menu definitions
write automated tests
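An added example (not from the slides) that wires together the Drupal 7 layers listed above: a menu 'access callback' combining user_access() and node_access(), and a db_select() carrying the 'node_access' tag. It assumes a Drupal 7 bootstrap, a hypothetical module named "example" and a hypothetical 'view reports' permission.

```php
<?php
// Added example; assumes a Drupal 7 bootstrap and a hypothetical 'example' module.

/**
 * Implements hook_menu(). Access is decided by the router entry, not inside
 * the page callback or the template.
 */
function example_menu() {
  $items = array();
  $items['node/%node/report'] = array(
    'title' => 'Report',
    'page callback' => 'example_report_page',
    'page arguments' => array(1),
    'access callback' => 'example_report_access',
    'access arguments' => array(1),
  );
  return $items;
}

// Menu access callback: the permission alone is not enough; the user must
// also be allowed to view this particular node (node_access() honours
// hook_node_access() implementations and node grants).
function example_report_access($node) {
  return user_access('view reports') && node_access('view', $node);
}

// Page callback: lists nodes of the same type. The 'node_access' tag lets
// the node access system append its grant conditions to the query, so the
// listing respects the same grants node_access() would, instead of
// returning every row in {node}.
function example_report_page($node) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', $node->type)
    ->addTag('node_access');
  $items = array();
  foreach ($query->execute() as $row) {
    // l() runs check_plain() on the link text unless 'html' => TRUE is passed.
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return theme('item_list', array('items' => $items));
}
```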
What is CSRF?
path that does not confirm intent
<img src="http://example.com/node/1/quickdelete">
Testing for CSRF
$_GET, $_POST, no use of drupal_get_token()
"verb" menu callbacks without token
Fixing CSRF?
Use Form API: confirmation forms
Send and validate tokens
Protect Against CSRF webinar with greggles
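An added example (not from the slides) of both fixes for a state-changing path like the node/1/quickdelete one above, in Drupal 7: a Form API confirmation form, and a link whose token is issued by drupal_get_token() and checked by drupal_valid_token(). It assumes a Drupal 7 bootstrap and a hypothetical module named "example".

```php
<?php
// Added example; assumes a Drupal 7 bootstrap and a hypothetical 'example' module.
/** Implements hook_menu(). */
function example_menu() {
  $items = array();
  // Fix 1: a confirmation form. Form API adds a per-session form token,
  // so neither a forged GET nor a cross-site POST can submit it.
  $items['node/%node/delete-confirm'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_delete_confirm_form', 1),
    'access callback' => 'node_access',
    'access arguments' => array('delete', 1),
  );
  // Fix 2: keep the one-click path, but require a session-bound token.
  $items['node/%node/quickdelete'] = array(
    'page callback' => 'example_quickdelete',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('delete', 1),
  );
  return $items;
}

function example_delete_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form($form, t('Delete %title?', array('%title' => $node->title)),
    'node/' . $node->nid, t('This action cannot be undone.'), t('Delete'));
}

function example_delete_confirm_form_submit($form, &$form_state) {
  node_delete($form_state['values']['nid']);
  $form_state['redirect'] = '<front>';
}

// drupal_get_token() derives the token from the session ID and the path, so
// a link copied into another site is useless to any other visitor.
function example_quickdelete_link($node) {
  $path = 'node/' . $node->nid . '/quickdelete';
  return l(t('Delete now'), $path, array('query' => array('token' => drupal_get_token($path))));
}

function example_quickdelete($node) {
  $path = 'node/' . $node->nid . '/quickdelete';
  // Reject a missing token, or one minted for another session or path.
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  node_delete($node->nid);
  drupal_goto('<front>');
}
```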
Drupalgeddon - core SQL injection 2014
SQL injection led to arbitrary code execution
Plan your security updates!
Exploited soon after the release
Mitigated on Acquia Cloud
Handbook for how to recover from a breach
Drupal 7 Security improvements
Drupal 7
Stronger password hashing / salt
Login flood control
prevents brute-force credential guessing
Protected cron
prevents Denial of Service attacks
Update manager
Update module from the web UI
Drupal 7 Update Manager
Notifications
Drupal 8 Security improvements
Drupal 8: Twig
Automatically sanitizes strings on output
# Drupal 7
// Safe only because template_preprocess_username() already ran check_plain() on name and extra.
if (isset($variables['link_path'])) {
  $output = l($variables['name'] . $variables['extra'], $variables['link_path'], $variables['link_options']);
}
else {
  $output = '<span' . drupal_attributes($variables['attributes_array']) . '>' . $variables['name'] . $variables['extra'] . '</span>';
}
return $output;
# Drupal 8
{# Twig escapes every {{ }} output automatically unless it is explicitly marked safe. #}
{% if link_path -%}
  <a{{ attributes }}>{{ name }}{{ extra }}</a>
{%- else -%}
  <span{{ attributes }}>{{ name }}{{ extra }}</span>
{%- endif -%}
Drupal 8: Twig
No PHP in templates
Drupal 8: WYSIWYG in core
Streamlined filter mechanism (server and client side)
No more full HTML as last resort
Drupal 8: PHP
Removed PHP module
Drupal 8: Built-in CSRF tokens
CSRF tokens built in the routing system
# views_ui.routing.yml
views_ui.enable:
  path: '/admin/structure/views/view/{view}/enable'
  defaults:
    _controller: '\Drupal\views_ui\Controller\ViewsUIController::ajaxOperation'
    op: enable
  requirements:
    _entity_access: view.enable
    _csrf_token: 'TRUE'
Drupal 8: lots more hardening
PDO MySQL limited to executing single statements
PHP execution in subfolders forbidden in .htaccess
Clickjacking protection by default with X-Frame-Options
Hashed user session IDs in the DB
Trusted hosts pattern to restrict URL domains
Blog post: 10 Ways Drupal 8 Will Be More Secure
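An added example (not from the slides) of the settings.php lines behind the "trusted hosts pattern" item: without them Drupal 8 builds absolute URLs (password reset links included) from whatever Host header the request carries. The hostnames are placeholders.

```php
<?php
// Added example for a Drupal 8 sites/default/settings.php; hostnames are placeholders.
// Weak: leaving $settings['trusted_host_patterns'] unset accepts any Host header.
// Fixed: anchored regular expressions, one per hostname that may serve the site.
$settings['trusted_host_patterns'] = array(
  '^example\.com$',
  '^www\.example\.com$',
  // Every legitimate hostname must be listed; requests for an unlisted host
  // are answered with an error page instead of a rendered site.
  '^staging\.example\.com$',
);
```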
Book on Security in Drupal
References
Drupal Security Advisories
Drupal Security Team
Drupal Security report
Drupal Security Best Practices guide
DGD7 chapter 6
https://groups.drupal.org/security
Security on docs.acquia.com
Thanks!
Got questions?
Contact
@scorlosquet
scor@acquia.com
