Drupal Security
Gábor Hojtsy & Ben Jeavons
24. aug 14:45
VPS.net


Tuesday, August 31, 2010
Who we are

• Gábor Hojtsy
  • Drupal 6 co-maintainer
  • Acquia
  • Security Team Member
• Ben Jeavons
  • Drupal Security Report
  • Growing Venture Solutions
  • Security Team Member

Web security

• Protecting resources from abuse
• Protecting data
• Protecting available actions
• Attackers exploit a weakness to do harm

Demo

• Malicious JavaScript is entered
• Admin unknowingly executes it
• JavaScript alters admin-only settings
  • Changes admin password
  • Puts site offline

66% likelihood that a website has Cross Site Scripting
Source: http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf

Vulnerabilities by popularity

[Pie chart: vulnerability classes by share. Legend: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Slice labels on the slide: 48%, 16%, 12%, 10%, 7%, 4%, 3%.]
Source: http://drupalsecurityreport.org

Lots of risks

• Prioritize your actions
  • Secure configuration
  • Careful processes
    • Keep code up-to-date
  • Audit custom code

Smart configuration

• Control user input
  • Input formats
• Trust
  • Roles and permissions

Input formats

• Input formats control what happens when user-supplied data is displayed
• Filtered HTML for untrusted roles
• Full HTML for completely trusted roles

Filtered HTML

• HTML filter
  • Limits the allowed tags

Unsafe HTML tags

• Script tags or any that allow JS events
  • <script>
• Any that allow URL reference
  • <img>

No image tags?!

• Image tags allow for CSRF attacks
• It’s a matter of trust
• Use CCK & imagefield
• Control access to Full HTML

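The allow-list filtering the last three slides describe, as an added example in Python (my own code, not Drupal's filter module): only a fixed set of tags survives, <script> and <img> are dropped, on* event attributes are removed, and URL attributes must use a safe scheme. The allowed-tag list assumes Drupal 6's default Filtered HTML setting; the input strings are constructed.

```python
import html
from html.parser import HTMLParser

# Allow-list of tags: Drupal 6's default "Filtered HTML" tag list (assumed
# site configuration). <script>, <img> and <p> are NOT on it.
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code",
                "ul", "ol", "li", "dl", "dt", "dd"}
URL_ATTRS = {"href", "src"}                     # attributes that reference a URL
SAFE_PREFIXES = ("http:", "https:", "mailto:", "/", "#")


def safe_url(value):
    """True for relative URLs and the schemes in SAFE_PREFIXES, else False.

    Whitespace and control characters are removed first, because a browser
    still reads 'java<TAB>script:' as 'javascript:'.
    """
    v = "".join(ch for ch in value.lower() if ch.isprintable() and not ch.isspace())
    return v.startswith(SAFE_PREFIXES) or ":" not in v


class AllowListFilter(HTMLParser):
    """Rebuilds markup keeping only allowed tags and harmless attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # audit trail: what was removed, for a security log

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:          # HTMLParser already unescaped value
            value = value or ""
            if name.startswith("on"):      # onclick, onerror, ... run JS
                self.dropped.append(f"{name} on <{tag}>")
            elif name in URL_ATTRS and not safe_url(value):
                self.dropped.append(f"{name}={value!r} on <{tag}>")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so the body of a stripped <script> stays inert text.
        self.out.append(html.escape(data, quote=False))


def filter_html(untrusted):
    """Return (filtered_markup, list_of_dropped_items) for an untrusted string."""
    f = AllowListFilter()
    f.feed(untrusted)
    f.close()
    return "".join(f.out), f.dropped


if __name__ == "__main__":
    # Constructed sample input, the kind a "Filtered HTML" role might submit.
    sample = ('Hi <script>alert(1)</script><strong onclick="x()">bold</strong> '
              '<a href="javascript:alert(1)">link</a> <img src="http://example.com/p.png">')
    print(filter_html(sample))
```

The `dropped` list is the part worth keeping: logging it per submission shows which accounts keep trying to post script or event handlers through a filtered format.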
Trust

• Know your roles
  • Which users have which roles
• How roles are granted

“Super-admin” permissions

• Administer permissions
• Administer users
• Administer filters
• Administer content types
• Administer site configuration

Trust

• Utilize the principle of least privilege
  • Grant only the necessary permissions to carry out the required work

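As an added example (my own Python, not the Security Review module's code), an audit over a constructed snapshot of roles, permissions and input-format access: it flags roles other than the trusted administrator that hold any of the super-admin permissions listed above, untrusted built-in roles allowed to use Full HTML, and, for the least-privilege principle, anything a role holds beyond a declared job description. Role names, permission names and the REQUIRED baseline are constructed sample data.

```python
# Permissions the slides call "super-admin": any one of them is effectively
# full control of the site, so they belong only to completely trusted roles.
SUPER_ADMIN_PERMS = {
    "administer permissions", "administer users", "administer filters",
    "administer content types", "administer site configuration",
}
# Roles every visitor (anonymous) or every account (authenticated) holds
# automatically; nothing granted to them can be considered trusted.
UNTRUSTED_ROLES = {"anonymous user", "authenticated user"}


def super_admin_grants(role_perms, trusted_roles=("administrator",)):
    """{role: [super-admin perms]} for every role not explicitly trusted."""
    findings = {}
    for role, perms in role_perms.items():
        hit = SUPER_ADMIN_PERMS & set(perms)
        if hit and role not in trusted_roles:
            findings[role] = sorted(hit)
    return findings

def full_html_exposure(format_roles):
    """Untrusted roles allowed to use Full HTML (unfiltered <script>, <img>)."""
    return sorted(UNTRUSTED_ROLES & set(format_roles.get("Full HTML", ())))

def excess_permissions(role_perms, required):
    """Least privilege: what each role holds beyond its declared job."""
    report = {}
    for role, needed in required.items():
        extra = set(role_perms.get(role, ())) - set(needed)
        if extra:
            report[role] = sorted(extra)
    return report

def audit(role_perms, format_roles, required):
    """Combine the three checks into one findings dict (empty means clean)."""
    findings = {
        "super_admin": super_admin_grants(role_perms),
        "full_html": full_html_exposure(format_roles),
        "excess": excess_permissions(role_perms, required),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed snapshot (not real data); on a Drupal 6 site this would come
# from the permission table and the input format access settings.
ROLE_PERMS = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content", "post comments"},
    "editor": {"access content", "create story content",
               "edit any story content", "administer filters",
               "administer content types"},
    "administrator": SUPER_ADMIN_PERMS | {"access content"},
}
FORMAT_ROLES = {
    "Filtered HTML": {"anonymous user", "authenticated user", "editor"},
    "Full HTML": {"authenticated user", "administrator"},
}
# What the editor job actually needs, agreed with the site owner.
REQUIRED = {"editor": {"access content", "create story content",
                       "edit any story content"}}

if __name__ == "__main__":
    for check, result in audit(ROLE_PERMS, FORMAT_ROLES, REQUIRED).items():
        print(f"{check}: {result}")
```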
Recovering from attack

• Restore from backup
• Upgrade to latest security releases
• Change your passwords
• Audit your configuration & custom code

Backups

• You do have backups, don’t you?
• phpMyAdmin > Export
• mysqldump on the command line
• Be sure to check they worked!

Open source is secure

• Source code is open for people to look at
• Popularity means eyes on code
• Collaboration increases code quality

Drupal is secure

• Drupal APIs are designed to be secure
• http://drupal.org/writing-secure-code

Drupal security team

• Team of volunteers
• Support core and all(!) of contrib
• Not actively reviewing all contrib projects

Security Advisories

• Only stable project releases
• SAs on Wednesdays
• New core release types
  • Bug fix release / Security fix release

Stay up-to-date

• Know about security updates
  • Security Advisories
    • Update status module
    • Mailing list, RSS, Twitter
• Apply them!

Security updates

• Most security updates are small
  • But not always
• Apply updates to development instance
  • Test, then apply to production

FTP

• Do not use it!
  • Common vector for attack
  • Really, we’ve moved past plain-text

SFTP

• “Secure” FTP
  • Your host should provide it
  • If not, consider a new one

SSL

• Run Drupal on full SSL
• Use securepages and securepages_prevent_hijack modules
• http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https
• Use a valid certificate

Security Review

• http://drupal.org/project/security_review
• File system permissions
• Granted “super-admin” permissions
• Input formats
• Allowed upload extensions
• PHP & JavaScript in content

• Security Advisories
  • http://drupal.org/security
• Handbooks
  • http://drupal.org/security/secure-configuration
  • http://drupal.org/writing-secure-code
• Cracking Drupal Book
  • http://crackingdrupal.com
• http://www.owasp.org/

http://cph2010.drupal.org/node/12628

Drupal security - Configuration and process

  • 1. Drupal Security Gábor Hojtsy & Ben Jeavons 24. aug 14:45 VPS.net Tuesday, August 31, 2010
  • 2. Who we are • Gábor Hojtsy • Ben Jeavons • Drupal 6 co-maintainer • Drupal Security Report • Acquia • Growing Venture Solutions • Security Team Member • Security Team Member Tuesday, August 31, 2010
  • 3. Web security • Protecting resources from abuse • Protecting data • Protecting available actions • Attackers exploit a weakness to do harm Tuesday, August 31, 2010
  • 4. Demo • Malicious Javascript is entered • Admin unknowingly executes • Javascript alters admin-only settings • Changes admin password • Puts site offline Tuesday, August 31, 2010
  • 5. 66% likeliness a website has Cross Site Scripting http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf Tuesday, August 31, 2010
  • 6. Vulnerabilities by popularity 12% 7% 4% 3% 48% 10% 16% XSS Access Bypass CSRF Authentication/Session Arbitrary Code Execution SQL Injection Others http://drupalsecurityreport.org Tuesday, August 31, 2010
  • 7. Lots of risks • Prioritize your actions • Secure configuration • Careful processes • Keep code up-to-date • Audit custom code Tuesday, August 31, 2010
  • 8. Smart configuration • Control user input • Input formats • Trust • Roles and permissions Tuesday, August 31, 2010
  • 9. Input formats • Input formats control what happens when user-supplied data is displayed Tuesday, August 31, 2010
  • 10. Input formats • Filtered HTML for untrusted roles • Full HTML for completely trusted roles Tuesday, August 31, 2010
  • 11. Filtered HTML • HTML filter • Limits the allowed tags Tuesday, August 31, 2010
  • 12. Unsafe HTML tags • Script tags or any that allow JS events • <script> • Any that allow URL reference • <img> Tuesday, August 31, 2010
  • 13. No image tags?! • Image tags allow for CSRF attacks • It’s a matter of trust • Use CCK & imagefield • Use control access to Full HTML Tuesday, August 31, 2010
  • 14. Trust • Know your roles • Which users have which roles • How roles are granted Tuesday, August 31, 2010
  • 15. “Super-admin” permissions • Administer permissions • Administer users • Administer filters • Administer content types • Administer site configuration Tuesday, August 31, 2010
  • 16. Trust • Utilize principle of Least Privilege • Grant only the necessary permissions to carry out the required work Tuesday, August 31, 2010
  • 18. Recovering from attack • Restore from backup • Upgrade to latest security releases • Change your passwords • Audit your configuration & custom code Tuesday, August 31, 2010
  • 19. Backups • You do have backups, don’t you? • phpMyAdmin > Export • mysqldump on the command line • Be sure to check they worked! Tuesday, August 31, 2010
  • 20. Open source is secure • Source code is open for people to look at • Popularity means eyes on code • Collaboration increases code quality Tuesday, August 31, 2010
  • 21. Drupal is secure • Drupal APIs are designed to be secure • http://drupal.org/writing-secure-code Tuesday, August 31, 2010
  • 22. Drupal security team • Team of volunteers • Support core and all(!) of contrib • Not actively reviewing all contrib projects Tuesday, August 31, 2010
  • 23. Security Advisories • Only stable project releases • SAs on Wednesdays • New core release types • Bug fix release / Security fix release Tuesday, August 31, 2010
  • 24. Stay up-to-date • Know about security updates • Security Advisories • Update status module • Mailing list, RSS, Twitter • Apply them! Tuesday, August 31, 2010
  • 25. Security updates • Most security updates are small • But not always • Apply updates to development instance • Test, then apply to production Tuesday, August 31, 2010
  • 26. FTP • Do not use it! • Common vector for attack • Really, we’ve moved past plain-text Tuesday, August 31, 2010
  • 27. SFTP • “Secure” FTP • Your host should provide it • If not, consider a new one Tuesday, August 31, 2010
  • 28. SSL • Run Drupal on full SSL • Use securepages and securepages_prevent_hijack modules • http://crackingdrupal.com/blog/greggles/ drupal-and-ssl-multiple-recipes-possible- solutions-https • Use a valid certificate Tuesday, August 31, 2010
  • 29. Security Review • http://drupal.org/project/security_review • File system permissions • Granted “super-admin” permissions • Input formats • Allowed upload extensions • PHP & Javascript in content Tuesday, August 31, 2010
  • 30. Security Advisories • http://drupal.org/security • Handbooks • http://drupal.org/security/secure-configuration • http://drupal.org/writing-secure-code • Cracking Drupal Book • http://crackingdrupal.com • http://www.owasp.org/ Tuesday, August 31, 2010