Drupal and Security

What you need to know

Presented by

These slides: http://scor.github.io/drupal-security-2015/

Stéphane "scor" Corlosquet

9+ years with Drupal
Drupal Security Team member
RDF in core + contrib
Definitive Guide to Drupal 7
We're hiring

Klaus "Klausi" Purer

Software Engineer, mostly backend
Project application review admin
Drupal Security Team member
REST module in D8 core
Rules module for D8

Lots of things to cover

Server environment
Server config
Personal practices
Drupal Configuration
Code

cover them all a little

General tips

Use HTTPS, SSH, SFTP
Strong password policy
Server – LAMP stack
Require SSH keys
Take & verify your backups
- Sanitize backups for sharing

Secure site configuration

Roles and permissions
Keep your site settings secure
- Text formats
- PHP module
- PHP in other modules

Secure site configuration

File permissions: web server user forbidden to change code
PHP execution: restrict in .htaccess or Nginx config
Drupal handbook for securing your site

Drupal specific hosting

Can your hosting provider help you improve your security process?
Tuned for Drupal security (and performance)
- Code, DB, uploaded files, config
- Managed security updates
  - Remote administration (Acquia & more)

Modules enhancing security

PCI, HIPAA, SOC1, SOC2, SCADA

Be aware of the regulations in your environment
Drupal PCI Compliance Report
Anyone work in HIPAA environment?
FedRAMP/FISMA Certification & Accreditation (C&A)?
Anyone work with Drupal in SCADA environment?

Security process

Ongoing maintenance
Budget for security
Managed hosting
Drupal.org packaging infrastructure

Security process

Drupal Security Team
- Keep Drupal code secure in core and contrib
- Educate the community on security best practices
  - Developers
  - Site builders
  - Site administrators and users
  - Decision makers
- Security Advisory for every security release

Security process

https://www.acquia.com/blog/keeping-drupal-secure

What are the most common issues?

Vulnerabilities by type in core

What are the most common issues?

Vulnerabilities by type in contrib

What is XSS?

Cross Site Scripting
Code in the browser
Making requests
Parsing responses
Javascript, Flash, Java, etc.

Testing for XSS

<script>alert('title');</script>
<img src="a" onerror="alert('title');">
Catches 90%

Fixing XSS?

Filter text
On output to browser
As late as reasonable
Some API filters where reasonable
t() and @text and %text placeholders

Precautions against XSS

What is Access Bypass?

User can see or do something
That permissions/access should prevent

Where do we enforce it?

Menu 'access callback'
if(user_access('see something'));
Node access system
Entity access
Field access
Services & Ajax apis?
In templates

Testing for Access Bypass

Visit node/nid etc.
Visit anything/%node
Use behat

Fixing Access Bypass?

user_access for permissions
node_access
entity_access
$query->addTag('node_access');
menu definitions
write automated tests

What is CSRF?

path that does not confirm intent
<img src="http://example.com/node/1/quickdelete" >

Testing for CSRF

$_GET, $_POST, no use of drupal_get_token()
"verb" menu callbacks without token

Fixing CSRF?

Use Form API: confirmation forms
Send and validate tokens
Protect Against CSRF webinar with greggles

Drupalgeddon - core SQL injection 2014

Exploited within hours after the release
SQL injection lead to arbitrary code execution
Mitigated on large hosting providers such as Acquia and Pantheon
Plan your security updates!
Handbook for how to recover from a breach

Drupal 7

Security improvements

Drupal 7

Stronger password hashing / salt
Login flood control
- prevents brute-force credential guessing
Protected cron
- prevents Denial of Service attacks
Update manager
- Update module from the web UI

Drupal 7 Update Manager

Drupal 7 Update Manager Notifications

Drupal 8

Security improvements

Drupal 8: Twig

Automatically sanitizes strings on output^*

  # Drupal 7
  if (isset($variables['link_path'])) {
    $output = l($variables['name'] . $variables['extra'], $variables['link_path'], $variables['link_options']);
  }
  else {
    $output = '<span' . drupal_attributes($variables['attributes_array']) . '>' . $variables['name'] . $variables['extra'] . '</span>';
  }
  return $output;

  # Drupal 8
  {% if link_path -%}
    <a{{ attributes }}>{{ name }}{{ extra }}</a>
  {%- else -%}
    <span{{ attributes }}>{{ name }}{{ extra }}</span>
  {%- endif -%}

^* https://drupal.org/node/1825952

Drupal 8: Twig

No PHP in templates

{% if link_path -%}
  <a{{ attributes }}>{{ name }}{{ extra }}</a>
{%- else -%}
  <span{{ attributes }}>{{ name }}{{ extra }}</span>
{%- endif -%}

Drupal 8: WYSIWYG in core

Streamlined filter mechanism (server and client side)
No more full HTML as last resort

alt alt

Drupal 8: PHP

Removed PHP module alt alt

Drupal 8: Built-in CSRF tokens

CSRF tokens built in the routing system

# views_ui.routing.yml
views_ui.enable:
  path: '/admin/structure/views/view/{view}/enable'
  defaults:
    _controller: '\Drupal\views_ui\Controller\ViewsUIController::ajaxOperation'
    op: enable
  requirements:
    _entity_access: view.enable
    _csrf_token: 'TRUE'

Drupal 8: lots more hardening

PDO MySQL limited to executing single statements
PHP execution in subfolders forbidden in .htaccess
Clickjacking protection per default with X-Frame-Options
Hashed user session IDs in the DB
Trusted hosts pattern to restrict URL domains
Blog post: 10 Ways Drupal 8 Will Be More Secure

Book on Security in Drupal

References

Sprint on Friday

Sprint with the community on Friday.
We have tasks for every skill set.
Mentors are available for new contributors.
An optional Friday morning workshop for first-time sprinters will help you get set up.
Follow @drupalmentoring