Drupal Security

Various attacks and ways to protect site

Presents by Vasily Kraev
Drupal Camp Msk 2014

About me

Sword and shield

• Everything is hackable
• Sometimes has expensive "hack"-cost
• Don't be paranoid, try to balance

The foundation

• Open Web Application Security Project (OWASP)
• Web Application Security Consortium (WASC)

Process

• Gathering info about target
• Attack
• Maybe: backdoor/rootkit
• PROFIT!!!!11

Gathering info

Gathering info

• Google dorks
• HTML source code
• README.txt / INSTALL.txt
  *.txt / css / js indahouse in module
• nmap,  Havij, 
  MetaSploitFramework

Dorks

inurl:CHANGELOG.txt intext:drupal 
intext:"SA-CORE" -intext:7.32 
-site:github.com -site:drupal.org

$databases['default']['default'] = array( password

nmap example on vestaCP

Scanning blablabla.net (xxx.xxx.xxx.xxx) [1000 ports]
Discovered open port 587/tcp on xxx.xxx.xxx.xxx
...
Discovered open port 8443/tcp on xxx.xxx.xxx.xxx
Completed SYN Stealth Scan at 08:40, 1.56s elapsed (1000 total ports)
Initiating OS detection (try #1) against blablabla.net (xxx.xxx.xxx.xxx)
Retrying OS detection (try #2) against blablabla.net (xxx.xxx.xxx.xxx)
Nmap scan report for blablabla.net (xxx.xxx.xxx.xxx)
Host is up (0.058s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
465/tcp  open  smtps
587/tcp  open  submission
2525/tcp open  ms-v-worlds
3306/tcp open  mysql
8080/tcp open  http-proxy
8083/tcp open  us-srv
8443/tcp open  https-alt
Device type: general purpose|WAP|storage-misc|broadband router|media device|phone
Running (JUST GUESSING): Linux 3.X|2.6.X|2.4.X (96%), Asus Linux (93%), HP embedded (91%), Linksys Linux 2.4.X (90%), ......

Attack

You must protect whole server...

Attack

... and human resources too

Attack

• Drupal-specific
• DoS: RAM / HDD / DB
• DDoS
• Non-standart

Drupal bad practice

print "<a href='/node/" . $node->nid . 
      "'>" . $node->title . "</a>";

$result = db_query("UPDATE status FROM {node} 
SET status = " . $status . " WHERE nid = " . $nid);

$nomer = $node->field_nomer['und'][0]['value'];

much better

print l(t('Title:') . check_plain($node->title), $node->path);

$result = db_update('node')
  ->fields(array('status' => 1))
  ->condition('nid', 123)
  ->execute();

Hey, I khow the wrappers!

$wrapper = entity_metadata_wrapper('node', $node);
$title = $wrapper->title->value();
$number = $wrapper->field_number->raw(); 

Use wrappers right!

$wrapper = entity_metadata_wrapper('node', $node);

$title = $wrapper->title->value(array('sanitize' => TRUE));

XSS Risk

• echo() print()
• theme()
• t() and l() without % @
• var_dump() dpm()
• console.log()
• watchdog()
• drupal_set_title() drupal_set_message()
• $form_state values
• Templates (.tpl.php)
• Theme's code
• Preprocess functions
• Validation messages

Remember!

Modules for security

• Secure login
• Password policy
• Paranoia
• Hacked!
• Permissions Lock
• Secure Login
• Security Review
• Two Factor Authentication

Enhancing security

• disable & delete php module
• use git
• use CoderSniffer
• use XSS-test-content + Selenium
• use tests

• Core & Contributed Project Security Advisories

• Writing drupal secure code

• Drupal Security Report

DoS

DoS

Misconfig

• Not closed ports
• One user for apache+php / all sites
• Wrong perms on dirs / config file or .htaccess (iframe, traff redirect, shell)
  AddType application/x-httpd-php .jpg

  Redirect 301 / http://very-bad-site.com/
  
  
  

Wrong configuration (docs nginx linode) 
drupal modules, etc

DDoS

PentagonComp: Yes, my password is "MaoZedong"

Crouching tiger hidden dragon

How hackers hide shells?

php block in DB

jpg.php (+ htaccess)

obfuscation

git (hooks make shell at pull) :)

?

skype: vasilykraev
vk@vkraev.ru

slides.com/vasilykraev/drupal-security