Benji Fisher
July 09, 2022 - DrupalCamp Asheville
Usability group, Migration subsystem, Security team (provisional member)
Build. Grow. Protect.
Find a link to this presentation on my GitLab Pages:
These slides borrow from some of Peter Wolanin’s “Cracking Drupal” presentations and from https://owasp.org/. According to the standard footer,
Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy.
All of my slide decks have a similar license.
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
source: https://owasp.org/
OWASP is not Drupal-specific. Let’s “get off the island”!
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
source: https://owasp.org/www-project-top-ten/
The list is updated every few years. The most recent version is from 2021.
Drupal is a web-based content management system (CMS):
Enter data in my forms. I will save it to the database, then generate web pages.
Hacker:
Sounds great. Let’s get started!
The Drupal community is one of the largest open source communities in the world. We’re more than 1,000,000 passionate developers, designers, trainers, strategists, coordinators, editors, and sponsors working together.
source: https://www.drupal.org/about
The security team is an all-volunteer group of individuals who work to improve the security of the Drupal project. Members of the team come from countries across 3 continents … The team was formalized in 2005 with a mailing list and has had 3 team leads in that time period.
One site had custom access control for /user/1/edit
. The
access function left off a “not” and granted access to anyone
except User 1.
Q: How to protect yourself?
How do you avoid horror stories?
If customers knew the true cost of custom code, they would ask for less of it.
<img src="https://example.com/node/123/delete">
Questions:
.../edit
,
.../delete
, and more.The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.
Solution: upgrade to Drupal 9.2.6, 9.1.13, or 8.9.19.
Commit b230624e5b:
source: A03:2021 - Injection
source: https://xkcd.com/327/
Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. … this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This … can be exploited by anonymous users.
source: SA-CORE-2014-005
Because of the severity of the vulnerability and the simplicity of the update, we tested … and updated the site today.
source: my e-mail to boss and site owner (paraphrase)
(comment snipped from both)
// Update the query with the new placeholders.
// preg_replace is necessary to ensure the replacement does not affect
// placeholders that start with the same exact text. For example, if the
// query contains the placeholders :foo and :foobar, and :foo has an
// array of values, using str_replace would affect both placeholders,
// but using the following preg_replace would only affect :foo because
// it is followed by a non-word character.
$query = preg_replace(
'#' . $key . '\b#',
implode(', ', array_keys($new_keys)),
$query
);
(line breaks added)
The secret:
The most important thing is to do all the boring stuff you already know.
It is a lot like …
How to live a longer, healthier life!
It takes just 4 minutes a day!
Does that seem too good to be true?
#security-questions
channel in Drupal
SlackUnofficial: @drupalsecurity on Twitter (other?)
Q: Why is Drupal 9 EOL scheduled for Nov. 2023?
A: Drupal 9 uses Symfony 4, which is EOL in Nov. 2023.
eval()
from the web interface
This slide deck by
Benji
Fisher is licensed under a
Creative
Commons Attribution-ShareAlike 4.0 International License.
Based on a work at
https://gitlab.com/benjifisher/slide-decks.