Benji Fisher
March 17, 2023 - DrupalCamp NJ
Usability group, Migration subsystem, Security team
Find a link to this presentation on my GitLab Pages:
These slides borrow from some of Peter Wolanin’s “Cracking Drupal” presentations and from https://owasp.org/. According to the standard footer,
Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy.
All of my slide decks have a similar license.
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
source: https://owasp.org/
OWASP is not Drupal-specific. Let’s “get off the island”!
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
source: https://owasp.org/www-project-top-ten/
The list is updated every few years. The most recent version is from 2021.
Drupal is a web-based content management system (CMS):
Enter data in my forms. I will save it to the database, then generate web pages.
Hacker:
Sounds great. Let’s get started!
Hacker:
Then
will become
source: https://xkcd.com/327/
The Drupal community is one of the largest open source communities in the world. We’re more than 1,000,000 passionate developers, designers, trainers, strategists, coordinators, editors, and sponsors working together.
source: https://www.drupal.org/about
The security team is an all-volunteer group of individuals who work to improve the security of the Drupal project. Members of the team come from countries across 3 continents … The team was formalized in 2005 with a mailing list and has had 3 team leads in that time period.
One site had custom access control for /user/1/edit. The access function left off a “not” and granted access to anyone except User 1.
Q: How to protect yourself?
How do you avoid horror stories?
If customers knew the true cost of custom code, they would ask for less of it.
<img src="https://example.com/node/123/delete">
Questions: .../edit, .../delete, and more.
The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.
Solution: upgrade to Drupal 9.2.6, 9.1.13, or 8.9.19.
Commit b230624e5b:
Unless you are a cryptography maven, do not try to do it yourself. Know when to call for an expert!
Q: What data need protection?
PII includes Social Security numbers, credit cards, health information.
For example, drupal.org SSL Labs report
… not to be confused with Automatic Updates/Project Browser initiative
In Drupal\update\UpdateFetcher:
/**
* URL to check for updates, if a given project doesn't define its own.
*/
const UPDATE_DEFAULT_URL = 'https://updates.drupal.org/release-history';
We did not fix that until Issue #1538118, 2020-11-05. We are still working on the Drupal 7 issue.
settings.php value from external file.
In Drupal\user\Entity\User::baseFieldDefinitions():
$fields['pass'] = BaseFieldDefinition::create('password')
  ->setLabel(t('Password'))
  ->setDescription(t('The password of this user (hashed).'))
  ->addConstraint('ProtectedUserField');
The User entity has simple getPassword() and setPassword() methods. The 'password' field type calls a hash function in preSave().
In Drupal\user\UserAuth (simplified):
public function authenticate($username, $password) {
  $uid = FALSE;
  // ... look up $account based on $username.
  if ($this->passwordChecker->check($password, $account->getPassword())) {
    // Successful authentication.
    $uid = $account->id();
    // Update user to new password scheme if needed.
    // ...
    $account->setPassword($password)->save();
  }
  return $uid;
}
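The verify-then-rehash flow of authenticate() above, as an added Python example that is not Drupal's code: it assumes a pbkdf2_sha256$iterations$salt$digest storage format, a dict as a stand-in for the User entity, and the OWASP-recommended 600,000 PBKDF2-SHA256 rounds as the current policy.

```python
import hashlib
import hmac
import os

# Constructed stand-in for Drupal's password scheme (an assumption):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
CURRENT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Hash with a fresh random salt; this is what preSave() would store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash uses fewer rounds than the current policy."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < CURRENT_ITERATIONS


def authenticate(account: dict, password: str):
    """Mirror of the simplified authenticate(): returns the uid or False.

    account is a constructed dict stand-in for the User entity: {'uid', 'pass'}.
    """
    if not check_password(password, account["pass"]):
        return False
    # A successful login is the only moment the plaintext is available, so
    # this is where an old or weak hash gets upgraded and the account re-saved.
    if needs_rehash(account["pass"]):
        account["pass"] = hash_password(password)
    return account["uid"]
```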
source: A03:2021 - Injection
Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. … this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This … can be exploited by anonymous users.
source: SA-CORE-2014-005
Because of the severity of the vulnerability and the simplicity of the update, we tested … and updated the site today.
source: my e-mail to boss and site owner (paraphrase)
(comment snipped from both)
// Update the query with the new placeholders.
// preg_replace is necessary to ensure the replacement does not affect
// placeholders that start with the same exact text. For example, if the
// query contains the placeholders :foo and :foobar, and :foo has an
// array of values, using str_replace would affect both placeholders,
// but using the following preg_replace would only affect :foo because
// it is followed by a non-word character.
$query = preg_replace(
'#' . $key . '\b#',
implode(', ', array_keys($new_keys)),
$query
);
(line breaks added)
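The placeholder expansion the preg_replace above performs, re-implemented as an added Python example (not Drupal's code) so the :foo versus :foobar boundary problem described in the comment can be seen directly; the naive str_replace variant is included only to show the failure mode.

```python
import re

# Constructed re-implementation of array-placeholder expansion. Element
# placeholder names are built from a position counter (0, 1, 2, ...), never
# from the keys of the caller-supplied array, so the generated names stay
# under the query builder's control.


def expand_arguments(query: str, args: dict) -> tuple:
    """Expand each list-valued placeholder into one placeholder per element."""
    new_args = dict(args)
    for key, value in args.items():
        if not isinstance(value, (list, tuple)):
            continue
        new_keys = {f"{key}_{i}": v for i, v in enumerate(value)}
        # \b stops ':foo' from matching the prefix of ':foobar' (or of an
        # already generated ':foo_0'), exactly as the Drupal comment explains.
        query = re.sub(re.escape(key) + r"\b", ", ".join(new_keys), query)
        del new_args[key]
        new_args.update(new_keys)
    return query, new_args


def expand_with_str_replace(query: str, args: dict) -> str:
    """Plain substring replacement: clobbers any placeholder sharing a prefix."""
    for key, value in args.items():
        if isinstance(value, (list, tuple)):
            names = ", ".join(f"{key}_{i}" for i in range(len(value)))
            query = query.replace(key, names)
    return query
```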
The secret:
The most important thing is to do all the boring stuff you already know.
It is a lot like …
How to live a longer, healthier life!
It takes just 4 minutes a day!
Does that seem too good to be true?
#security-team channel in Drupal Slack
Unofficial: @drupalsecurity on Twitter (other?)
Two choices:
Either way, you are trusting the security team:
Q: Why is Drupal 9 EOL scheduled for Nov. 2023?
A: Drupal 9 uses Symfony 4, which is EOL in Nov. 2023.
eval() from the web interface
This slide deck by Benji Fisher is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Based on a work at https://gitlab.com/benjifisher/slide-decks.