Cracking Drupal - Planet Drupal http://crackingdrupal.com/taxonomy/term/2/0 en Anything you can do XSS can do better http://crackingdrupal.com/blog/ben-jeavons/anything-you-can-do-xss-can-do-better <p>Cross Site Scripting (XSS) is the number one vulnerability in Drupal code¹ and one of the scariest forms of exploits, because anything you can do XSS can do better².</p> <h3>More serious than &lt;script&gt;alert('xss')&lt;/script&gt;</h3> <p>During XSS demos and vulnerability testing it's easy to use some code like &lt;script&gt;alert('xss')&lt;/script&gt; to see Javascript executed where it shouldn't be. But an alert box isn't scary.</p> <p>It's scary when Javascript can put your Drupal site offline. And it's even scarier when it locks you out of logging back in because it changed your administrator account username, password, and email address. Watch the short video below to see a demo of this.</p> <p><iframe src="http://player.vimeo.com/video/15447718" width="400" height="300" frameborder="0"></iframe></p> <p>The malicious Javascript entered by the attacker, when unknowingly executed by an administrator, does the following evil evil things:</p> <ul> <li>Changes the site title and site email address</li> <li>Changes the administrator's username, email, and password</li> <li>Sets a site-offline message and puts the site in offline status</li> <li>And finally, logs the current user out of the site³</li> </ul> <h3>How do you protect against this?</h3> <p>Against this exact demo? You disable the use of the Full HTML input format by anonymous users. In general you should understand how to <a href="http://drupal.org/security/secure-configuration">configure your site securely</a> and know <a href="http://crackingdrupal.com/blog/ben-jeavons/importance-user-roles-and-permissions-site-security">what actions you allow untrusted users to perform</a>.</p> <p>The attack vector in the video is a comment that has Full HTML enabled for anonymous users. Note that Drupal <strong>does not</strong> come by default with Full HTML enabled for anonymous users.</p> <h3>Be mindful of contributed modules</h3> <p>It's also common that contributed modules print user-supplied data insecurely, opening up for an XSS attack. Popular modules are often more vetted and secure, and thus safer to use. Greg has written recently about some <a href="http://growingventuresolutions.com/blog/drupal-module-selection-enterprise-lists-and-processes">tools to use in picking modules</a>. Also, if you're writing code, make sure you're <a href="http://drupal.org/writing-secure-code">correctly using the APIs and following best practices</a>.</p> <p>Stay safe, community!</p> <p>¹XSS is the number one vulnerability in Drupal code based on times reported in Drupal core and contributed project Security Advisories as published by the Drupal Security Team. Read the <a href="http://drupalsecurityreport.com">report on Drupal Security</a> for more information and stats.</p> <p>²Javascript can't exactly change admin settings better than you can :). It can certainly change it "faster" than you can though.</p> <p>³The final piece of the attack ran by the Javascript is actually a different class of attack known as Cross Site Request Forgery (CSRF).</p> http://crackingdrupal.com/blog/ben-jeavons/anything-you-can-do-xss-can-do-better#comments Planet Drupal XSS Fri, 01 Oct 2010 05:25:55 +0000 Ben Jeavons 57 at http://crackingdrupal.com Mitigation against CVE-2010-1584 Drupal Context Module XSS http://crackingdrupal.com/blog/greggles/mitigation-against-cve-2010-1584-drupal-context-module-xss <p>Recently Justin Klein Keane posted information about a <a href="http://www.madirish.net/?article=457" rel="nofollow">vulnerability</a> in the <a href="http://drupal.org/project/context">Context Module</a> for Drupal.</p> <p>Justin included information about mitigating factors:</p> <blockquote><p>In order to execute arbitrary script injection malicious users must have 'Administer blocks' permission.</p> </blockquote> <p>Here are some more concrete steps for mitigation of this particular vulnerability.</p> <h3>1. Ensure only trusted roles have the "Administer Blocks" permission</h3> <p>My coworker Ben Jeavons wrote previously in this blog about the importance of understanding <a href="http://crackingdrupal.com/blog/ben-jeavons/importance-user-roles-and-permissions-site-security">trusted and untrusted users on your site and how roles play in</a>. We also built a check for some important permissions into the <a href="http://drupal.org/project/security_review">Security Review</a> module that Ben built as part of his work with <a href="http://growingventuresolutions.com/">GVS</a>.</p> <p>To put it simply, while it's not on the list of roles that the Drupal Security Team considers to be <a href="http://drupal.org/node/475848">site owning permissions that mean there is no need for a Security Advisory</a>, <strong>"Administer blocks" is an important permission and shouldn't be given out to untrusted people who might <strike>inject XSS into a block title</strike> reconfigure or disable all the blocks from the site.</strong></p> <p><em>Update: <a href="http://heine.familiedeelstra.com/">Heine Deelstra</a> asked me to clarify that last line. In general, injecting XSS into a block title would merit an SA in the opinion of the Drupal Security Team. Granular permissions are a strength of Drupal and only permissions which allow for privilege escalation are included in the list <a href="http://drupal.org/node/475848">we will not do an SA for</a>.</em></p> <h3>2. Upgrade Context to the latest code from the repository</h3> <p>As often happens, the Drupal community can move quite quickly and in this case <a href="http://drupal.org/node/794718">the issue has been fixed in the development version of code</a> that exists in the source code repository. A big thanks goes to <a href="http://drupal.org/user/99644">Steven Jones</a> and to <a href="http://drupal.org/user/264833">Young Hahn</a> - two of the volunteer module maintainers - for helping out in this particular case . <em>I say "volunteer" because Steven and Young are not paid by the Drupal Security Team to do this kind of work, though their employers may pay them for it, their employers are only one of many companies that benefit from the existence of the modules.</em></p> <p>To get the code from CVS a site administrator could use this single command:</p> <p><code><br /> cvs -d:pserver:anonymous:anonymous@cvs.drupal.org:/cvs/drupal-contrib checkout -d context-DRUPAL-6--2 -r DRUPAL-6--2 contributions/modules/context/<br /> </code></p> <p>There is an issue to create a <a href="http://drupal.org/node/795072">development snapshot release for this vulnerable branch</a> so it would be easier to download the new code and that release will be created automatically by the Drupal packaging system within 12 hours.</p> <p><em>Update: a <a href="http://drupal.org/node/795118">new release</a> has been created.</em></p> <p>You should of course test an updated module in a test environment prior to releasing it onto a live site.</p> <h3>3. Disable the Context module</h3> <p>Only do this if you can't do steps 1 and 2. Really, both of those should be entirely possible and they are simpler.</p> <p>The Context module provides a variety of features, but the most common one is a new way to show blocks on a site. So, if you can live without the features provided by context you can simply disable it.</p> <p>Go to Administer > Site building > Modules and uncheck the checkbox next to the module and submit the form.</p> <h3>My personal commentary</h3> <p>My personal take on this is that it's been given a bit more hoopla than it deserves. The mitigation steps are simple and most sites would not be vulnerable in the first place. The Drupal Security Team has a policy of not creating "Security Advisories" in the case of Release Candidate (RC) software and, ideally, the broader world of "Security Researchers" would respect that.</p> <p>Of course, it would also be ideal if site administrators respected the "developer" nature of these kinds of modules, but the <a href="http://drupal.org/project/usage/context">project usage for Context</a> shows that it is on well over 10,000 sites. Another solution to that would be for module developers to create official "1.0" releases of their modules if they are serious about letting them get used on lots of sites.</p> <p>On a somewhat related note, the Verizon Security blog recently had a post about <a href="http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/">Security Researchers vs. Narcissistic Vulnerability Pimps</a>.</p> http://crackingdrupal.com/blog/greggles/mitigation-against-cve-2010-1584-drupal-context-module-xss#comments Planet Drupal XSS Mon, 10 May 2010 18:04:36 +0000 greggles 55 at http://crackingdrupal.com Creating a sanitized Drupal database dump http://crackingdrupal.com/blog/greggles/creating-sanitized-drupal-database-dump <p>People often want to create a backup copy of their site database and give it to someone else to create an environment similar to the live environment for testing or development. However, doing so exposes all of your site data being leaked if that backup copy is ever placed on a CD that gets lost or a harddrive which is not destroyed at the end of its life or a laptop which is stolen.</p> <p>I blogged about one solution to this problem earlier with <a href="http://crackingdrupal.com/blog/greggles/easier-and-safer-drupal-development-virtualbox-virtualization">using Virtualbox and an encrypted disk image on Mac</a> for easier and more secure development. However, another simple solution exists: munge the data.</p> <h3>Sanitizing a Drupal database export</h3> <p>The basic idea of this strategy is five easy steps:</p> <ol> <li>Export your database</li> <li>Import it into a new temporary place</li> <li>Overwrite sensitive information with dummy data</li> <li>Export from the temporary place</li> <li>Share this new export</li> </ol> <p><code><br /> -- CAUTION: DO NOT RUN THIS ON DATABASE WHERE YOU CARE ABOUT THE INFORMATION!!!</code></p> <p>-- Munge emails for security.<br /> UPDATE users SET mail = CONCAT(name, '@localhost'), init = CONCAT(name, '@localhost'), pass = MD5(CONCAT('MILDSECRET', name));<br /> UPDATE comments SET mail = CONCAT(name, '@localhost');<br /> UPDATE directory SET mail = CONCAT(name, '@localhost');<br /> UPDATE authmap SET authname = CONCAT(aid, '@localhost');<br /> UPDATE client SET mail = CONCAT(cid, '@localhost');<br /> -- Only important if you use project and project_issue module<br /> UPDATE project_issue_projects SET mail_digest = 'foo@localhost', mail_copy = 'foo@localhost';<br /> UPDATE projects SET mail = CONCAT("empty", '@localhost');<br /> -- Only important if you use simplenews module<br /> UPDATE simplenews_subscriptions SET mail = CONCAT(snid, '@localhost');</p> <p>-- Clear out old webform entries which likely include e-mails<br /> UPDATE webform_submitted_data set data='<em>scrubbed</em>';</p> <p>-- Get rid of irrelevant data it contains IP addresses and bulks up the database<br /> TRUNCATE accesslog;<br /> TRUNCATE access;<br /> TRUNCATE cache;<br /> TRUNCATE cache_filter;<br /> TRUNCATE cache_menu;<br /> TRUNCATE cache_page;<br /> TRUNCATE devel_queries;<br /> TRUNCATE devel_times;<br /> TRUNCATE flood;<br /> TRUNCATE history;<br /> TRUNCATE search_dataset;<br /> TRUNCATE search_index;<br /> TRUNCATE search_total;<br /> TRUNCATE sessions;<br /> TRUNCATE watchdog;</p> <p>-- Alter sensitive entries in the Variable table<br /> update variable set value = 's:4:"fake";' where name = 'smtp_password';<br /> </p> <p>The above script is a slightly modified version of a fairly specific script that works for one specific database: drupal.org. However, you can see the techniques used here and imagine how to adapt them for other sites.</p> <h3>Modify the script to protect data for your specific site</h3> <p>One important step that I take when adapting this to a new site is to make my export from step 4 above and then do a search through the text of the export for common e-mail providers like yahoo or gmail to see if any more addresses exist. If you find one then you figure out which column they are in and use a similar "munge" process on the column updating it to null.</p> <p>Take special care with some modules like <a href="http://drupal.org/project/twitter">twitter</a> that may store account credentials (twitter usernames and passwords) in a database table.</p> <p>And take extra special care with modules like <a href="http://drupal.org/project/smtp">smtp</a> or <a href="http://drupal.org/project/mailhandler">mailhandler</a> which store credentials for important email accounts in the variable table or other locations in the database.</p> <p>Once you've got this script tuned for your site you may need to update it as you add new modules or upgrade existing modules.</p> <p>And that's it - now you can share copies of your database with greater confidence that your site won't be the source of a data leak.</p> <p><em>Edit: Updated to include webform example based on <a href="http://joshuabrauer.com/2010/11/scrubbing-drupal-databases-development">jbrauer's similar blog post.</a></em></p> http://crackingdrupal.com/blog/greggles/creating-sanitized-drupal-database-dump#comments leaking data Planet Drupal Sat, 27 Mar 2010 15:06:55 +0000 greggles 53 at http://crackingdrupal.com Free resources online for protecting your Drupal site http://crackingdrupal.com/blog/greggles/free-resources-online-protecting-your-drupal-site <p>There are lots of great resources online about how to secure your Drupal site. The CrackingDrupal.com site is meant to be one of those resources, but there are also others available elsewhere. Here are some of the best resources available from around the internet with Drupal specific security information.</p> <h3>Drupal.org Handbooks</h3> <p>The Drupal.org handbooks are probably the most natural place to look and in fact they have three great areas of resources.</p> <ul> <li><a href="http://drupal.org/writing-secure-code">Writing secure code</a> provides advice about secure code. It can be a bit hard to understand the flow and examples, but this is still a great resource.</li> <li><a href="http://drupal.org/security/secure-configuration">Secure configuration</a> looks at the non-code aspects of configuring your site.</li> <li><a href="http://drupal.org/security-team">Security team</a> provides insight into the policies and procedures of the Drupal Security Team. It's the policies which are most important to a typical user.</li> </ul> <h3>University of Pennsylvania School of Arts and Sciences Pages</h3> <p>The University of Pennsylvania is using Drupal for a lot of different sites. They have been actively reviewing and finding problems in Drupal's contributed modules for over a year now. They are also providing documentation (on their site) about how to secure Drupal.</p> <p>Some examples:</p> <ul> <li><a href="http://www.sas.upenn.edu/computing/drupal-secure-settings">Drupal Security Configuration</a> </li> <li><a href="http://www.sas.upenn.edu/computing/drupal-approved-modules">Drupal approved modules</a> which means that they have reviewed the modules for security problems.</li> <li><a href="http://www.sas.upenn.edu/computing/drupal-security">Drupal security considerations</a> provides some Penn specific and some general advice about Drupal sites.</li> </ul> <h3>Nadeau Software Consulting</h3> <p>The Nadeau Software Consulting company provides an extensive online resource in 3 parts. Their advice comes from a strong system administrator perspective about how to secure Drupal within the Context of Linux/Apache.</p> <ul> <li><a href="http://nadeausoftware.com/articles/2009/05/drupal_and_apache_web_site_security_checklist_part_1">Drupal and Apache Web Site Security Checklist, part 1</a></li> <li><a href="http://nadeausoftware.com/articles/2009/06/drupal_and_apache_web_site_security_checklist_part_2">Drupal and Apache Web Site Security Checklist, part 2</a></li> </ul> <h3>From CrackingDrupal.com</h3> <p>Aside from <a href="http://crackingdrupal.com/blog">this blog</a> there are a few other resources on this site:</p> <ul> <li><a href="http://crackingdrupal.com/blog/ben-jeavons/contributed-modules-securing-your-site">List of security focused contributed modules</a></li> <li><a href="http://crackingdrupal.com/blog/greggles/drupal-text-filtering-decision-cheat-sheet">Text filtering cheat sheet for developers and themers</a></li> <li>A PDF version of <a href="http://crackingdrupal.com/sites/crackingdrupal.com/files/Cracking_Drupal_Chapter_1.pdf">Cracking Drupal Chapter 1</a> and <a href="http://crackingdrupal.com/sites/crackingdrupal.com/files/Cracking_Drupal_Table_of_Contents.pdf">the table of contents</a>.</li> </ul> <h3>Other blog sites</h3> <p><a href="http://acko.net/blog/safe-string-theory-for-the-web">Safe string theory for the web</a> by Steven Wittens is a great resource. One final mention is <a href="http://heine.familiedeelstra.com/">Heine Deelstra's Blog</a> which covers a lot of things but also frequently covers security.</p> <p><em>Edited to include more resources from this site and Steven Wittens site.</em></p> http://crackingdrupal.com/blog/greggles/free-resources-online-protecting-your-drupal-site#comments free resources Planet Drupal Mon, 11 Jan 2010 21:09:40 +0000 greggles 49 at http://crackingdrupal.com Protecting your Drupal module against Cross Site Request Forgeries http://crackingdrupal.com/blog/greggles/protecting-your-drupal-module-against-cross-site-request-forgeries <p>Cross Site Request Forgeries (CSRF) are the 3rd most common vulnerability in Drupal and yet they are quite easy to protect against. The precise solution depends on where the problem is, but is never too complex to implement. To start, of course, we need to understand what CSRF actually is.</p> <h3>What is Cross Site Request Forgery - CSRF</h3> <p>When you take an action online - submitting a blog post, delete a photo, registering on a site, transferring money in a bank account - you are making a request to a site to perform that action for you. Several things happen automatically when you make a request to a site: lots of data is sent using either a "POST" or "GET" method and your browser sends along any cookies you have for the site. The cookies often contain your session identification for the site which is how the site knows who you are and what permissions you have.</p> <p>A CSRF occurs when a malicious user can trick you into making a specific kind of request to a site that you did not really intend to make AND when the site performs that action. A simple example follows:</p> <ol> <li>Your site has a list of accounts and presents links to delete accounts. That link points to a URL like <a href="http://example.com/admin/delete/user/2" title="http://example.com/admin/delete/user/2">http://example.com/admin/delete/user/2</a> which contains the account identifier for the account to be deleted (2 in this example)</li> <li>A malicous attacker determines that you are an admin on the site and becomes your "friend" on a social networking site like twitter. They post a message to twitter @your_attention with a TinyURL that redirects to <a href="http://example.com/admin/delete/user/2" title="http://example.com/admin/delete/user/2">http://example.com/admin/delete/user/2</a></li> <li>By the time you realize where the redirect is going, you've already deleted account #2. Depending on the system that may also delete all of the content associated with account #2. </li> </ol> <p>Major bummer.</p> <p>The solution to this problem is a secret value associated with the action that is not easy to calculate called a token. When the form or link to take an action like deleting the account is sent to the browser the site sends along a string that includes something unique and only known by the site and the user. When the request is submitted the site validates that the token is still present and is appropriate for the action being taken. If it doesn't validate, the action is denied.</p> <h3>Protecting against CSRF in Drupal with Forms</h3> <p>As of Drupal 4.7 there was a Form API in Drupal core which people used to create forms. This form API provided a central place to do form creation, validation, and submission processing. Part of that creation and validation is to ensure that the special "token" is sent to the user and validated on form submission. Drupal uses a "hash" that is composed of at least three values: the user session ID, a string associated with the action being taken, and a string that is private to the site. If an attacker could figure out this token then they could add it to the request and force the site to take the action. Fortunately, this combination of information cannot be calculated by a typical malicious attacker (they would need a super computer and an additional weakness like session fixation...pretty unlikely).</p> <p>So, how do you build a form? Well, the <a href="http://api.drupal.org/api/file/developer/topics/forms_api.html/6">Forms API Quickstart Guide</a> gets you most of the way there and the small form example in our <a href="http://growingventuresolutions.com/blog/drupal-6-api-cheat-sheet">Drupal 6 API cheat sheet</a> should finish it off. So, you use forms for every major action on the site that changes data and you will be protected against CSRF.</p> <p>Some of the time a form won't work in the design or user interface. You just want a tiny little link. So, if you want to use a link for an action like deleting a user or deleting content that is really destructive then you should use a confirmation form. It makes sure the user wants to take the action and acts as a small confirmation.</p> <p><em>Side note: usability people say we should not do confirmation forms and that is right, but their concern is flow and their solution is to simply "archive" in an easy to undo way. Our point is to get a form token in there.</em></p> <p>So, how do you do a confirmation form? Well the User Protect module did <a href="http://drupalcode.org/viewvc/drupal/contributions/modules/userprotect/userprotect.module?r1=1.52&amp;r2=1.53">just that</a> a little while ago. You can study that patch to learn it.</p> <h3>Protecting actions in Drupal by leveraging tokens directly</h3> <p>So, what if the action being taken isn't as extreme as deletion? In that case you can use an alternate trick that directly leverages Drupal's token generation more directly. A great example of this comes from the <a href="http://drupal.org/project/security_review">Security Review</a> module.</p> <p>The token is added to links in the security_review_reviewed function:</p> <p><code><br /> $token = drupal_get_token($check['reviewcheck']);<br /> $link_options = array(<br /> 'query' =&gt; array('token' =&gt; $token),<br /> 'attributes' =&gt; array('class' =&gt; 'sec-rev-dyn'),<br /> );<br /> </code></p> <p>That token is then checked in security_review_toggle_check:</p> <p><code><br /> if (!drupal_valid_token($_GET['token'], $check_name)) {<br /> return drupal_access_denied();<br /> }<br /> </code></p> <p>There are a variety of ways to actually insert the token into the link and write the Ajax code to submit the request and then validate requests. This just shows the basic idea: you add a token into the page that will be returned with the request for the action and then validate it before performing the action.</p> <p>For an example of this being added to a module on Drupal.org you can see the <a href="http://drupalcode.org/viewvc/drupal/contributions/modules/plus1/plus1.module?r1=1.1.4.7&amp;r2=1.1.4.8">patch to fix Plus 1</a> from 2008.</p> <p>One special note: many people feel that it's semantically inappropriate for a site to take actions in response to links (which initiate an HTTP GET request as opposed to a POST request which is commonly used in forms and which are defined in the HTTP spec as being associated with changing data on the server). There are also potential problems with using links such as http accelerators that pre-fetch all the links on a page. You can mitigate the pre-fetchers by adding a rel="nofollow" attribute to the link, but really the pre-fetchers are relatively uncommon these days so hopefully you don't have to deal with them.</p> <h3>Summary on Cross Site Request Forgeries &amp; Drupal</h3> <p>Protecting against CSRF in Drupal is not particularly hard to do, but to date there have not been any easy recipes on how to handle it. Hopefully this resource will enable people to write their code properly the first time and fix any vulnerabilities you may find in existing code.</p> http://crackingdrupal.com/blog/greggles/protecting-your-drupal-module-against-cross-site-request-forgeries#comments cross site request forgery csrf Planet Drupal Fri, 11 Dec 2009 04:49:12 +0000 greggles 48 at http://crackingdrupal.com The Importance of User Roles and Permissions for Site Security http://crackingdrupal.com/blog/ben-jeavons/importance-user-roles-and-permissions-site-security <h3>Rethink your roles</h3> <p>When discussing site security we often use words like "attacker", "malicious user" or "untrusted" to define site visitors who may be intent on abusing resources, stealing, or altering data. Within Drupal, visitors can achieve these goals using the permissions granted to their roles. This is the key component. We have to think of visitors in terms of what roles they have and what permissions we've granted those roles. Then instead of just thinking about trusted vs. untrusted users, we are thinking about trusted vs. untrusted roles.</p> <p>On your site, which roles are trusted and which are untrusted? What permissions have you given to those roles? What permissions have you granted to the Anonymous role and thus to anonymous visitors? As you build and add features to your site you are also widening the available points for attack. If you have allowed users to create accounts without administrator approval you should also consider what permissions you've granted the Authenticated role. Can authenticated users create content or post comments without approval?</p> <h3>Know the defaults</h3> <p>Community contributed modules as a whole are more insecure than Drupal core so it's especially important to be cautious about administrator permissions created by contributed modules. Role management can be burdensome so there are modules that grant roles to users upon account creation. Know the defaults, because <a href="http://crackingdrupal.com/blog/greggles/what-kinds-security-problems-exist-drupal">most Security Advisories for contributed modules are because of cross-site scripting vulnerabilities</a> and often exist on module administration screens where user-supplied data is not properly filtered. Whenever possible, utilize the principle of least privilege and give roles only the permissions they absolutely need. Grant those roles appropriately based on trust and what features need to be exposed for use.</p> <h3>"Super-permissions"</h3> <p>A few Drupal permissions should never be added to untrusted roles, as they allow or open up full control of your site. These permissions are:</p> <ul> <li>Administer filters</li> <li>Administer users</li> <li>Administer permissions</li> <li>Administer content types</li> <li>Administer site configuration</li> </ul> <p>To help keep your site secure, rethink which roles are trusted and untrusted, then evaluate what roles are granted to which users.</p> http://crackingdrupal.com/blog/ben-jeavons/importance-user-roles-and-permissions-site-security#comments Drupal Permissions Planet Drupal Roles Tue, 10 Nov 2009 19:18:49 +0000 Ben Jeavons 37 at http://crackingdrupal.com Drupal Security webinar with Acquia roundup http://crackingdrupal.com/blog/greggles/drupal-security-webinar-acquia-roundup <p>This past Thursday several hundred folks joined me for a webinar about security in Drupal as part of the <a href="http://acquia.com/community/resources/webinars/">Acquia webinar</a> series.</p> <p>You can now download the <a href="http://crackingdrupal.com/sites/crackingdrupal.com/files/Acquia_Cracking_Drupal_Webinar.pdf">Security in Drupal introduction slides</a> which include the speaker's notes and watch the screencast itself:</p> <p><embed src="http://blip.tv/play/AYGmjEkC" type="application/x-shockwave-flash" width="480" height="330" allowscriptaccess="always" allowfullscreen="true"></embed></p> <p>I also wanted to answer some questions that were posed in Twitter and in the GoToWebinar chat room. I didn't get to answer all of them in the presentation, so, I'm going to try to answer them all here.</p> <h3>Would you consider something as common as RSS publishing as a potential method for people to steal content?</h3> <p>Not in general. Sure, it makes it easier to copy your content but a determined scraper will always get your data. Now, an rss feed can be an access bypass vulnerability if it doesn't respect Drupal core's node access mechanisms, I have seen that.</p> <h3>What do you tell a client who doesn't want to pay you for your time to perform security updates?</h3> <p>We try to insist on it at the contract stage that as long as they are a development or maintenance client we will do site security upgrades ASAP.</p> <h3>Lots of good information in this presentation. Will you share slides? The zero day attack slide could be really useful.</h3> <p>Yes. The <a href="http://crackingdrupal.com/sites/crackingdrupal.com/files/Acquia_Cracking_Drupal_Webinar.pdf">slides</a> are attached.</p> <h3>It seems like Wysiwyg editors open a lot of vulnerabilties. Are there any modules you feel are more or less vulnerable</h3> <p>WYSIWYG editors don't open the vulnerabilities - bad configuration of input formats does. It's true that many sites will install a WYSIWYG and open up their input formats inappropriately and that's the real problem.</p> <h3>Can you talk a little bit about how his firm performs a site security audit? How long does it take and what is the cost range?</h3> <p>We have some details on our <a href="http://growingventuresolutions.com/services/security-review-service-drupal-sites">security review service</a>. As far as pricing, we'd love to hear your feedback on what kind of price seems good. Please <a href="http://growingventuresolutions.com/contact">contact us</a> to let us know what you think.</p> <h3>In a preprocess function setting up our variables for our designer, do we need to sanitize content in $vars before passing to tpl?</h3> <p>This isn't a simple yes/no kind of question. The answer depends on a lot of factors. While it's not a complete answer either, the <a href="http://crackingdrupal.com/blog/greggles/drupal-text-filtering-decision-cheat-sheet">Text filtering cheat sheet for Drupal</a> is intended to make it easier for an educated developer to decide which function to use.</p> <h3>Forms input filtering is not recommended - that is the problem with Webform Report - why is maintainer unable to fix it?</h3> <p>This has more to do with them having the time/motivation/understanding and nothing to do with how technically feasible it is to fix the problem. It's actually another new service that we're offering is that we will take a module which has been abandoned for security reasons and fix it. If you'd be interested in sponsoring the work to fix that or any other module please let us know.</p> <h3>Can a lot of this security be built into a theme?? Will any of this be corrected in Drupal 7?</h3> <p>The theme layer is not an appropriate place for security protection. Themes can be switched quite easily, by admins and sometimes by end users, so if you put the protection in the theme then it's easy to mistakenly create a vulnerability.</p> <p>Security related code belongs at the module or core layer. Now, Drupal 7 does have a much better rendering system (<a href="http://paris2009.drupalcon.org/session/explore-glory-drupal-7s-improved-render-and-theming-systems">great presentation on render</a> by <a href="http://www.cyrve.com/">Moshe Weitzman</a>) which will hopefully make it easier for themers to not have to think text filtering.</p> <h3>I've read your book (good job, by the way) but it's not for beginners. Are you planning an seochecklist sort of module for security auditing drupal?</h3> <p>Well, I have to disagree ;) I think many parts of it are for beginners. But yes, as part of our security offering we do plan to create many new tools and enhancements to core that will be helpful to site builders.</p> <h3>What are some bad practices for theamers? Are there things that themers can do to make the site more secure?</h3> <p>This is not easy to answer. It's basically the fundamental question that the book answers. However, we do plan another webinar for the spring so perhaps that can be the focus.</p> <h3>Is that a FireFox addon that allows you to change your user agent? What is it called?</h3> <p>Yes, I use the <a href="https://addons.mozilla.org/en-US/firefox/addon/59">User Agent Switcher</a> by <a href="http://chrispederick.com/">Chris Pederick</a>.</p> <h3>Can t() be considered a substitute for check_plain()?</h3> <p>Yes, if you use the @ or % placeholders then t will automatically include check_plain style filtering as the text is substitutde.</p> <h3>How much scrubbing is necessary for FormAPI based forms? Do you risk XSS type attacks without checkplain, for example?</h3> <p>First, all forms should be Form API based (unless they post to an external site, which is very rare). Second, yes, if you use user modifiable text for labels or titles then you will need to do filtering. The exact nature of the filtering depends on a lot of factors</p> <h3>How can we do SSL or HTTPS with Drupal</h3> <p>I just blogged about this recently: <a href="http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions">Recipes for SSL / HTTPS in Drupal</a>.</p> <p>That's it!</p> http://crackingdrupal.com/blog/greggles/drupal-security-webinar-acquia-roundup#comments https Planet Drupal security ssl Mon, 12 Oct 2009 18:01:12 +0000 greggles 35 at http://crackingdrupal.com Talking about security in Drupal http://crackingdrupal.com/blog/greggles/talking-about-security-drupal <p>This coming fall we'll be talking about security in Drupal so much I can barely believe it.</p> <h3>Acquia Webinar - October 8th online</h3> <p>First up is an Acquia Webinar, which will be a review of security in general and then we'll show two common mistakes that cause the majority of the problems in Drupal sites and modules. The talk will discuss the topic area broadly covering the perspectives of business users, technical users, and developers.</p> <p>Note, you must <a href="http://acquia.com/community/resources/webinars/cracking-drupal-proven-strategies-uncovering-security-threats-and-prote">register for the webinar</a> before it happens.</p> <h3>BADCamp - October 17th and 18th near San Francisco</h3> <p><a href="http://growingventuresolutions.com/about/team/ben-jeavons">Ben Jeavons</a>, a recent addition to the Growing Venture Solutions team, will be speaking on our behalf at the <a href="http://badcamp.net/">Bay Area Drupal Camp</a> out in California. He will be giving a talk aimed at beginners and site admins called <a href="http://badcamp.net/session/drupal-security-site-administrators-and-beginners">Drupal Security for site administrators and beginners</a></p> <h3>AppSec - November 12th and 13th in Washington DC</h3> <p>Ben and I will both be headed out to AppSec - the Application Security conference hosted by <a href="http://www.owasp.org/">OWASP - the Open Web Application Security Project</a>. We'll be there mostly to learn and share ideas, not give any presentations per se. But I do think that Drupal's security tools and philosophies could one day form the basis of a presentation at OWASP conferences. We particularly look forward to learning from other folks about security team process - the Drupal security team is always looking to follow best practices and improve upon them.</p> <h3>Do it with Drupal - December 9th, 10th, 11th in New Orleans</h3> <p>I'll be headed down to New Orleans for this year's <a href="http://www.doitwithdrupal.com">Do It With Drupal</a> conference. The feedback from last year's event was quite positive and I'm sure that it will be a great event again this year. My talk at DIWD will probably be a mix of sysadmin and developer and general security education - I've got over an hour to play with, so I'm looking forward to it.</p> <h3>Free copies of Cracking Drupal ;)</h3> <p>Yes, that's right, at all of these events we will be giving out free copies of Cracking Drupal to a few lucky audience members. So please come on by and say hello, ask great questions and you may be a lucky winner as well.</p> <h3>Security Review for your Drupal Site</h3> <p>These presentations are nothing new for Ben and I. I've been giving them since Drupalcon DC and Ben since Drupalcamp Colorado. Historically we've given them with the goal of educating the public and hoping to reduce the work the Drupal security team has to do. Educated developers make for secure developers.</p> <p>What is new is our <a href="http://growingventuresolutions.com/services/security-review-service-drupal-sites">security review service</a>. More details about that after the Acquia webinar, but if you're interested in having a site or module reviewed for its security please <a href="http://growingventuresolutions.com/contact">contact us</a>.</p> http://crackingdrupal.com/blog/greggles/talking-about-security-drupal#comments Planet Drupal Wed, 30 Sep 2009 23:55:32 +0000 greggles 31 at http://crackingdrupal.com Easier and Safer Drupal Development with Virtualbox / Virtualization http://crackingdrupal.com/blog/greggles/easier-and-safer-drupal-development-virtualbox-virtualization <p>As a developer there is often a point in your career where you take a look at the number of client databases installed on your hard drive and start thinking "boy, I hope that data never falls into the wrong hands." And, if you're like most web developers and use a laptop, the chances of having a laptop lost or stolen are surprisingly high. It happens to <a href="http://webchick.net/node/1">the best of us</a>.</p> <p>Further, chances are quite good that you are using Windows or Mac for your working environment but want to run your sites in a Linux environment just like you have on your servers.</p> <p>How about this: <strong>create a Linux server that runs inside of a virtual environment and then put the disk image for that virtual server into an encrypted drive image. Perfect!</strong> This tutorial assumes you use Mac OSX - but the same principles could be applied to any operating system. This setup is meant to be reasonably safe against typical thieves, but doesn't protect the data completely.</p> <h3>Virtualbox Virtualization to the Rescue</h3> <p>Of course I'm mostly an open source fan so I'll try the Open Source virtualization option first. And...<a href="http://www.virtualbox.org/">Virtualbox</a> works quite well.</p> <p>First create some space for your disk image. I fired up the Mac Disk Utility, selected compressed and 128 bit encryption like so:</p> <p><a href="<br /> http://crackingdrupal.com/sites/crackingdrupal.com/files/make_the_disk-1.jpg"><img src="http://crackingdrupal.com/sites/crackingdrupal.com/files/make_the_disk_small.jpg" /></a></p> <p>Give yourself enough disk space - at least 5-10GB depending on what you'll do with the server. Creating a "sparse" image just means that it will create the image at a relatively small size and then increase the size as necessary. It's a performance trade-off to save disk space which is worth it for development.</p> <p>The decision to use 128 or 256bit encryption is up to you and how sensitive your data really is. I'd rather get slightly better performance than have super-duper encryption.</p> <p>Next, install Virtual box and follow their documentation to setup a Linux environment, like <a href="http://www.ubuntu.com/">Ubuntu</a>. I chose the 9.04 Desktop version of Ubuntu so that I can use some of the Linux GUI tools directly (that's especially handy to show how Ubuntu works to someone who is interested in it). Virtualbox 3.0 just came out with lots of improvements like faster Disk I/O. In my testing so far, it's good enough.</p> <p>Once you've got Virtualbox open, click the "New" button where you'll get a wizard. Answer the questions depending on your preferences, the only important step is the "Virtual Disk Location and Size" where you should be sure to put your disk image inside the encrypted disk (which you may have to mount by double clicking on it).</p> <p>I chose to use a "Bridged" adapter for the network where the <em>guest</em> operating system (Linux in my case) latches onto whatever network device my <em>host</em> is using and grabs an extra IP address from the DHCP server. This has the benefit of allowing other people in the office to quickly and easily connect to your Linux Virtualbox server directly using an IP address.</p> <p>I spent a bunch of time messing with shared folders and couldn't get it to work. My solution now is simple: sshfs via <a href="http://code.google.com/p/macfuse/">macfuse</a>.<br /> 1. Install <a href="http://code.google.com/p/macfuse/">macfuse</a>.<br /> 2. Create a directory to use as the mount point like <code>mkdir ~/shared_directory</code><br /> 3. Find the IP of your virtualbox and run the command <code>sshfs username@10.0.1.6:/ ~/shared_directory</code></p> <p>That's it - you've now got the entire root filesystem of your Linux virtualbox mounted at /Users/greg/shared_directory. From the Host maching you can now navigate this directory using Finder, use shell commands from the Mac terminal or edit files using Mac based editing software (in my case the big one is Eclipse). If you change networks and get a new IP address your mount will stop working and you'll need to create it again. I've gotten pretty quick at re-establishing the mount point.</p> <p>If you have extra RAM and want to run the Linux system with a GUI, go for it. I did this at first but found I was running out of RAM. So, I used a command to remove the destkop manager from my startup scripts and now the box hums along nicely at 256MB of RAM.</p> <p><code><br /> sudo update-rc.d -f gdm remove<br /> </code></p> <p>If I ever want to add Gnome's desktop manager back, it's a simple command:</p> <p><code><br /> sudo update-rc.d -f gdm defaults<br /> </code></p> <h3>Virtualbox and Ubuntu Resources</h3> <ul> <li><a href="http://groups.drupal.org/node/6266">How to setup an Ubuntu lamp server</a> from the <a href="http://groups.drupal.org/drubuntu">Drupal on Ubuntu</a> group.</li> <li><a href="http://www.psychocats.net/ubuntu/virtualbox">Installing Ubuntu inside Virtualbox</a> (it's for Windows, but the idea is virtually the same).</li> <li><a href="http://www.virtualbox.org/wiki/User_HOWTOS">Virtualbox HOWTOs</a> from the Virtualbox site itself. Very helpful.</li> <li><a href="http://forums.virtualbox.org/">Virtualbox Forums</a> - I ended up here as a result of searches, but the forums seem pretty active and helpful.</li> </ul> <h3>Data Privacy Considerations with Drupal in Encrypted Virtualbox</h3> <p>So, is this really safer? Consider a typical Drupal development environment: someone who gets physical control of your machine and can login as you will be able to read your settings.php files which contain credentials to get all the information out of the database. So, the first steps are:<br /> 1. Use a username/password to login to your operating system rather than having it automatically log in.<br /> 2. Set your system to "lock" itself and require the credentials if it is unattended for more than a few minutes or is hibernated.<br /> 3. Use a <a href="http://support.apple.com/kb/HT1352">firmware level password</a><br /> 4. Use decent passwords ;)</p> <p>Someone might be able to override this information using the <a href="http://support.apple.com/kb/HT1274">password reset</a> "feature" of the operating system. Ok.</p> <p>That's where the virtual disk image and encrypting the disk image comes in. If someone reboots the machine to reset the password then the drive will no longer be mounted. Mounting it requires the drive's password which only you know. Yay.</p> <p>There are probably some areas where this system is vulnerable to an attack. My goal is not to completely prevent a talented attacker from getting my data (it's unlikely that a talented attacker would happen to steal specifically my machine...). My goal is to protect the data if a casual thief steals it. A casual thief presented with this scenario is likely to replace the hard drive and toss out the old one, in which case the data would be lost but not exposed.</p> <h3>Update: Automatically Mount the SSHFS Drives</h3> <p>I've attached a little <a href="http://crackingdrupal.com/sites/crackingdrupal.com/files/mounter.txt">script</a> that automatically mounts the external drives.</p> <table id="attachments" class="sticky-enabled"> <thead><tr><th>Attachment</th><th>Size</th> </tr></thead> <tbody> <tr class="odd"><td><a href="http://crackingdrupal.com/sites/crackingdrupal.com/files/mounter.txt">mounter.txt</a></td><td>684 bytes</td> </tr> </tbody> </table> http://crackingdrupal.com/blog/greggles/easier-and-safer-drupal-development-virtualbox-virtualization#comments Planet Drupal Ubuntu Virtualbox Virtualization Tue, 25 Aug 2009 12:39:51 +0000 greggles 24 at http://crackingdrupal.com Drupal and SSL - Multiple Recipes to Possible Solutions for HTTPS http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https <p>As <a href="http://drupal.org/user/58600">Matt Cheney</a> likes to say "Much like Scrabble, the <em>S</em> is an important letter on the internet." If you really care about the data you are sending across the internet you want to make sure you are using SFTP instead of FTP, SSH instead of Telnet, and HTTPS instead of HTTP. So, within a Drupal site how can you use HTTPS to secure the data sent to and from your site and prevent sessions from being hijacked?</p> <p>There are four basic solutions, though each has its benefits and drawbacks. I'll try to describe each one and give some guidance on the problems. They are covered from what seem to be the most common to the most secure. Note that the third technique is somewhat novel.</p> <p><em>Note: All of these assume that you have configured your webserver to use SSL which is well documented elsewhere - I don't think that's useful to try to cover here.</em></p> <h3>Use the Securepages Module to Encrypt Login and Admin Pages</h3> <p>The <a href="http://drupal.org/project/securepages">Secure Pages</a> module is a relatively old module and quite popular. It's goal is to only make certain pages of the site use HTTPS by using two lists of urls which should either by HTTPS or not. The benefit of this module is that you can use regular old HTTP for most of the site and only encrypt the traffic where you really need it. By default it will encrypt traffic for adding content, editing content, anything related to users, and for the admin area.</p> <p>SSL processing is taxing on a server. Using SSL on just the most important pages helps make sure that the data sent back and forth on those pages is encrypted. However, the session cookie is still unencrypted so a user who authenticates over HTTPS and then visits a non secure page sends their sesssion identifier in the clear which allows for an attacker to steal their session and login to the site which gives them the access to the very data that was supposed to be protected. This is largely "security theater" but it sure makes people feel good.</p> <p><strong>Pro:</strong> Reduces load on server compared to a full SSL solution while encrypting important data transmission.<br /> <strong>Con:</strong> Doesn't protect against session hijacking so data can still be compromised.</p> <h3>Using Securepages and Securepages Prevent Hijack</h3> <p>Noticing this weakness, the user grendzy created the <a href="http://drupal.org/project/securepages_prevent_hijack">Secure Pages Hijack Prevention</a>. This module creates and sends along a second cookie that is marked as "secure" so that the browser will only send it over HTTPS. The module then tracks access to the site and logs out any user who attemps to visit an "important" page without sending along that second cookie.</p> <p><strong>Pro:</strong> Still reduced load on server with reduced damage from hijacking.<br /> <strong>Con:</strong> Session hijack still possible, but limited in what damage can be done and data is still sent in the clear sometimes (may be an acceptable risk).</p> <h3>Use HTTPS for a session after login</h3> <p>This is a solution that one of my clients created to provide HTTPS pages for all logged in users, and keep all anonymous users on HTTP, but could be extended for other rules as well.</p> <p>The major piece of the idea is in settings.php:</p> <p><code><br /> if (!empty($_SERVER['HTTPS'])) {<br /> &nbsp;&nbsp;ini_set('session.cookie_secure', 1);<br /> &nbsp;&nbsp;$base_url = 'https://example.com';<br /> }<br /> else {<br /> &nbsp;&nbsp;$base_url = 'http://example.com';<br /> }<br /> </code></p> <p>This little bit of code says "if the user is requesting a secure page, make sure that their cookie is marked as secure and that the base_url variable (used in many parts of Drupal) includes https - otherwise, use the regular http values." The use of the secure cookie flag prevents hijacking but does have one drawback: If the user has a bookmark for the homepage that is not https then their cookie won't be sent along to the site and they will appear to be logged out.</p> <p>Combine that with a redirect from the regular "user/" pages to the https version and you should be all set.</p> <p><strong>Pro:</strong> Still simple, more complete than a "per path" SSL system, limited possibility to hijack a session.<br /> <strong>Con:</strong> Potentially confusing to users under certain conditions.</p> <h3>Just Make All Drupal Pages SSL</h3> <p>This is the most secure solution, but also the most resource intensive on the server. If you just make all traffic to the site over HTTPS then it will all be encrypted - problem solved!</p> <p>You can use Apache's mod_rewrite to achieve this:</p> <p><code><br /> RewriteCond %{SERVER_PORT} 80<br /> RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]</code></p> <p>php_value session.cookie_secure 1<br /> </p> <p><strong>Pro:</strong> Complete solution. Simple - no extra modules required.<br /> <strong>Con:</strong> May require more expensive servers, or additional servers.</p> <h3>Which Secure Page Solution Is the Best?</h3> <p>The best solution depends on your specific site, end-users, and privacy needs. Many sites don't need to worry about HTTPS at all. Some want to keep performance up as much as possible and only care about the security of the data en-route, but aren't concerned about session-hijacking (e-commerce where the credit card is not stored). As is often the case, you must balance multiple facets when considering the right solution for your site.</p> <p>Got any other solutions? See any other pros or cons with the ideas presented here? Please let me know.</p> http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https#comments https Planet Drupal security theater ssl Mon, 03 Aug 2009 22:35:02 +0000 greggles 25 at http://crackingdrupal.com