 |
| Cracking Drupal: A Drop In The Bucket |
About the Author
Greg James Knaddison is a dedicated Drupalista. For nearly four years
he has volunteered with the project in a variety of capacities. From
his involvement with the drupal.org site teams—documentation, site
maintainers, infrastructure, groups.drupal.org maintainers, project maintainers,
security team—to his work on several contributed modules, to
his mentorship in Google Summer of Code, to founding and organizing
the Drupal Denver/Boulder User Group, to the development news site
DrupalDashboard.com, to his role as a Community Ambassador of the
Drupal Association, Greg is involved with Drupal in almost every way he
can be. And he has a job working with Drupal sites all day. Often those
sites are related to publishing—either print media publishers or purely
digital sites. When not working with Drupal, Greg likes to go mountain
biking with his life partner and read fine publications like The Economist.
You can get all the code for this book as well as all the latest updates by
visiting his site, http://crackingdrupal.com.
Acknowledgments
The Drupal project leader Dries Buytaert deserves my utmost thanks—not
just for his work on the project but for his amazingly caring and humble
nature, which made me feel like a valued member of the community from
my first handbook edit. K´aroly N´egyesi (chx), was technical editor for this
book, keeping all my examples solid, and he has been an amazing mentor
to me in general. Numerous individuals provided ideas and feedback as I
wrote this book: Heine Deelstra, Khalid Baheyeldin, Brad Bowman, Crell
Garfield, Dario Battista Ghilardi, Ezra Barnett Gildesgame, Steve Harley,
Emma Hogbin, Mike Hostetler, Ben Jeavons, Gerhard Killesreiter, Earl
Miles, Joon Park, Stella Power, Derek Wright, and Peter Wolanin stand
out, among many others.
Jim Carpenter, the best professor I’ve had, taught me to have fun with
computers and business. Laura Ordway taught me to be a curious and
independent person and to enjoy my environment. More personally, my
friends, parents, and extended family members have provided invaluable
encouragement throughout the process of the book.
I’m indebted to you all, and only some of you will be satisfied with a
signed copy of the book. To the rest . . . can I buy you a beer?
Introduction
I hope you’ve purchased this book before having a security problem rather
than after. As I relate in Chapter 1, being the target of an attack is not a
fun situation. Especially online, attacks can be painful: The stakes are often
surprisingly high. Attackers can ruin images and text that took months to
create, blemish your reputation as a reliable site, and steal users’ private
information; the result of nearly all of these problems is ultimately the loss of money.
You got into Drupal because it helps save time andmoney: It’s a powerful
tool available for free that anyone can use to build great sites (although,
of course, there is the chance that you got into Drupal because your boss
told you to!). Does the danger of an attack mean that using Drupal will be
worse than using a homegrown solution? Fortunately, the answer is no.
By default, Drupal provides great security protection and has an API that
makes it easier for developers to avoid and eliminate security problems.
Who Should Read This Book?
This book was written with three major audiences in mind: Drupal site
admins, professional developers/themers, and IT sysadmins/security generalists.
Hopefully you identify with one of these three groups.
Drupal Site Admin
Perhaps the biggest group of people who will benefit from reading this
book is Drupal site admins. These are people who have a site or a few sites
than after. As I relate in Chapter 1, being the target of an attack is not a
fun situation. Especially online, attacks can be painful: The stakes are often
surprisingly high. Attackers can ruin images and text that took months to
create, blemish your reputation as a reliable site, and steal users’ private
information; the result of nearly all of these problems is ultimately the loss of money.
You got into Drupal because it helps save time andmoney: It’s a powerful
tool available for free that anyone can use to build great sites (although,
of course, there is the chance that you got into Drupal because your boss
told you to!). Does the danger of an attack mean that using Drupal will be
worse than using a homegrown solution? Fortunately, the answer is no.
By default, Drupal provides great security protection and has an API that
makes it easier for developers to avoid and eliminate security problems.
Who Should Read This Book?
This book was written with three major audiences in mind: Drupal site
admins, professional developers/themers, and IT sysadmins/security generalists.
Hopefully you identify with one of these three groups.
Drupal Site Admin
Perhaps the biggest group of people who will benefit from reading this
book is Drupal site admins. These are people who have a site or a few sites
that they maintain. They may know how to do a little bit of HTML, CSS,
and/or PHP but are really more comfortable using Drupal’s administrative
interface than writing code. Does that sound like you? If so, you need this
book because it will help you understand web application security and
help you know which Drupal modules you could use to protect your site.
Also, you’ll learn enough about safe coding to be able to read a module or
theme and see where the mistakes are.
This book covers some advanced programming topics, which means
you’ve got a great book in your hands: In addition to learning security,
you’ll get a free introduction to the Drupal API. If you need help getting
a Drupal site installed, see Appendix B, which includes a complete guide,
from installation to building a multilingual site. From another perspective,
some of the examples may feel a bit beyond your skill level. If you ever feel
that way, you can, of course, try rereading the example, but you can also
reach out to the community for more advice. The book provides several
lists of resources showing where you can get more help.
Professional Developer or Themer?
Drupal’s community is famous for being a group of hardcore techies, so
certainly a large number of people reading this book will be developers
and themers who write the code that runs the site. Maybe you maintain
several projects on drupal.org as well. This book will help you to recognize
security issues and use the Drupal API properly to protect your code
against those issues. You’ll also learn about the best modules you can use
to protect your websites or, more likely, your customer’s websites.
This book should be right at your level. Some of the examples may cover
things you already know, but there’s a good chance that the explanations
will enhance your knowledge of the subject. Of course, there is the slightest
chance that some of the topics will be too advanced for you. Again, please
refer to the online resources (Appendix C) to get additional help.
IT, Sysadmin, Security Expert
It’s possible that you’re one of the many people whose ‘‘normal job’’ has
nothing to do with Drupal but everything to do with providing technical
support for the business needs of an organization. Maybe you’re typically
a system administrator, a member of a company’s security team, or part
of the IT support staff. I imagine you got this book because you’ve been
told you need to roll out a Drupal site, and you want to understand the
implications for the overall security of your organization.
Much like the Drupal site admin user, this book will give you a free
introduction to Drupal, complete with how to install a site and some
glimpses of how to write code for Drupal. If you have no experience with
PHP, then you may struggle some with the examples. However, PHP
is meant to be easy to learn and is very similar to other programming
languages you may know.
Who Am I? Why Did I Write This Book?
I started using Drupal in the summer of 2005. Mycommunity needed a new
website to share information about our meetings, and I wanted to make
it a site where everyone could add information. A year and a half later,
I was enmeshed in the community wherever I could be. I was addicted
to helping make the Drupal software better, and I enjoyed learning about
new technologies and issues related to web development. After posting
a security-related item on my blog and stepping in to help out with a
vulnerability in the Pathauto module, I was invited to join the security team.
At first, my role on the team was largely related to administrative
tasks: helping track issues reported to the team, coordinating efforts by
contributed module maintainers, and confirming bugs reported to the team
or patches that would potentially be used to fix bugs. Over time I learned
to recognize security weaknesses in Drupal modules and found a few weaknesses.
In 2007 at Drupalcon Barcelona, the security team was feeling particularly
overwhelmed. We decided that we could not simply be reactive and fix
bugs as they were reported. There were simply too many bug reports
coming in for us to sustainably handle the problems. So we set about on
two proactive courses:
To improve the API so that it more consistently protects users by default
To educate our community on how to write secure code so that the
modules available on drupal.org would be more likely to be safe from the beginning
Iworked primarily on updating and writing documentation and spreading
knowledge about security at conferences and meetings.
In 2008, I was approached by Wiley to write this book and of course
leapt at the opportunity. While the documentation on drupal.org is of
high quality, a single person assisted by multiple editors in assembling a
comprehensive, coherent book can produce a better outcome (being paid
to do that work helps, too!).
What This Book Covers
By reading this book, you will learn about the most important security
issues facing a Drupal 6 website. This field doesn’t drastically differ much
from one version of Drupal to the next, and I’ve taken time to provide extra
detail around some of the changes that came from Drupal 5 and are likely
to be included in Drupal 7 (Drupal 7 is about halfway down the path to
being released as the book goes to print).
In particular, the book discusses how to avoid the most common vulnerabilities
in Drupal. The specific classes of vulnerabilities are based on
the most common problems reported in announcements from the Drupal
security team and my personal experience with code and configuration
issues witnessed over nearly four years of involvement with the project.
Parts of the Book
This book is designed to be read from cover to cover. If you are already
a web application security professional and simply need to know how to
protect Drupal, then you can skim the first chapters of the book.
Part I: Anatomy of Vulnerabilities
Part I shows you the most common vulnerabilities that you will face. In
order to protect against attacks, you first have to understand how the attack
is carried out and what impact it can have. You also learn a few items that
are explicitly not covered by this book. Part of security is knowing what
you don’t know.
Part II: Protecting against Vulnerabilities
In Part II you learn the various methods to protect your site from these
common vulnerabilities. Starting with your site configuration, you see how
a single small, bad choice by an administrator can make a site totally
vulnerable. Next you will review some of the Drupal APIs for permissions,
output filtering, and content access. The section finishes with some best
practices in server access and maintenance. Drupal is only as safe as the
underlying server.
Part III: Weaknesses in the Wild
Part III reviews weaknesses in their natural state: the wilds of the Internet.
You start by reviewing some methods for finding vulnerabilities and
figuring out how to exploit a vulnerability. Then you head straight to the
bug-reporting and -fixing process so you can help make Drupal safer.
Part IV: Appendixes
This is bonus material that includes a function reference and a glossary
of terms. Also, author and Drupal expert Victor Kane provides you with
step-by-step instructions on installing Drupal 6 and using it to create a multilingual site.
What Is Needed for This Book
This book is written to be valuable if read in isolation, but you are likely
to learn more and understand the problems better if you have a few tools
at hand to explore along with the book. From most important to least
important, you should have these tools available:
Drupal version 6.x, though 5.x and 7.x may be more appropriate
depending on the version you use on your server.
The software stack to run Drupal, most commonly Apache, MySQL,
and PHP. See Appendix B for more details on installing these.
Since this book uses an example module that creates vulnerabilities
in your site, you should be set up to run Drupal on a system
that is separated from the Internet at large, such as a laptop or
server inside a private network and with its own firewall.
A text editor or integrated development environment (IDE) to
be able to view and edit code files. If you need a basic editor,
jEdit is a nice choice, while Eclipse PDT provides a good IDE. See
http://www.jedit.org and http://www.eclipse.org/pdt for downloads.
Command-line applications like ls, grep, and cvs. These are
often included by default on Linux and Mac OS X and are also
available via tools like Cygwin http://www.cygwin.com.
Some chapters may require additional software—Chapter 8 in particular
uses the separate Grendel-Scan, which relies on Java 1.6+—but it is less
important than these fundamental pieces of software.
Table of Contents
Introduction xiv
Part I Anatomy of Vulnerabilities 1
Chapter 1 That Horrible Sinking Feeling 3
Avoiding That Sinking Feeling 4
It’s Up to You 4
What Is Web Application Security? 5
Security Is a Balance 5
CommonWays Drupal Gets Cracked 5
Authentication, Authorization, and Sessions 6
Command Execution: SQL Injection and Friends 12
Cross-Site Scripting 16
Cross-Site Request Forgery 17
The Big Scary World 19
The Most Common Vulnerabilities 19
Summary 20
Chapter 2 Security Principles and Vulnerabilities outside Drupal 21
Server and Network Vulnerabilities 22
Weaknesses across the Stack 22
Denial of Service—Generic and Specific 23
Defense in Depth 23
Web Server File System Permissions 24
Least Privilege—Minimum Permissions for the Task 25
Least Privilege for Database Accounts 25
Social and Physical Vulnerabilities 26
The Vendor Password Please? 26
This Is IT; Can I Help? 27
Let’s Get Physical 28
Sanitizing a Typical Drupal Database 28
Summary 29
Part II Protecting against Vulnerabilities 31
Chapter 3 Protecting Your Site with Configuration 33
Stay Current with Code Updates 33
Staying Informed about Code Updates 34
Updating Your Site’s Code 36
Know Your Attack Surface 38
Best Practices for Contributed Modules 38
Performing a Quick Security Scan 40
Using Extra Security Modules 40
Login and Session-Related Modules 41
Password-Related Modules 42
Visitor Analysis 44
Smart Configuration of Core 45
User Permissions 45
Input Formats and Filters 45
Summary 48
Chapter 4 Drupal’s User and Permissions System 49
Using the API 49
What Are Hooks, Form Handlers, and Overrides? 51
Defining Permissions: hook_perm 52
Checking Permission: user_access and Friends 53
Menu Callback Permissions 54
Input Format Access: filter_access 56
Common Mistakes with Users and Permissions 57
Insufficient or Incorrect Menu Access 57
Overloading a Permission 58
Access Definitely Denied 58
Acting as Another User—and Getting Stuck 59
Summary 61
Chapter 5 Dangerous Input, Cleaning Output 63
Database Sanitizing: db_query and Friends 63
Queries for Drupal 6.x and Earlier 64
Improper Use of db_query 65
Queries for Drupal 7.x and Newer 66
Translation and Sanitizing: t 67
Improper Use of t 68
Linking to Content: l and url 69
The Form API 70
Semantic Protection: Invalid Form Data 71
Form API: Sanitizing Options and Labels 73
Filtering Content: check_plain, check_markup,
filter_xss_admin 74
Escaping Everything: check_plain 75
Filtering HTML-Formatted Code: check_markup 77
Basic Filtering for Admins: filter_xss_admin 77
Summary 78
Chapter 6 Safety in the Theme 79
Quick Introduction to Theming in Drupal 79
Overridable Templates and Functions 80
Providing Variables for Templates 82
Common Mistakes 83
Printing Raw Node Data 83
Best Practice: Filter Data Prior to Using Templates 86
Summary 88
Chapter 7 The Drupal Access System 89
Respecting the Access System 90
Modifying Queries for Access: db_rewrite_sql 90
Testing Access for a Single Node: node_access 92
Case Study: Private Module 93
Node Access Storage Explained 93
Summary 97
Chapter 8 Automated Security Testing 99
Test Drupal with Drupal: Coder Module 100
More Testing Drupal with Drupal Security Scanner 102
Testing Drupal with Grendel-Scan 105
Summary 107
Part III Weaknesses in the Wild 109
Chapter 9 Finding, Exploiting, and Avoiding Vulnerabilities 111
Strategies to Crack Drupal 112
Searching Core and Contrib for Vulnerabilities 112
Using Grep to Search for Common Mistakes 112
Finding Sites Vulnerable to the Stock Weakness 115
Finding Vulnerabilities by Happenstance 116
Exploiting the Talk Module XSS Vulnerability 120
How to Report Vulnerabilities 123
Summary 124
Chapter 10 Un-Cracking Drupal 127
Step 1: Secure the Menu 128
Step 2: Secure the User Search 130
Step 3: Secure the Node List 131
Step 4: Disable Users Safely 133
Drupal Un-cracked 134
Part IV Appendixes 135
Appendix A Function Reference 137
Text-Filtering Functions 137
Link and URL Building Functions 139
Users and Permissions 142
Database Interaction 144
Appendix B Installing and Using Drupal 6 Fresh out of the Box 147
Step 1: Installing Drupal—Easier Than Ever Before 149
Downloading Drupal 150
Unzipping and Preparing Files for Upload 150
Uploading Files 150
Creating the Database and User for the Drupal
Installation 151
Running the Drupal Installation Wizard 151
Alternate Method: Managing Drupal with CVS 155
Updating Drupal Core and Running the Update
Script 156
Step 2: Designing and Building the Architecture 158
Application Scope and Domain 158
Creating Roles and Users 160
Installing and Enabling Modules 161
Making the Site Bilingual 162
Step 3: Creating the Business Objects 167
Step 4: Creating the Workflows 172
Implementing the RegistrationWorkflow 172
Implementing the Client’s Workflow 177
Implementing the Translator Team Leader’s
Workflow 184
Implementing the Translator’s Workflow 188
Installing the Vulnerable.module 195
Summary 196
Appendix C Leveraging Community Resources 197
Resources from the Drupal Security Team 197
General Security Resources 199
PHP.net 199
OWASP 199
Google Code University 200
Heine Deelstra 200
Groups.Drupal.org 201
Robert Hansen—rsnake 201
Bruce Schneier 201
CrackingDrupal.com 202
Summary 202
Glossary 203
Index 213
Screenshot
Purchase Now !
Just with Paypal
Just with Paypal
Product details
Price
|
|
|---|---|
Pages
| 242 p |
File Size
|
10,200 KB |
File Type
|
PDF format |
ISBN
| 978-0-470-42903-7 |
Copyright
| 2009 by Wiley Publishing, Inc |
●▬▬▬▬▬❂❂❂▬▬▬▬▬●
●▬▬❂❂▬▬●
●▬❂▬●
●❂●
═════● ●═════
