A Note on Drupal Security

Abstract Image

A question commonly raised by clients is one of Drupal maintenance, oftentimes along the lines of ...’why does maintenance need to be done?’ The question invariably has its root in lack of understanding as to what Drupal is in the context of the real issue of internet security.

The article below will hopefully clarify why keeping your Durpal installation up to date with core and contributed module updates is now mandatory.

Internet Security is a Real Concern

Internet security is a real concern. It is a reality that new flaws are being discovered and attack methods are constantly being refined. Internet security is an ever moving target.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. The OWASP mission is to make software security visible, so that individuals and organizations are able to make informed decisions.

OWASP monitors security concerns and publishes a top 10 list. The list represents the most common and important vulnerabilities. OWASP raises security aspects by identifying some of the most critical risks facing organizations. This Top 10 will continue to change. Even without changing a single line of application’s code, you may become vulnerable as new flaws are discovered and attack methods are refined.

It is important then that internet websites and applications maintain a strong security protocol that includes updating core and contributed modules.

Drupal - a Proven System

Drupal is a proven, secure CMP (content management platform) and application development framework that stands up to the most critical internet vulnerabilities.

“A dedicated security team, along with a large professional service provider ecosystem, and one of the largest developer communities in the world ensure rapid response to issues. Many security problems are prevented entirely by Drupal’s strong coding standards and rigorous community code review process.”

The Drupal security process:

  • validate and respond to security issues;
  • report issues confidentially;
  • coordinates with core and contributed module maintainers to prepare and release fixes;
  • fixes problems and publishes advisories that explain vulnerabilities and how to fix them.
Example of a security notice
-------- DESCRIPTION---------------------------------------------------------
There will be multiple releases of Drupal contributed modules
on Wednesday July 13th 2016 16:00 UTC that will fix
highly critical remote code execution vulnerabilities
(risk scores up to 22/25 [2]). The Drupal Security Team urges
you to reserve time for module updates at that time because
exploits are expected to be developed within hours/days.
Release announcements will appear at the standard
announcement locations. [3]

Website Security and your Hosting Porvider

Web hosting providers normally have strict security, anti-spam and usage policies. Normally a requirement exits to keep websites up to date with security releases so as to not compromise the network and other sites on the server.

In the managed dedicated server or shared hosting environments, servers are maintained by the provider’s team who periodically perform operating system (LINUX), web server (Apache) and services updates such as PHP (scripting language) and MySql (Database server). These are done at their discretion to keep the servers current and is beyond our control. These updates do not normally impact the website however do influence the process of keeping the Drupal technology compatible with the underlying technology.

OWASP Top 10

We will discuss briefly the OWASP top 10 and how Drupal deals with them.

1. Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Drupal: Drupal contains a robust object-oriented database API that makes it difficult for developers to unknowingly create injection holes by automatically sanitizing query parameters and enforcing an interface. Drupal’s file system interaction layer limits where files can be written and alters dangerous file extensions that the server could potentially execute.

2. Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

Drupal: User accounts and authentication are managed by Drupal core. Authentication cookies and a user’s name, ID, and password are managed on the server to prevent a user from easily escalating authorization. User passwords are salted and hashed using an algorithm based on the Portable PHP Password Hashing Framework and existing sessions are destroyed upon login and logout.

3. Cross Site Scripting - XSS

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Drupal: Drupal has a strong system for filtering user-generated content on display. Untrusted user’s content is filtered to remove dangerous elements by default. For developers, Drupal has at least eight API functions for filtering output to prevent XSS attacks. When identified, common developer errors that lead to XSS vulnerabilities are mitigated by building safer defaults. For example, a page title function in Drupal 6 is the source of many XSS holes due to a lack of proper escaping. In Drupal 7 this function escapes output by default.

4.  Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Drupal: Drupal often provides direct object reference, such as unique numeric identifiers of user accounts or content available in the URL or form fields. While these identifiers disclose direct system information, Drupal’s rich permissions and access control system prevent unauthorized requests. Methods for obfuscation are available through configuration and community-contributed code. Further, validation and protection against semantic forgery attacks is implemented in Drupal core via the Form API.

5. Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Drupal: Many critical risks, such as access to administrative site controls, text formats, and private information are restricted to a single admin account by default. Identified design inefficiencies that lead to misconfiguration are corrected often through usability testing and fixes are recommended for inclusion to core. Documentation of best practices for secure configuration and site building are provided for free on drupal.org and there are several contributed projects that conduct automated security review or implement further secure configurations.

6. Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Drupal: Account passwords are salted and repeatedly hashed based on the Portable PHP Password Hashing Framework. Available Drupal community-contributed code offer solutions to encrypt sensitive data at rest or in transit.

7. Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization

Drupal: Function level access in Drupal is protected by a powerful permission-based system which checks for proper authorization before the action is taken. For the case of URL access, access checking is tightly-integrated into the entire menu-rendering and routing system which means that visibility of navigation links and pages are protected by the same system that handles incoming requests.

8. Cross Site Request Forgery - CSRF

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Drupal: Drupal validates user intention in actions using industry standard techniques. Typical actions with side-effects (such as actions that delete database objects) are generally conducted with the HTTP POST method. Drupal’s Form API implements unique form tokens to protect against CSRF in POST requests. Less important actions can leverage the one-time token generation and validation functions of the Form API while still using an HTTP GET request.

9. Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

Drupal: Included libraries and frameworks (of which there are few) in Drupal core are system-level, unsophisticated, and of low risk to full server or application compromise.

10. Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Drupal: Internal page redirects cannot be used to circumvent Drupal’s integrated menu and access control system. Drupal protects against automatic redirection to off-site URLs which could be used in a phishing attack.

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.