<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="UTF-8">
<title>Michigan Drupal Camp 2015</title>
<meta name="apple-mobile-web-app-capable" content="yes"/>
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/theme/night.css" id="theme">
<link rel="stylesheet" href="customcss/css/screen.css">
<link rel="stylesheet" href="lib/css/zenburn.css">
</head>
<body>
<div class="reveal">
<div class="slides">
<section>
<h2>Drupal SA05 aka drupalgeddon </h2><h2>and other Drupal Security related topics</h2>
<h3>Michael Hess</h3>
</section>
<section>
<h2>Michael Hess</h2>
<p>
Current Drupal Security Team Lead.
</p>
<p>
Solutions architect lead at the University of Michigan.
</p>
<p>
Supports around 900 Drupal sites at the University.
</p>
<p>
Supports around 500 sites not related to the University.
</p>
<h6><a href="https://twitter.com/mlh407">Twitter: @mlh407</a></h6>
<aside class="notes">
9 years in Drupal
5 years on the secteam
build/consult on around 100 sites yearly
drupal 4.6(ish)
</aside>
</section>
<section>
<h2>Agenda</h2>
<p>Overview of Drupal security and the Drupal security team</p>
<p>Overview of SA05/Drupalgeddon</p>
<p>Overview of best practices</p>
</section>
<section>
<h2>Do You Brush Your Teeth Daily?</h2>
<p>Please text: 734-821-5212</p>
<table class="answertable sticky-enabled">
<thead><tr><th>Answer Choice</th><th>Text Code:</th> </tr></thead>
<tbody>
<tr class="odd"><td>Yes</td><td>4483</td> </tr>
<tr class="even"><td>No</td><td>2983</td> </tr>
<tr class="odd"><td>I don't have any. </td><td>6276</td> </tr>
</tbody>
</table>
<h6> We will discuss this later.</h6>
</section>
<section>
<h2> Security in Drupal</h2>
<p class="fragment">Drupal has a dedicated Security Team of 42 people around the world. </p>
<p class="fragment">The Security Team is a volunteer group. </p>
<p class="fragment">We:</p>
<ul class="fragment">
<li>Resolve reported security issues in a Security Advisory</li>
<li>Provide assistance for contributed module maintainers in resolving security issues</li>
<li>Provide documentation on how to write secure code</li>
<li>Provide documentation on securing your site</li>
<li>Help the infrastructure team to keep the drupal.org infrastructure secure</li>
</ul>
</section>
<section>
<h2>Security Process</h2>
<ol>
<li>A vulnerability is discovered in code.</li>
<li>An issue is reported to the security team.</li>
<li>An issue is confirmed to be valid in a supported release eligible for an SA.</li>
<li> The security team and the maintainer of the code fix the issue.</li>
<li>A Security Advisory is written and the fix is published. Notifications about the issue go out via
Twitter/RSS/email.
</li>
</ol>
<h3>Subscribe to the Security Team newsletter via "my newsletter" under edit on www.drupal.org/user.</h3>
</section>
<!--
<section>
<h2> Do you already subscribe to the Security Team's newsletter/SA's?</h2>
<p>Please text: 734-821-5212</p>
<iframe src="https://respconf.sites.uofmhosting.net/node/76/graph" width="100%"></iframe>
<table class="answertable sticky-enabled" >
<thead>
<tr>
<th>Answer Choice</th>
<th>Code to text</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Yes</td>
<td>2177</td>
</tr>
<tr class="even">
<td>No</td>
<td>1819</td>
</tr>
<tr class="odd">
<td>I read them on Twitter</td>
<td>4729</td>
</tr>
<tr class="even">
<td>I do now</td>
<td>3913</td>
</tr>
</tbody>
</table>
</section>
-->
<section cite="https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013">
<h3>Common Web Vulnerabilities</h3>
<h4>From Open Web Application Security Project</h4>
<ol>
<li>Injection such as SQL, OS, and LDAP injection.</li>
<li>Broken Authentication and Session Management.</li>
<li>Cross-Site Scripting (XSS).</li>
<li>Insecure Direct Object References.</li>
<li>Security Misconfiguration.</li>
<li>Sensitive Data Exposure.</li>
<li>Missing Function Level Access Control (access bypass).</li>
<li>Cross-Site Request Forgery.</li>
<li>Using Components with Known Vulnerabilities.</li>
<li>Unvalidated Redirects and Forwards.</li>
</ol>
</section>
<section>
<h2>Using Components with Known Vulnerabilities</h2>
<p>Do you use third-party libraries?</p>
</section>
<section>
<h2> Common Drupal Vulnerabilities from 2014</h2>
<img src="images/michigan/vulns-2014">
<ol>
<li>61 - Cross Site Scripting.</li>
<li>42 - Access Bypass.</li>
<li>13 - Information Disclosure.</li>
<li>4 - Cross-Site Request Forgery.</li>
</ol>
</section>
<section>
<h2> SA05/drupalgeddon</h2>
</section>
<section id="fragments">
<h3>Was a site you work on compromised by SA05/drupalgeddon?</h3>
<p>Please text: 734-821-5212</p>
<table class="answertable sticky-enabled">
<thead>
<tr>
<th>Answer Choice</th>
<th>Text Code:</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Yes</td>
<td>9361</td>
</tr>
<tr class="even">
<td>No</td>
<td>8617</td>
</tr>
<tr class="odd">
<td>Unsure</td>
<td>5821</td>
</tr>
</tbody>
</table>
</section>
<section>
<h3>Was a site you work on compromised by SA05/drupalgeddon?</h3>
<p class="fragment">
<iframe src="https://respconf.sites.uofmhosting.net/node/75/graph" width="100%" height="900px"></iframe>
</p>
</section>
<section>
<h2> What is SQL Injection?</h2>
<blockquote cite="https://www.owasp.org/index.php/SQL_Injection" class="long">
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the
client to the application. A successful SQL injection exploit can read sensitive data from the database,
modify database data (Insert/Update/Delete), execute administration operations on the database (such as
shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some
cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in
which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL
commands.
</blockquote>
</section>
<section>
<h2> So?</h2>
<p>SQL injection lets an attacker have the same access to your database that Drupal has. </p>
<p class="fragment">Allows an attacker to add a user and modify users' roles. </p>
<p class="fragment">Allows an attacker to change passwords and email addresses. </p>
<p class="fragment">Allows an attacker to update URLs to payment pages. </p>
<p class="fragment">Allows an attacker to change content. </p>
<p class="fragment">Anything that can be done via the web interface, an attacker can do.</p>
</section>
<section>
<h2> SQL Injection is Easy to Exploit</h2>
<p>Most of the time, SQL injection is easy to exploit.</p>
<p>Other vulnerabilities may require several actors to take correctly timed actions.</p>
<p>SQL injection can usually be exploited by the attacker alone.</p>
</section>
<section>
<h2>Drupal's Database API</h2>
<p>When used correctly, the database API prevents SQL injection. </p>
<p class="fragment">In the case of SA05/drupalgeddon, the database API is where the vulnerability was.</p>
<p class="fragment">Oh, the irony.</p>
</section>
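<section>
<h2>What the Expansion Step Does</h2>
<p>Added example, not Drupal's code: a simplified Python model of the array-placeholder expansion that the database API performs and that the patch on the next slide touches. The function name expand_placeholders, the fixed flag and the sample inputs are this example's own; it shows why placeholder names must be generated by the code rather than derived from the bound array's keys.</p>

```python
import re

# Added example (not Drupal's code): a simplified model of the array
# placeholder expansion in Drupal 7's database API. A placeholder such as
# :ids may be bound to a list; the API rewrites it to :ids_0, :ids_1, ...
# and binds each value separately, so the *values* never touch the SQL
# text. The placeholder *names*, however, are spliced into the query
# string, so whatever builds them must not be caller-controlled.

def expand_placeholders(query, args, fixed):
    """Return (query, args) with every array-valued placeholder expanded.

    fixed=False models the pre-patch behaviour (placeholder names derived
    from the keys of the bound array); fixed=True models the array_values()
    patch (names derived from 0, 1, 2, ...).
    """
    args = dict(args)
    for key, data in list(args.items()):
        if isinstance(data, (list, tuple)):
            data = dict(enumerate(data))   # a plain list already has keys 0, 1, 2...
        elif not isinstance(data, dict):
            continue                       # scalars are bound as-is, never expanded
        # Pre-patch: the array's own keys name the placeholders.
        # Post-patch: array_values() drops the keys, which enumerate() does here.
        items = enumerate(data.values()) if fixed else data.items()
        new_keys = {"%s_%s" % (key, i): value for i, value in items}
        # The placeholder names go into the query text verbatim.
        query = re.sub(re.escape(key) + r"\b", ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args

SQL = "SELECT name FROM users WHERE uid IN (:ids)"

# Normal use: a list built by code expands to numbered placeholders.
ok = expand_placeholders(SQL, {":ids": [3, 7]}, fixed=True)

# Constructed input whose array keys come from the request rather than from
# code, the shape the advisory describes. Unpatched, the key itself lands in
# the SQL text; patched, it is discarded and a code-generated name is used.
TAINTED = {":ids": {"x": 3}}
before = expand_placeholders(SQL, TAINTED, fixed=False)
after = expand_placeholders(SQL, TAINTED, fixed=True)

if __name__ == "__main__":
    print(ok[0])      # ... IN (:ids_0, :ids_1)
    print(before[0])  # ... IN (:ids_x)   the caller's key is now SQL text
    print(after[0])   # ... IN (:ids_0)   the name is generated by the code
```
</section>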
<section>
<h2>The patch</h2>
<pre>
<code data-trim contenteditable>
- foreach ($data as $i => $value) {
+ foreach (array_values($data) as $i => $value) {
</code>
</pre>
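<p>Review bot: the + line discards the keys of $data so that $i is always a 0-based integer, but the hunk carries no comment saying why; since the slide's own summary is that the field value was sanitized while the field name (the array key) was not, a one-line note that placeholder names built from $i must never be caller-controlled would stop a later refactor from quietly reverting to iterating $data directly.</p>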
</section>
<!-- <section>
<h2>For non-coders:</h2>
<p> The value of a form field was sanitized to prevent SQL injection, but the field name was not. </p>
</section>-->
<section>
<h2>Common Attack Patterns</h2>
<p>Changing password or email address on uid=1.</p>
<p>Adding files to the file system via the menu_router table and file_put_contents.</p>
<p>Adding a user and giving that user admin access.</p>
<p>Installing a PHP backdoor by enabling the PHP module and creating a node with PHP in it.</p>
<p>Patching the vulnerability</p>
<p>Many, many more ...</p>
</section>
<section>
<h2> Code Examples</h2>
<h4>From Acquia</h4>
<pre class="fragment">
<code data-trim contenteditable>
update users set name='admin' , pass = '$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g' where uid = '1';
</code>
</pre>
<pre class="fragment">
<code data-trim contenteditable>
set @a=(SELECT MAX(uid) FROM users)+1;INSERT INTO users set uid=@a,status=1,name='n0n0x' , pass = '$S$CTo9G7Lx2jmHrpHDdKDR0R8X/q4H9PXo02REYap3z2t8UE3F0DfC';INSERT INTO users_roles set uid=@a,rid=3;
</code>
</pre>
<pre class="fragment">
<code data-trim contenteditable>
update {users} set mail='[EMAIL_ADDRESS]' where uid=1;
</code>
</pre>
<pre class="fragment">
<code data-trim contenteditable>
INSERT INTO `menu_router` (`path`, `load_functions`, `to_arg_functions`, `description`, `access_callback`, `access_arguments`)
VALUES ('mziogj', '', '', 'mziogj', 'file_put_contents', '[TROJAN]');
</code>
</pre>
</section>
<section>
<h2>
Example:
</h2>
<p>Please be respectful and don't exploit this server while I am doing the demo.</p>
<p class="fragment">I will leave the server up this weekend, for educational purposes. Do not engage in illegal activities. </p>
<aside class="notes">
http://demo-1774628101.us-east-1.elb.amazonaws.com/<br>
ec2-54-152-44-98.compute-1.amazonaws.com<br>
avc
</aside>
</section>
<section>
<h2>Some Perspective</h2>
<p> This was a major vulnerability, but let's keep in mind that the last major issue was over 7 years ago. </p>
<p> This code has been in Drupal since the Drupal 7 betas. </p>
<p>Nothing is 100% sure, and nothing ever will be. We mitigate risk by using best practices.</p>
</section>
<section>
<h2> Best Practices</h2>
</section>
<section>
<h2>Do You Brush Your Teeth Daily?</h2>
<iframe src="https://respconf.sites.uofmhosting.net/node/77/graph" width="100%" height="900px"></iframe>
</section>
<section>
<h4>Brushing your teeth is a best practice.</h4>
<p>For security, you can't check a list and be done.</p>
<p>You must keep working at it. It is a process, not a one-time task.</p>
<p class="fragment"> Which is why I hope everyone brushes their teeth. </p>
<img class="fragment" src="images/michigan/badmouth.jpg" width="60%">
</section>
<section>
<h2>Some Best Practices</h2>
<p>Only use encrypted protocols.</p>
<p>HTTPS, FTPS, SSH, etc.</p>
<p> Every change you make might impact the security of your site. Therefore, security needs to be in your workflow.</p>
<p>Use supported versions (it will soon be time to update Drupal 6).</p>
<p><b>Take and verify backups.</b></p>
</section>
<section>
<h1>Keep Your Site Updated</h1>
<p>Always make sure you update after a security release comes out. </p>
</section>
<section>
<h2>Know Your Risk Level</h2>
<p>
Blog vs. complex site: a blog is likely to be compromised to send spam or to act as part of a botnet.
</p>
<p> A complex site might be compromised for the data it holds. </p>
<p> Security is a balance.</p>
<p> Is your site a target?</p>
</section>
<section>
<h2>Regulations</h2>
<h3>PCI, HIPAA, SCADA, XYZ, PDQ</h3>
<p>You might have legal requirements imposed by the data you keep.</p>
</section>
<section>
<h2>Do Not Use Insecure Hosting</h2>
<p> Use a dedicated Drupal hosting provider. </p>
<p> Shared hosting normally runs the web server as the owner of the files (cPanel). </p>
<p> Multiple sites on a server often share one account for all sites (www-data, nobody, etc.). </p>
</section>
<section>
<h2>Do Not Use Multisite</h2>
<p>Unless you have a deep understanding of apache/nginx and file permissions, multisite is insecure. </p>
</section>
<section>
<h2>Use a Module that Enhances Security in Your Site</h2>
<p>Paranoia: Locks your site down.</p>
<p>Security Review: Runs a checklist of items and confirms your site adheres to them.</p>
<p>Permissions Lock: Finer-grained permissions over what users with 'administer permissions' can do. </p>
<p>Two-Factor Authentication: Something you know, and something you have.</p>
<p>Hacked!: Tells you whether code has been changed.</p>
<p>Password Policy: Enforces strong passwords.</p>
</section>
<section>
<h3> Other Security Vulnerabilities</h3>
<p>XSS, CSRF and access bypass may be harder to exploit at scale, but an attacker can still compromise a site with them.
The security team releases SAs on Wednesdays; set time aside to update your sites (or pay someone to do it for you). </p>
<img class="fragment" src="images/michigan/filtering_text.png">
<p class="fragment"> Details on these vulnerabilities are outside the scope of this talk. </p>
</section>
<section>
<h1>Questions?</h1>
<p>Thank you for your time!</p>
</section>
</div>
</div>
<script src="lib/js/head.min.js"></script>
<script src="js/reveal.js"></script>
<script>
// Full list of configuration options available at:
// https://github.com/hakimel/reveal.js#configuration
Reveal.initialize({
controls: true,
progress: true,
history: true,
center: true,
transition: 'fade', // none/fade/slide/convex/concave/zoom
// Optional reveal.js plugins
dependencies: [
{
src: 'lib/js/classList.js', condition: function () {
return !document.body.classList;
}
},
{
src: 'plugin/markdown/marked.js', condition: function () {
return !!document.querySelector('[data-markdown]');
}
},
{
src: 'plugin/markdown/markdown.js', condition: function () {
return !!document.querySelector('[data-markdown]');
}
},
{
src: 'plugin/highlight/highlight.js', async: true, condition: function () {
return !!document.querySelector('pre code');
}, callback: function () {
hljs.initHighlightingOnLoad();
}
},
{src: 'plugin/zoom-js/zoom.js', async: true},
{src: 'plugin/notes/notes.js', async: true}
]
});
</script>
<!--
Some content taken from greggles and scor's presentation at DrupalCon Austin.
-->
</body>
</html>