Preventing exploits in Drupal

Question

Is there a good resource or list of known fixes for exploits in Drupal (including common modules) that I can use to close up holes in my sites?

I'm using 6.19 on all my sites, as well as making sure that any security updates for modules are installed immediately. Is there anything else I can realistically do? (Such as restricting access to all "/admin" urls to a certain set of IP addresses etc)

I know about the obvious bits, such as filtering user input on forms etc, but I'm wondering if there are other pitfalls I need to worry about...

Answer 1

Just all the common PHP security. In fact, just the top 10 as published by OWASP. However, Drupal acts as a web-application framework, a little here too.

• If you develop your own Drupal modules, make sure to adhere to writing secure code
• If you use only contributed modules, you should a) make sure to subscribe to Drupal's security mailing list, and b) upgrade your code all the time, and c) optionally, manuall scanning of all used modules with "writing secure code", mentioned above.

Drupal has security models and layers in place for all top10 OWASP issues. Allthough A6 (configuration) can go wrong. You will need to understand what you are doing and need to read the online help in Drupals admin in detail. You might open up security holes easily by changing settings, without knowing what they do exactly. For example: I have seen many Drupal sites that switch the default "input format" to e.g. Full HTML, because they think that helps editors, not realising that this makes this format the filter for all content, including comments. Opening up XSS-posting all over the place. Drupals online help mentions this, but people often don't read that :)

Another thing to realise, is that Drupal does not scan code upfront. People must read trough code, and report found security issues, before they are dealt with. If you run many thrid party modules, you can be almost assured at least one of them will have a security hole in them. If you want to avoid that, you must scan yourself, or else avoid such modules alltogether.

Answer 2

Drupal its self is pretty secure, however its modules are not. You are most likely to be hacked by modifying your default Drupal install.

That being said you should install a Web Application Firewall. Make sure php is configured correctly with PHPSecInfo and lock down MySQL. (FILE privilege is the worst privilege you can give to a web application)

Answer 3

Considering you use Drupal core and few most popular modules, it is pretty secure. Still, you need to remember few things:

1. If you use Drupal 6 core module Upload and allow users to upload files, make sure you removed "txt" from allowed file extensions. It can be used to exploit Internet Explorer MIME sniffer bug, leading to XSS/HTMLi. I was writing about it some time ago.
2. If you care about Clickjacking, you can try SafeClick module.
3. If you use Views module, do not use Exposed Filters (tssss, I shouldn't be talking about this)
4. Drupal isn't the one thing to secure. Make sure your web server is hardened.

Answer 4

Here is a book on the topic of Drupal security:

http://www.amazon.com/Cracking-Drupal-Bucket-Greg-Knaddison/dp/0470429038