GVS is now part of Acquia.

Security Review module and securing your Drupal site


Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.

I'd like to introduce the Security Review module for automatically checking for the existence of insecure configuration and maintaining a secure Drupal site. With the first release come the following checks:

  • Insecure file system permissions
  • Insecure input formats
  • Dangerous code in nodes and comments
  • Printed errors
  • Private files directory not set outside the web root
  • Dangerous allowed upload extensions
  • Permissions granted to untrusted roles
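The checks in the list above can be reproduced in miniature outside Drupal. The script below is an added example written for this post, not code from the Security Review module; it implements the file permission, upload extension, input format and private files directory checks over a constructed sample site tree. The sets of dangerous extensions and script-capable tags are assumptions chosen for the example, not the module's own lists.

```python
import os
import shutil
import stat
import tempfile

# Extensions a web server or browser may execute or interpret. Allowing
# untrusted users to upload these is the "dangerous allowed upload
# extensions" case. Assumed list for this example, not the module's own.
DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar",
                        "pl", "py", "cgi", "asp", "js", "html", "htm", "htaccess"}

# Tags that let an author run script or load active content. An input format
# that allows them and is available to an untrusted role is the "insecure
# input formats" case. Assumed list for this example.
SCRIPT_CAPABLE_TAGS = {"script", "iframe", "object", "embed", "style",
                       "meta", "link", "base", "form"}


def check_upload_extensions(allowed):
    """Return the allowed upload extensions that are dangerous (case-insensitive)."""
    normalized = {ext.lower().lstrip(".") for ext in allowed}
    return sorted(normalized & DANGEROUS_EXTENSIONS)


def check_input_format(allowed_tags, untrusted_roles_with_access):
    """Return script-capable tags an untrusted role could use, [] if none."""
    if not untrusted_roles_with_access:
        return []  # only trusted roles can use this format, so nothing to flag
    tags = {tag.lower().strip("<>") for tag in allowed_tags}
    return sorted(tags & SCRIPT_CAPABLE_TAGS)


def check_writable_files(root, exclude=("sites/default/files",)):
    """Return paths under root writable by group or others.

    Code and configuration should be read-only to the web server; the public
    files directory legitimately needs writes, so it is excluded.
    """
    findings = []
    skip = {os.path.join(root, path) for path in exclude}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def check_private_path(private_path, webroot):
    """Return True when the private files directory sits inside the web root."""
    priv = os.path.realpath(private_path)
    web = os.path.realpath(webroot)
    return priv == web or priv.startswith(web + os.sep)


def run_demo():
    """Build a constructed sample site tree and run every check over it."""
    root = tempfile.mkdtemp(prefix="drupal_demo_")
    try:
        for rel in ("sites", "sites/default", "sites/default/files"):
            os.mkdir(os.path.join(root, rel))
            os.chmod(os.path.join(root, rel), 0o755)
        for rel, mode in (("index.php", 0o644), ("sites/default/settings.php", 0o666)):
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("<?php\n")
            os.chmod(path, mode)  # settings.php is deliberately world-writable
        return {
            "writable": check_writable_files(root),
            "extensions": check_upload_extensions(["jpg", "png", "PHP", ".txt", "html"]),
            "tags": check_input_format(["<a>", "<em>", "<script>", "<iframe>"],
                                       ["anonymous user"]),
            "private_inside_webroot": check_private_path(
                os.path.join(root, "sites", "default", "private"), root),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Each function returns the offending items rather than a bare pass/fail so the report page can list them; an empty result is a pass. The exclusion of the public files directory mirrors the practical reality that Drupal must write there, which is exactly why uploads into it need the extension check.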

Security Review also looks for signs of common attacks in the logs: SQL injection and system probing, and brute-force login attempts.

The module reports the result of each check as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system, so any check can be skipped; I often skip the error reporting check on a development instance of my site. The checks are explained in detail and, where applicable, link to online documentation.

Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!

Comments


Ben, awesome module! A great complement to go with Cracking Drupal. I just ran a test by marking the authenticated user as untrusted and granted HTML tag permissions and the module caught the issue. Changed some files to writable and it caught that too. I'll definitely use and highly recommend this module for every Drupal site.


An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.

Either you know something that I don't, or this is a typo. For example the blockquote above is a completely harmless HTML tag.

P.S. The email field label in the comment form is white text on a white background.


dalin, by "any HTML tag" I mean that you've configured Drupal to not filter the input of anonymous, untrusted users. If there is no tag filtering then I can write some JavaScript that will be executed when anyone views my comment. This is the problem. You can read more about input formats on the Security Team leader's blog at http://heine.familiedeelstra.com/input-formats-beware


Added a mention of this module to the overview of the security section in the Drupal admin guide. http://drupal.org/security/secure-configuration This section of the guide (actually the entire admin guide) needs a lot of love, so if any security-minded drupalistas want to help fix it up, it would be really appreciated.


Great module! I had an idea a while back to approach this from a slightly different route, however, with your approach I think this would be an extension.

Essentially using the SimpleTest crawler to crawl an existing Drupal site and injecting JavaScript/malicious code into any text box to see if it gets rendered on page load.

A bit harder than just that, but I think that would be an invaluable tool and extension to this module, since we all know very well that a theme can open up a whole new set of vulnerabilities.


That is a great idea, Ted, and such that it's already been started (though it could use some help). Check out the security scanner for simpletest at Security Scanner for Drupal
