Introduction

I hope you've purchased this book before having a security problem rather than after. As I relate in Chapter 1, being the target of an attack is not a fun situation. Especially online, attacks can be painful: The stakes are often surprisingly high. Attackers can ruin images and text that took months to create, blemish your reputation as a reliable site, and steal users' private information; the result of nearly all of these problems is ultimately the loss of money.

You got into Drupal because it helps save time and money: It's a powerful tool available for free that anyone can use to build great sites (although, of course, there is the chance that you got into Drupal because your boss told you to!). Does the danger of an attack mean that using Drupal will be worse than using a homegrown solution? Fortunately, the answer is no. By default, Drupal provides great security protection and has an API that makes it easier for developers to avoid and eliminate security problems.

Who Should Read This Book?

This book was written with three major audiences in mind: Drupal site admins, professional developers/themers, and IT sysadmins/security generalists. Hopefully you identify with one of these three groups.

Drupal Site Admin

Perhaps the biggest group of people who will benefit from reading this book is Drupal site admins. These are people who have a site or a few sites that they maintain. They may know how to do a little bit of HTML, CSS, and/or PHP but are really more comfortable using Drupal's administrative interface than writing code. Does that sound like you? If so, you need this book because it will help you understand web application security and help you know which Drupal modules you could use to protect your site. Also, you'll learn enough about safe coding to be able to read a module or theme and see where the mistakes are.

This book covers some advanced programming topics, which means you've got a great book in your hands: In addition to learning security, you'll get a free introduction to the Drupal API. If you need help getting a Drupal site installed, see Appendix B, which includes a complete guide, from installation to building a multilingual site. From another perspective, some of the examples may feel a bit beyond your skill level. If you ever feel that way, you can, of course, try rereading the example, but you can also reach out to the community for more advice. The book provides several lists of resources showing where you can get more help.

Professional Developer or Themer?

Drupal's community is famous for being a group of hardcore techies, so certainly a large number of people reading this book will be developers and themers who write the code that runs the site. Maybe you maintain several projects on drupal.org as well. This book will help you to recognize security issues and use the Drupal API properly to protect your code against those issues. You'll also learn about the best modules you can use to protect your websites or, more likely, your customer's websites.

This book should be right at your level. Some of the examples may cover things you already know, but there's a good chance that the explanations will enhance your knowledge of the subject. Of course, there is the slightest chance that some of the topics will be too advanced for you. Again, please refer to the online resources (Appendix C) to get additional help.

IT, Sysadmin, Security Expert

It's possible that you're one of the many people whose "normal job" has nothing to do with Drupal but everything to do with providing technical support for the business needs of an organization. Maybe you're typically a system administrator, a member of a company's security team, or part of the IT support staff. I imagine you got this book because you've been told you need to roll out a Drupal site, and you want to understand the implications for the overall security of your organization.

Much as it does for the Drupal site admin, this book will give you a free introduction to Drupal, complete with how to install a site and some glimpses of how to write code for Drupal. If you have no experience with PHP, then you may struggle some with the examples. However, PHP is meant to be easy to learn and is very similar to other programming languages you may know.

Who Am I? Why Did I Write This Book?

I started using Drupal in the summer of 2005. My community needed a new website to share information about our meetings, and I wanted to make it a site where everyone could add information. A year and a half later, I was enmeshed in the community wherever I could be. I was addicted to helping make the Drupal software better, and I enjoyed learning about new technologies and issues related to web development. After posting a security-related item on my blog and stepping in to help out with a vulnerability in the Pathauto module, I was invited to join the security team.

At first, my role on the team was largely related to administrative tasks: helping track issues reported to the team, coordinating efforts by contributed module maintainers, and confirming bugs reported to the team or patches that would potentially be used to fix bugs. Over time I learned to recognize security weaknesses in Drupal modules and found a few weaknesses.

In 2007 at Drupalcon Barcelona, the security team was feeling particularly overwhelmed. We decided that we could not simply be reactive and fix bugs as they were reported. There were simply too many bug reports coming in for us to sustainably handle the problems. So we set out on two proactive courses:

  • To improve the API so that it more consistently protects users by default

  • To educate our community on how to write secure code so that the modules available on drupal.org would be more likely to be safe from the beginning

I worked primarily on updating and writing documentation and spreading knowledge about security at conferences and meetings.

In 2008, I was approached by Wiley to write this book and of course leapt at the opportunity. While the documentation on drupal.org is of high quality, a single person assisted by multiple editors in assembling a comprehensive, coherent book can produce a better outcome (being paid to do that work helps, too!).

What This Book Covers

By reading this book, you will learn about the most important security issues facing a Drupal 6 website. This field doesn't differ much from one version of Drupal to the next, and I've taken time to provide extra detail around some of the changes that came from Drupal 5 and are likely to be included in Drupal 7 (Drupal 7 is about halfway down the path to being released as the book goes to print).

In particular, the book discusses how to avoid the most common vulnerabilities in Drupal. The specific classes of vulnerabilities are based on the most common problems reported in announcements from the Drupal security team and my personal experience with code and configuration issues witnessed over nearly four years of involvement with the project.

Parts of the Book

This book is designed to be read from cover to cover. If you are already a web application security professional and simply need to know how to protect Drupal, then you can skim the first chapters of the book.

Part I: Anatomy of Vulnerabilities

Part I shows you the most common vulnerabilities that you will face. In order to protect against attacks, you first have to understand how the attack is carried out and what impact it can have. You also learn a few items that are explicitly not covered by this book. Part of security is knowing what you don't know.

Part II: Protecting against Vulnerabilities

In Part II you learn the various methods to protect your site from these common vulnerabilities. Starting with your site configuration, you see how a single small, bad choice by an administrator can make a site totally vulnerable. Next you will review some of the Drupal APIs for permissions, output filtering, and content access. The section finishes with some best practices in server access and maintenance. Drupal is only as safe as the underlying server.

Part III: Weaknesses in the Wild

Part III reviews weaknesses in their natural state: the wilds of the Internet. You start by reviewing some methods for finding vulnerabilities and figuring out how to exploit a vulnerability. Then you head straight to the bug-reporting and -fixing process so you can help make Drupal safer.

Part IV: Appendixes

This is bonus material that includes a function reference and a glossary of terms. Also, author and Drupal expert Victor Kane provides you with step-by-step instructions on installing Drupal 6 and using it to create a multilingual site.

What Is Needed for This Book

This book is written to be valuable if read in isolation, but you are likely to learn more and understand the problems better if you have a few tools at hand to explore along with the book. From most important to least important, you should have these tools available:

  • Drupal version 6.x, though 5.x and 7.x may be more appropriate depending on the version you use on your server.

  • The software stack to run Drupal, most commonly Apache, MySQL, and PHP. See Appendix B for more details on installing these. Since this book uses an example module that creates vulnerabilities in your site, you should be set up to run Drupal on a system that is separated from the Internet at large, such as a laptop or server inside a private network and with its own firewall.

  • A text editor or integrated development environment (IDE) to be able to view and edit code files. If you need a basic editor, jEdit is a nice choice, while Eclipse PDT provides a good IDE. See http://www.jedit.org and http://www.eclipse.org/pdt for downloads.

  • Command-line applications like ls, grep, and cvs. These are often included by default on Linux and Mac OS X and are also available via tools like Cygwin (http://www.cygwin.com).

Some chapters may require additional software—Chapter 8 in particular uses the separate Grendel-Scan, which relies on Java 1.6+—but it is less important than these fundamental pieces of software.

Book Conventions

To help you get the most from the text and keep track of what's happening, we've used a number of conventions throughout the book.

Boxes like this one hold important, not-to-be forgotten information that is directly relevant to the surrounding text.


NOTE

Notes, tips, hints, tricks, and asides to the current discussion are offset and styled like this.

THIS IS A SIDEBAR

You may occasionally see sidebars, which contain useful tips and asides to the main discussion.


As for styles in the text:

  • We italicize new terms and important words when we introduce them.

  • We show keyboard strokes like this: Ctrl+A.

  • We show filenames, URLs, and code within the text like so: persistence.properties.

  • We present code in this manner:

We use a monofont type to indicate a code line or block.
