3.4. Smart Configuration of Core

One of the fastest and easiest ways to make your site insecure is through improper configuration of two specific areas: user permissions and input formats.

3.4.1. User Permissions

As discussed in Chapter 1, permissions are granted to roles, and a user holds every permission of every role assigned to him. The permissions page has been compared to a vast sea of check boxes, and with a single errant click you can open a gaping security hole in your site. Figure 3-7 shows the top of that sea of check boxes.

The two biggest problems with this page are that it is easy for an administrator to accidentally click a check box in the column for an unintended role, and that it is often hard to tell whether a given permission is safe to grant to a role at all. The best advice for avoiding mistakes here is to be patient when granting permissions and to re-read the page after saving to confirm that each change did exactly what you intended.

One handy trick is to edit permissions from the role-specific page at http://example.com/admin/user/permissions/1 (the number is the role ID: 1 is the anonymous role and 2 the authenticated role), which you reach from http://example.com/admin/user/roles by clicking the Edit Permissions link for a role. On that page there is only one column of check boxes, so it is much harder to grant a permission to the wrong role by accident. If you are unsure what a specific permission such as "administer books" does, search the code base for that string: it appears where the module declares the permission (its hook_perm() implementation) and in every user_access() check or menu access argument that the permission governs, which tells you exactly what you are unlocking.
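The same review can be done against the database instead of the check-box page, which is a convenient way to confirm that an edit did what you intended. The queries below are an added example, not code from the book; they assume the Drupal 6 schema (a role table and a permission table holding one comma-separated string of permissions per role), MySQL syntax, no table prefix, and the stock role IDs 1 (anonymous) and 2 (authenticated). The administrator role ID of 3 in the last query is an assumption for a typical install.

```sql
-- Which roles hold site-owner level permissions? Drupal 6 keeps all of a
-- role's permissions in one comma-separated string (permission.perm), so
-- a substring match is the practical way to search it. Note that LIKE is
-- a substring match and can also hit longer permission names that contain
-- the same words; read the returned perm column rather than trusting the
-- row count.
SELECT r.rid, r.name, p.perm
FROM role r
JOIN permission p ON p.rid = r.rid
WHERE p.perm LIKE '%administer permissions%'
   OR p.perm LIKE '%administer users%'
   OR p.perm LIKE '%administer filters%'
   OR p.perm LIKE '%administer site configuration%'
   OR p.perm LIKE '%administer nodes%';

-- Everything granted to anonymous (rid 1) or authenticated (rid 2) is
-- granted to anyone who visits or registers. These two rows deserve a
-- line-by-line read.
SELECT r.rid, r.name, p.perm
FROM role r
JOIN permission p ON p.rid = r.rid
WHERE r.rid IN (1, 2);

-- Audit one specific permission: which roles other than the administrator
-- role (rid 3 here, an assumption about this install) hold it?
SELECT r.rid, r.name
FROM role r
JOIN permission p ON p.rid = r.rid
WHERE p.perm LIKE '%administer books%'
  AND r.rid <> 3;
```

Run these after every permissions change; an unexpected row in the first two result sets is the "errant click" described above, and it is far easier to spot in a three-row result than in a page of check boxes.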

3.4.2. Input Formats and Filters

One of Drupal's great features is the input format system, which lets different roles enter different kinds of HTML content. One of its main purposes is ensuring that users in basic roles are limited to a small set of HTML tags and cannot abuse those tags to execute XSS. You may want to limit anonymous users to presentational tags like <strong>, <em>, and <blockquote> but reserve more powerful or structural tags like <h2> and <embed> for trusted roles. The filter system goes beyond simple tag filtering and can be used for other transformations, such as turning pseudo markup into real markup the way the Inline module replaces [inline:filename.jpg] with <img src="files/filename.jpg">. Here are three easy steps to the safe use of the input system.

Figure 3.7. The many check boxes of Drupal's Permissions page

3.4.2.1. Step 1: Limit the Allowed Tags

By default, Drupal core provides two input formats: Filtered HTML and Full HTML. The default Filtered HTML configuration allows only a small set of tags whose attributes are hard to abuse for XSS or CSRF. Every tag you add to that list is a tag whose attributes and side effects you are now trusting low-privilege users with, so additions can easily introduce vulnerabilities. In particular, the following tags may enable users to attack your site: some execute script or load foreign content (SCRIPT, IFRAME, EMBED, OBJECT), some make the browser issue requests on the visitor's behalf and so enable CSRF (IMG, LINK, META, BASE), some inject styling or fake form elements and page structure that can be used to spoof the site's own interface (STYLE, INPUT, DIV, TABLE, TR, TD, FRAMESET).

Dangerous tags to grant to users:

SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, BASE, TABLE, TR, TD


3.4.2.2. Step 2: Limit Permissions

When you edit an input format, one of the options is which roles may use that format. Granting a permissive format to low-privilege users gives them the ability to exploit your site. Make sure that the formats available to Anonymous, Authenticated, and other low-level roles are limited to safe tags. Remember also that the format marked as the default is available to every user regardless of the role check boxes, so the default format must be the most restrictive one on the site.

3.4.2.3. Step 3: Remove the PHP Filter

The input format system can also allow users to run arbitrary PHP code through the PHP filter. That is a feature, but a dangerous one, since it gives anyone who can use such a format the full capabilities of PHP on your server, with the privileges of the web server process. Even if you don't allow low-privilege roles to use the PHP filter, its mere presence on the site is a weakness. If an attacker gains the password or session of a user who can configure input formats, he can add the PHP filter to a format he is allowed to use and then execute PHP on your server.

In Drupal 5.x, the PHP filter was part of the core filter module, so the only way to remove it short of patching core was to use the Paranoia module. In Drupal 6.x, the PHP filter is its own module: disable it on the modules page and then delete the modules/php directory from disk so that it cannot simply be re-enabled.

A quick way to evaluate the configuration of input formats is to log out of the site, try to post content or a comment, and look at the input formats offered to you; then repeat the test with a throwaway account in each low-privilege role. Figure 3-8 shows the formats available to an administrator on a typical site.

Figure 3.8. The input format selector

If any format on your site lets anonymous or untrusted authenticated roles use the tags listed in step 1, you have a problem. If a format available to low-privilege users does not show an "Allowed HTML tags" line in its description, it is not running the HTML filter at all, which means it is not filtering tags, and your site is at risk.
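The three steps above and this logged-out test can be checked in one pass against the database, which also catches formats that are never shown in the selector because a role has nothing to post. The queries below are an added example, not code from the book. They assume the Drupal 6 schema (filter_formats, filters, and variable tables), MySQL syntax, no table prefix, role IDs 1 (anonymous) and 2 (authenticated), that filter_formats.roles is stored as a comma-delimited list with leading and trailing commas (for example ",1,2,"), that the core HTML filter is the filter module's delta 0, that the PHP evaluator belongs to the php module, and that allowed tags live in the variable named allowed_html_ followed by the format ID.

```sql
-- Step 2 check: which formats are open to anonymous (1) or authenticated (2)?
-- The roles column looks like ",1,2,", so match with the surrounding commas
-- to avoid hitting role 11 when looking for role 1.
SELECT f.format, f.name, f.roles
FROM filter_formats f
WHERE f.roles LIKE '%,1,%'
   OR f.roles LIKE '%,2,%';

-- The default format is usable by every role regardless of the column above,
-- so include it in the review. The value is a PHP-serialized integer (i:1;).
SELECT name, value
FROM variable
WHERE name = 'filter_default_format';

-- Step 1 check: which formats do NOT run the core HTML filter at all?
-- A format without it passes tags through untouched, which is the
-- "no Allowed HTML tags line" case described above.
SELECT f.format, f.name
FROM filter_formats f
LEFT JOIN filters fl
       ON fl.format = f.format
      AND fl.module = 'filter'
      AND fl.delta = 0
WHERE fl.format IS NULL;

-- Step 1 check: the allowed tag list of every format that does run the HTML
-- filter. The value is a PHP-serialized string such as
-- s:60:"<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>";
-- compare it against the dangerous tag list given in step 1.
SELECT name, value
FROM variable
WHERE name LIKE 'allowed_html_%';

-- Step 3 check: any format that still includes the PHP evaluator.
-- After disabling and deleting the php module this should return no rows.
SELECT f.format, f.name, fl.module, fl.delta
FROM filters fl
JOIN filter_formats f ON f.format = fl.format
WHERE fl.module = 'php';
```

Cross-reference the results: a format that appears in the first result set (or is the default) must not appear in the third (no HTML filter) or fifth (PHP evaluator), and its allowed_html_ value must contain none of the tags from the step 1 list. Any format failing that test is exactly the problem the logged-out posting test is meant to reveal.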
