The solution: use Drupal and secure it.
a) Drupal vs OWASP Top Ten
vulnerabilities and threats. CMS Security should be addressed.
A1 Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
SQL Injection: You shouldn't use data that you don't trust (as a feed, a user input, another database, etc) directly in a database query without escape it:
index.php?id=12 mysql_query("UPDATE mytable SET value = '". $value ."' WHERE id = ". $_GET['id']);
Instead you should use Drupal functions passing the user input as parameters:
db_query("UPDATE {mytable} SET value = :valueWHERE id = :id", array( ':value' => $value, ':id' => $id);
If you need to include dynamic table or column names in your query, you can use db_escape_table().
A2 Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
Apply the Drupal Solutions to common Auth and Session Issues:
|
Security Issue |
Drupal Solution |
|
Weak password storage and account management |
Passwords are stored hashed |
|
Session hijacking / fixation |
Session IDs changed when permissions change |
|
Lack of session timeout / logout |
Drupal works with Apache's SSL transport Modules to set certain URLs to use SSL |
Comments
Secure Web 2.0: Drupal vs
Secure Web 2.0: Drupal vs OWASP (part 1)