A9 Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
In Drupal, the additional components are contributed modules, which must pass through the community's "Module Approval Process" before they are published under the Drupal project umbrella. Beyond that, some academic institutions run their own security checks on the modules they deploy.
Drupal Approved Modules: employ only modules that have already been reviewed for security, and keep them current (Drupal core's Update Manager module reports installed modules with a pending security release). Several U.S. universities have established dedicated staff who periodically review Drupal modules and publish approved lists:
· University of Pennsylvania, SAS (“School of Arts and Sciences”), (see https://www.sas.upenn.edu/computing/drupal-approved-modules )
· University of Texas at Austin (see https://sites.utexas.edu/cofawebteam/about-us/wordpress-drupal/contracting-for-drupal/approved-modules/ )
A10 Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Custom redirect systems can also be unsafe, e.g. http://example.com/index.php?target=evil.com : if the target parameter is copied into the Location header without validation, an attacker can supply an absolute URL (http://evil.com) or a protocol-relative one (//evil.com) and send the victim off-site.
Drupal approach:
· Drupal's internal redirections use local paths and generate the URLs from them, rather than copying a caller-supplied URL; in Drupal 7, drupal_goto() ignores a destination query parameter that url_is_external() flags as external.
· Look for uses of drupal_goto() and Form API redirects (#redirect in Drupal 6, $form_state['redirect'] in Drupal 7) in your modules and verify that the destination is never taken verbatim from user input.
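The following is an added example, not code from Drupal core or from the original page. It shows the custom redirect endpoint described above in its vulnerable form next to a hardened version that accepts only local absolute paths; the function names, the example.com base URL and the test inputs are assumptions made for illustration. Drupal 7 offers url_is_external() for the same purpose; the standalone check below spells out what such a check has to cover (schemes, protocol-relative URLs with either slash, control characters).

```php
<?php
/**
 * Added example (not Drupal code): a custom redirect endpoint, vulnerable and
 * hardened. Both take the query parameters as an array so they can be run
 * against constructed input without a web server.
 */

/**
 * Vulnerable: ?target= goes into the Location header unchanged, so
 * ?target=http://evil.com or ?target=//evil.com redirects the victim off-site.
 */
function redirect_unsafe(array $query) {
  $target = isset($query['target']) ? $query['target'] : '/';
  header('Location: ' . $target);   // open redirect
  exit;
}

/**
 * Hardened: returns the full redirect URL for a local path, or NULL when the
 * target must be rejected. Returning instead of calling header() lets the
 * caller (and this demo) inspect the decision.
 */
function safe_local_redirect_url($target, $base = 'https://example.com') {
  // Must be a non-empty string that starts with a single slash: an absolute
  // local path. This already excludes "http://evil.com" and "evil.com".
  if (!is_string($target) || $target === '' || $target[0] !== '/') {
    return NULL;
  }
  // Control characters and raw whitespace: header injection (CR/LF) and
  // parser confusion. Legitimate paths carry these percent-encoded.
  if (preg_match('/[\x00-\x20\x7f]/', $target)) {
    return NULL;
  }
  // "//evil.com" is protocol-relative; browsers treat "/\evil.com" the same
  // way, so reject a second leading slash or backslash.
  if (preg_match('#^/[/\\\\]#', $target)) {
    return NULL;
  }
  // Belt and braces: parse_url() must see neither a scheme nor a host.
  $parts = parse_url($target);
  if ($parts === FALSE || isset($parts['scheme']) || isset($parts['host'])) {
    return NULL;
  }
  return $base . $target;
}

/**
 * Hardened endpoint: redirect only when the target passed validation,
 * otherwise fall back to the front page.
 */
function redirect_safe(array $query) {
  $url = isset($query['target']) ? safe_local_redirect_url($query['target']) : NULL;
  header('Location: ' . ($url === NULL ? 'https://example.com/' : $url));
  exit;
}

// Demo over constructed inputs (run with: php thisfile.php).
$samples = array(
  '/user/1',
  '/node/5?page=2',
  'evil.com',
  'http://evil.com',
  '//evil.com',
  '/\evil.com',
  "/user\r\nSet-Cookie: a=b",
  'javascript:alert(1)',
);
foreach ($samples as $t) {
  $url = safe_local_redirect_url($t);
  echo str_pad(json_encode($t), 34), ' => ', ($url === NULL ? 'REJECTED' : $url), "\n";
}
```

Only the first two inputs are accepted; everything else is rejected and the hardened endpoint falls back to the front page. When auditing a module, apply the same standard to every drupal_goto() call and form redirect: the path should come from a fixed local route or from an allow-list, never from a raw query parameter.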