Drupal Security
DESCRIPTION
My second presentation at DrupalCamp Sofia 2011 about securing Drupal sites.
TRANSCRIPT
1. Drupal Security, DrupalCamp Bulgaria 2011
3. Drupal APIs secure
5. APIs
6. Overview: http://drupalsecurityreport.org
7. http://drupal.org/writing-secure-code
8. http://drupal.org/security/secure-configuration
9. Cracking Drupal: http://crackingdrupal.com/
10. http://heine.familiedeelstra.com/
11. http://drupal.org/project/security_review
12. http://drupal.org/project/coder
15. update (Update Status 5)
16. drupal.org Security Advisory emails
17. (VCS, drush)
19. insecure tools: FTP, Telnet, HTTP
20. Total Commander, FileZilla?
21. SSH, sFTP, FTPS, HTTPS
22. security fix: PHP, Apache, mySQL, etc?
29. Database (SQL)
31. Shell; http://acko.net/blog/safe-string-theory-for-the-web
34. Demo: If you can do it, XSS can do it better!
36. Cross Site Request Forgery
37. img
38. JS
39. $_GET, $_POST
40. Form tokens, URL tokens
41. http://drupal.org/security/contrib
42. http://drupal.org/securityteam/risklevels
43. (Arbitrary code execution)
44. PHP include, PHP
45. PHP input format
46. http://xkcd.com/327/
47. SQL Injection; SQL query
49. hashed passwords, etc.
50. Access Bypass; authentication bypass
52. Authentication bypass
54. ? http://mmartinov.com