Category Archives: Security Advisories

Drupal Security

Drupal Security: Some Useful and Practical Ideas

Drupal is renowned to be a secure and robust Content Management System. In fact, a good number of Drupal users prefer it only because of its security features and reliability. Drupal security has long been a famous concept in web development.

However, that does not mean Drupal is entirely immune to security threats. With the ever-increasing number of security issues that keep coming up, Drupal security too needs to be taken into account. Hardening your Drupal website is always a good idea.

So, where do you get started with Drupal security? Are there any steps that you can take to harden and secure your Drupal website? This article will provide the answers.

Prelude

First, we need to understand Drupal security threats properly in order to tackle them. What type of Drupal security issues exist, in general?

As many as 41.5% of total security threats faced by Drupal sites tend to be XSS vulnerabilities, also known as cross-site scripting. Naturally, this means you need to focus more on keeping your modules up to date as well as to prevent malicious code injections on your site data.

Thankfully, Drupal Security is a burning topic in itself. The team takes Drupal security very seriously. This infographic provides a brief idea of how security issues are assessed and tackled by the Drupal core team (source):

Drupal Security

You can follow the Drupal Security channel officially for any security threats, advisories as well as updates. Alternatively, you can also get alerted of the same on Twitter:

This way, you will stay updated about Drupal security issues. Got a module that has been compromised? With the right information at the right time, you can prevent it from damaging your website!

Basic Steps

Drupal is only as strong as you make. Here are a few basic steps that you can take to further enhance Drupal security.

  • Always use strong passwords for your administrator account. A complex password can ensure that brute force attacks do not happen on your Drupal site. More importantly, avoid using the default admin username and come up with something that is hard to guess.
  • Make sure you keep your Drupal installation as well as any modules or templates that you use updated to the latest version.
  • It is vital that you use Drupal themes or modules only from reputed sources. For free ones, stick only to the official repository and nowhere else. For premium modules or themes, consider reputed shops and marketplaces.
  • Take regular backups of your website data. This way, if something ever goes wrong, you will be able to resume without losing your content.
  • For connecting to your site, SFTP should always be preferred over FTP, whenever possible. Also, if you have not done so already, try using a CDN that can filter out bad bots, such as CloudFlare.

Database Security

Your Drupal database is a crucial component of your website. Naturally, you must pay special attention to its security.

When installing Drupal, make sure you change your database prefix as well as the table prefix to something other than the default values. If you are installing it via Softaculous, you can easily do it during the installation process itself.

Drupal Security Modules

Pretty much like every stable Content Management System out there, Drupal too comes with its own set of security modules that you can make use of to harden and secure your website.

  • The first Drupal security module that you should install is Security Review. This module analyzes your website and provides a summary of the security issues that you need to fix. Got files that are writable remotely? An outdated theme? Some code files that should not be there? User permissions that can pose a threat? This module will tell you everything you need to know.
  • Secondly, if you need to prevent brute force attacks, the Two-Factor Authentication module can be of use. It can be used to setup two-factor authentication on your Drupal website within minutes.
  • Hacked! is another useful Drupal security module that can compare your core as well as theme and module files against repository versions. This way, if a given file has been changed, it can alert you of the same. If you do not remember making the said change, most likely it is the result of malicious activity.
  • Similarly, Coder can check your Drupal theme and module files for coding standards and security conventions. However, beyond security, it can also assess the coding practices being used in the said modules or themes and is more of a developer’s toolkit.
  • If you are worried about user permissions, Content Access can be used to define permissions and access rules for various user account types. It can help you improve the security of your website by ensuring that user accounts do not have excess privileges on your site’s data.
  • Login Security is a Drupal security module that can be used to limit the number of login attempts. This particular module can also be used to block malicious bots on the basis of IP addresses.

Conclusion

So there you have it. Some easy to implement and very effective security measures for hardening your Drupal website. By following a judicious combination of login security steps, software updates, database security measures as well as making use of helpful modules, you can ensure that your Drupal website remains secure and safe from evil users and bots alike.

Got a Drupal security tip of your own? Share it with the world in the comments below!

ClientExec – Content Disclosure Vulnerability

Our friends at Rack911 & HostingSecList have released the following advisory for ClientExec.

ClientExec is a comprehensive and flexible web hosting billing solution that will help you manage and expand your existing base of hosting clients. ClientExec was conceived and built with small to mid-sized hosting companies in mind. ClientExec was built to enable business owners to effectively manage their hosting clients and web hosting billing using one convenient and powerful platform.
Vulnerability Description:

A malicious user can obtain the product details (name / domain) belonging to any other user when they submit a ticket by carefully crafting the request.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that other users information can be obtained.
Vulnerable Version:

This vulnerability was tested against ClientExec v4.6.8.
Fixed Version:

This vulnerability was patched in ClientExec v4.6.9. We thank ClientExec for their commitment to security by providing prompt updates!

 

If you are a VeeroTech Systems reseller & currently utilize ClientExec, please log into the account management portal and download the latest release found under Support > Downloads.

WHMCS Cookie Exploit

From the WHMCS Blog: http://blog.whmcs.com/?t=81138

 

We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However the proposed vulnerability is only possible if the attacker has gained access to a valid admin login session already through other means. For this reason, we feel that the viability of the vulnerability is not immediate nor is of a critical risk to installations.

We can confirm this vulnerability vector does exist as we have already identified and resolved it in our currently in progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.

In the meantime however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this – although please note this will also prevent admin list ordering from working fully in certain places.

Cookie Override Hook – http://go.whmcs.com/262/cookie_override_hook

 

 

If you currently have WHMCS, we recommend that you follow the instructions for this patch. You’ll need to upload the file to your /includes/hooks folder as mentioned above & in the post made by WHMCS.