Cracking Drupal®: A Drop in the Bucket

Book Description

The first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal, and how to prevent them from continuing.

Drupal is an open source framework and content management system that allows users to create and organize content, customize presentation, automate tasks, and manage site visitors and contributors. Authored by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal, and how to prevent them from continuing. The main goal of this guide is to explain how to write code that avoids an attack in the Drupal environment, while also addressing how to proceed once a vulnerability has been spotted and how to regain control of security.

Table of Contents

  1. Copyright
  2. Dedication
  3. About the Author
  4. Credits
  5. Acknowledgments
  6. Introduction
  7. Anatomy of Vulnerabilities
    1. That Horrible Sinking Feeling
      1. Avoiding That Sinking Feeling
      2. Common Ways Drupal Gets Cracked
      3. The Big Scary World
      4. The Most Common Vulnerabilities
      5. Summary
    2. Security Principles and Vulnerabilities outside Drupal
      1. Server and Network Vulnerabilities
      2. Social and Physical Vulnerabilities
      3. Summary
  8. Protecting against Vulnerabilities
    1. Protecting Your Site with Configuration
      1. Stay Current with Code Updates
      2. Know Your Attack Surface
      3. Using Extra Security Modules
      4. Smart Configuration of Core
      5. Summary
    2. Drupal's User and Permissions System
      1. Using the API
      2. What Are Hooks, Form Handlers, and Overrides?
      3. Defining Permissions: hook_perm
      4. Checking Permission: user_access and Friends
      5. Common Mistakes with Users and Permissions
      6. Summary
    3. Dangerous Input, Cleaning Output
      1. Database Sanitizing: db_query and Friends
      2. Translation and Sanitizing: t
      3. Improper Use of t
      4. Linking to Content: l and url
      5. The Form API
      6. Filtering Content: check_plain, check_markup, filter_xss_admin
      7. Summary
    4. Safety in the Theme
      1. Quick Introduction to Theming in Drupal
      2. Common Mistakes
      3. Summary
    5. The Drupal Access System
      1. Respecting the Access System
      2. Summary
    6. Automated Security Testing
      1. Test Drupal with Drupal: Coder Module
      2. Testing Drupal with Grendel-Scan
      3. Summary
  9. Weaknesses in the Wild
    1. Finding, Exploiting, and Avoiding Vulnerabilities
      1. Strategies to Crack Drupal
      2. Searching Core and Contrib for Vulnerabilities
      3. How to Report Vulnerabilities
      4. Summary
    2. Un-Cracking Drupal
      1. Step 1: Secure the Menu
      2. Step 2: Secure the User Search
      3. Step 3: Secure the Node List
      4. Step 4: Disable Users Safely
      5. Drupal Un-cracked
  10. Appendixes
    1. Function Reference
      1. Text-Filtering Functions
      2. Link and URL Building Functions
      3. Users and Permissions
      4. Database Interaction
    2. Installing and Using Drupal 6 Fresh out of the Box
      1. Step 1: Installing Drupal—Easier Than Ever Before
      2. Step 2: Designing and Building the Architecture
      3. Step 3: Creating the Business Objects
      4. Step 4: Creating the Workflows
      5. Summary
    3. Leveraging Community Resources
      1. Resources from the Drupal Security Team
      2. General Security Resources
      3. Summary
  11. Glossary
    1. Drupal-Specific Jargon
    2. Development Terms