Hi there-

We are using Drupal to create an intranet site.  We have modified some CSS but haven't had the need to modify any PHP code or any code.  We are currently undergoing Vulnerability testing and wonder what issues may be found and how we address them.  Any issues should be reported to the Drupal Security Team, correct?  I am trying to anticipate our responses to any vulnerability issues that might be brought up.  I don't believe it is "our" responsibility in the sense that we don't need to be a PHP developer and create patches ourselves for any errors found.  Am I correct in how this process works?  We are (obv) Drupal newbies and it is new to our QA team as well, so I would like to know if testing should be handled in the same way as other "applications", such as .Net or Java?  Thanks so much.

Kelly

Comments

dblais

Here is how to report a vulnerability:
https://www.drupal.org/node/101494

greggles

Hi Kelly,

The fact that you haven't modified any PHP makes it more likely that there will not be any vulnerabilities found in your site. Especially if you use commonly used, popular, well-maintained modules, it is likely that any security vulnerabilities have already been found when other people have done security audits. There are 3 major groups of vulnerabilities that might be found in any security audit of a Drupal site:

  • Vulnerabilities that have not yet been found by anyone else. For these, please do report them following Drupal's process for coordinated disclosure of security issues. The security team will then work with the module maintainer to create a patch. In the unlikely event the maintainer chooses not to create a patch then there is a chance you will need to either write a patch or find a consultant to help you write a patch.
  • Vulnerabilities that were introduced by configuration changes. For example, if you allow anonymous users to register and then accidentally grant an advanced permission like "administer users" to the "authenticated user" role, then that has created a vulnerability in the site even though no PHP code was written or modified.
  • Weaknesses from the perspective of the auditor which may be outside of Drupal or which Drupal generally considers to be not a vulnerability. For example, security auditors will often point out that Drupal core alone will disclose usernames, which is documented as an acceptable practice. Or your auditor may require the site to use SSL, which is something Drupal supports but is implemented at the webserver level.

Good luck with the audit! I hope you'll follow up and report any vulnerabilities that need to be reported, or just let us know how the audit goes in general.

kzeeh

Thanks so much for the reassurance.  Now we have the report.  This is the OVERVIEW (i.e. headlines) and it drills down into details for each of these items.  The thing is how to address each of these.  As I said, we are new at Drupal and not doing anything tricky with it.  I don't know if this is enough information for anyone to give advice, but these are the errors showing up:

Issues Sorted by Issue Type
SQL Injection 1
Cross-Site Request Forgery 2
Missing Secure Attribute in Encrypted Session (SSL) Cookie 1
Alternate Version of File Detected 2
Autocomplete HTML Attribute Not Disabled for Password Field 23
Body Parameters Accepted in Query 2
Cacheable SSL Page Found 51
Check for SRI (Subresource Integrity) support 25
Database Error Pattern Found 15
Direct Access to Administration Pages 9
Hidden Directory Detected 1
Missing "Content-Security-Policy" header 5
Missing "X-Content-Type-Options" header 5
Missing "X-XSS-Protection" header 5
Missing HTTP Strict-Transport-Security Header 5
Oracle Log File Information Disclosure 1
Potential Order Information Found 3
Query Parameter in SSL Request 43
Robots.txt File Web Site Structure Exposure 1
Temporary File Download 2
Application Error 57
Application Test Script Detected 17
Browser Exploit Against SSL/TLS (a.k.a. BEAST) 1
Client-Side (JavaScript) Cookie References 2
Email Address Pattern Found 4
Integer Overflow 19
Link to unclassified site 1
SHA-1 cipher suites were detected 1
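Several of the items in that list (the four missing headers, the cookie Secure attribute, and cacheable HTTPS pages) are fixed at the webserver rather than in Drupal, so here is an added example, not from this thread or from Drupal, of a small Python check that takes a captured set of response headers (constructed sample values) and names which of those report items still apply; the header names and finding labels are taken from the list above.

```python
# Added example: re-check the header-related findings from the scan report
# against one HTTPS response. Header names are compared case-insensitively.
from http.cookies import SimpleCookie

# Headers the scanner reported as missing, mapped to the report's wording.
# (X-XSS-Protection is a legacy header; it is included only because the
# report flags it.)
REQUIRED_HEADERS = {
    "content-security-policy": 'Missing "Content-Security-Policy" header',
    "x-content-type-options": 'Missing "X-Content-Type-Options" header',
    "x-xss-protection": 'Missing "X-XSS-Protection" header',
    "strict-transport-security": "Missing HTTP Strict-Transport-Security Header",
}

def audit_headers(headers):
    """Return the report finding names that apply to these response headers.

    `headers` is a list of (name, value) pairs so repeated Set-Cookie lines
    survive; it is what an HTTP client or a browser's network tab gives you.
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = [f for h, f in REQUIRED_HEADERS.items() if h not in by_name]
    # Every cookie set over HTTPS must carry the Secure attribute.
    insecure = False
    for raw in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        insecure |= any(not m["secure"] for m in jar.values())
    if insecure:
        findings.append("Missing Secure Attribute in Encrypted Session (SSL) Cookie")
    # A response is cacheable unless Cache-Control forbids storing it.
    cc = ",".join(by_name.get("cache-control", [])).lower()
    if "no-store" not in cc and "private" not in cc:
        findings.append("Cacheable SSL Page Found")
    return findings

# Constructed sample responses: before and after the webserver change.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "SESSabc=1; Path=/; HttpOnly"),
        ("Cache-Control", "public, max-age=300")]
HARDENED = [("Content-Security-Policy", "default-src 'self'"),
            ("X-Content-Type-Options", "nosniff"),
            ("X-XSS-Protection", "1; mode=block"),
            ("Strict-Transport-Security", "max-age=31536000"),
            ("Set-Cookie", "SESSabc=1; Path=/; Secure; HttpOnly"),
            ("Cache-Control", "private, no-store")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs))
```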