Hi there-
We are using Drupal to create an intranet site. We have modified some CSS but haven't had the need to modify any PHP code or any code. We are currently undergoing Vulnerability testing and wonder what issues may be found and how we address them. Any issues should be reported to the Drupal Security Team, correct? I am trying to anticipate our responses to any vulnerability issues that might be brought up. I don't believe it is "our" responsibility in the sense that we don't need to be a PHP developer and create patches ourselves for any errors found. Am I correct in how this process works? We are (obv) Drupal newbies and it is new to our QA team as well, so I would like to know if testing should be handled in the same way as other "applications", such as .Net or Java? Thanks so much.
Kelly
Comments
How to report a vulnerability
Here is how to report a vulnerability:
https://www.drupal.org/node/101494
Hi Kelly,
The fact that you haven't modified any PHP makes it more likely that there will not be any vulnerabilities found in your site. Especially if you use commonly used and popular, well-maintained modules, it is likely that any security vulnerabilities have been found when other people have done security audits. There are 3 major groups of vulnerabilities that might be found in any security audit of a Drupal site:
For example, security auditors will often point out that Drupal core alone will disclose usernames, which is documented as an acceptable practice. Or your auditor may require the site to use SSL, which is something Drupal supports but is implemented at the webserver level.
Good luck with the audit! I hope you'll follow up and report any vulnerabilities that need to be reported, or just let us know how the audit goes in general.
--
Morris Animal Foundation
Results Overview
Thanks so much for the reassurance. Now we have the report. This is the OVERVIEW (i.e. headlines) and it drills down into details for each of these items. The thing is how to address each of these. As I said, we are new at Drupal and not doing anything tricky with it. I don't know if this is enough information for anyone to give advice, but these are the errors showing up:
Issues Sorted by Issue Type (issue type: number of findings)
SQL Injection: 1
Cross-Site Request Forgery: 2
Missing Secure Attribute in Encrypted Session (SSL) Cookie: 1
Alternate Version of File Detected: 2
Autocomplete HTML Attribute Not Disabled for Password Field: 23
Body Parameters Accepted in Query: 2
Cacheable SSL Page Found: 51
Check for SRI (Subresource Integrity) support: 25
Database Error Pattern Found: 15
Direct Access to Administration Pages: 9
Hidden Directory Detected: 1
Missing "Content-Security-Policy" header: 5
Missing "X-Content-Type-Options" header: 5
Missing "X-XSS-Protection" header: 5
Missing HTTP Strict-Transport-Security Header: 5
Oracle Log File Information Disclosure: 1
Potential Order Information Found: 3
Query Parameter in SSL Request: 43
Robots.txt File Web Site Structure Exposure: 1
3/15/2018 1
Temporary File Download: 2
Application Error: 57
Application Test Script Detected: 17
Browser Exploit Against SSL/TLS (a.k.a. BEAST): 1
Client-Side (JavaScript) Cookie References: 2
Email Address Pattern Found: 4
Integer Overflow: 19
Link to unclassified site: 1
SHA-1 cipher suites were detected: 1
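Several of the headline items in that report (the four missing response headers, the session cookie without the Secure attribute, and the cacheable SSL pages) are response-header configuration rather than PHP bugs, and you can verify them yourself before and after the fix. The following Python script is an added example written for this thread; it is not code from Drupal or from the scanner. The sample response, the cookie name and value, and the recommended header values are all assumptions; the finding names are copied from the list above so the output lines up with the report.

```python
"""Check a captured HTTPS response against the header-related findings that a
scanner such as the one in the report above lists.  Added example: the sample
response and the recommended header values are assumptions, not part of the
original thread."""
from typing import Dict, List

# Headers the report lists as missing: (header name, a value a hardened site
# could send, finding text in the scanner's wording).  Values are assumptions.
REQUIRED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains",
     "Missing HTTP Strict-Transport-Security Header"),
    ("Content-Security-Policy", "default-src 'self'",
     'Missing "Content-Security-Policy" header'),
    ("X-Content-Type-Options", "nosniff",
     'Missing "X-Content-Type-Options" header'),
    ("X-XSS-Protection", "1; mode=block",
     'Missing "X-XSS-Protection" header'),
]

# Constructed sample: what a page might send over HTTPS before the webserver
# is configured to add security headers.  Cookie name and value are made up.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=300
Set-Cookie: SESSabc123=deadbeef; Path=/; HttpOnly
X-Frame-Options: SAMEORIGIN
"""


def parse_raw_response(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response into
    {lower-cased name: [values]}; repeated headers (Set-Cookie) are kept apart."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_attrs(cookie: str) -> set:
    """Lower-cased attribute names of a Set-Cookie value (path, httponly, secure, ...)."""
    return {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}


def audit_response(headers: Dict[str, List[str]], is_https: bool = True) -> List[str]:
    """Return the findings, in the scanner's wording, that apply to this response."""
    findings: List[str] = []
    for name, _value, finding in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.append(finding)
    cookies = headers.get("set-cookie", [])
    if is_https and any("secure" not in cookie_attrs(c) for c in cookies):
        findings.append("Missing Secure Attribute in Encrypted Session (SSL) Cookie")
    # A response that sets a session cookie is user-specific; if Cache-Control
    # says neither private nor no-store, a shared cache may serve it to others.
    cache_tokens = {token.strip().lower()
                    for value in headers.get("cache-control", [])
                    for token in value.split(",")}
    if is_https and cookies and not cache_tokens & {"private", "no-store"}:
        findings.append("Cacheable SSL Page Found")
    return findings


def hardened_copy(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the headers as they would look once the webserver is configured to
    add the missing headers, mark cookies Secure and stop caching of session
    pages.  These fixes live in webserver or site configuration, not in PHP."""
    fixed = {name: list(values) for name, values in headers.items()}
    for name, value, _finding in REQUIRED_HEADERS:
        fixed.setdefault(name.lower(), [value])
    if fixed.get("set-cookie"):
        fixed["set-cookie"] = [c if "secure" in cookie_attrs(c) else c + "; Secure"
                               for c in fixed["set-cookie"]]
        fixed["cache-control"] = ["private, no-store"]
    return fixed


if __name__ == "__main__":
    parsed = parse_raw_response(SAMPLE_RESPONSE)
    for finding in audit_response(parsed):
        print("FINDING:", finding)
    print("after hardening:", audit_response(hardened_copy(parsed)) or "no findings")
```

To run it against your own intranet site, capture the real headers (for example with `curl -sI https://your-site/`) and paste them into `SAMPLE_RESPONSE`. The hardened set is what you get by adding the headers at the webserver level, as the reply above describes for SSL, or through a contributed module such as Security Kit; re-running the audit after the change gives you the evidence to close those items in the report.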