I have been asked if Drupal meets PCI and OWASP security standards. After reading them in some detail, my answer would be yes for the most part. One issue was specifically raised: storing the database connection string in plain text.
OWASP says the following on its site: http://www.owasp.org/index.php/Configuration#Secure_connection_strings
Secure connection strings
Connection strings to the database are rarely encrypted. However, they allow a remote attacker who has shell access to perform direct operations against the database or back end systems, thus providing a leap point for total compromise.
How to identify if you are vulnerable
- Check your framework’s configuration file, registry settings, and any application-based configuration file (usually config.php, etc.) for clear text connection strings to the database.
How to protect yourself
- Sometimes, no password is just as good as a clear text password.
- On the Win32 platform, use “TrustedConnection=yes”, and create the DSN with a stored credential. The credential is stored as an LSA Secret, which is not perfect, but is better than clear text passwords.
- Develop a method to obfuscate the password in some form, such as “encrypting” the name using the hostname or similar within code in a non-obvious way.
- Ask the database developer to provide a library which allows remote connections using a password hash instead of a clear text credential.
Does anyone have thoughts on the easiest way to meet this standard in Drupal?
Thanks
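As an added example for this thread (not code from the original post, from OWASP or from Drupal itself), here is a small Python audit script that performs the "how to identify if you are vulnerable" step from the excerpt above: it scans a settings.php-style file for clear-text passwords in PHP `$databases` arrays and in DSN-style connection strings, reports blank passwords separately (the "no password" case the excerpt mentions), and checks whether the file is readable by group or others, which is the access any in-file decryption key would share. The regexes, the constructed sample settings and the made-up credentials in it are all assumptions.

```python
"""
Audit Drupal-style config files for clear-text database credentials and
loose file permissions (the OWASP "how to identify if you are vulnerable" step).
Added example for this thread; the regexes and the sample below are assumptions.
"""
import os
import re
import stat
import sys
import tempfile

# 'password' => 'secret' inside a PHP $databases array (Drupal settings.php).
PHP_PASSWORD_RE = re.compile(r"""['"]password['"]\s*=>\s*['"](?P<pw>[^'"]*)['"]""")
# Password=... / Pwd=... inside an ODBC/DSN-style connection string.
DSN_PASSWORD_RE = re.compile(r"""(?i)\b(?:password|pwd)\s*=\s*(?P<pw>[^;'"\s]+)""")

# Constructed sample settings.php; every credential in it is made up.
SAMPLE_SETTINGS = """<?php
$databases['default']['default'] = array(
  'driver' => 'mysql',
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'correct-horse',
  'host' => 'localhost',
);
$conf['legacy_dsn'] = 'Driver={SQL Server};Server=db1;Database=drupal;Uid=drupal;Pwd=hunter2';
$conf['socket_db'] = array('username' => 'drupal', 'password' => '');
"""


def find_cleartext_credentials(text):
    """Return (line_number, kind, status) for every credential found.

    status is 'empty' when the password is blank (OWASP's "no password is
    just as good as a clear text password" case), otherwise 'cleartext'.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, regex in (("php-array", PHP_PASSWORD_RE), ("dsn", DSN_PASSWORD_RE)):
            m = regex.search(line)
            if m:
                status = "empty" if m.group("pw") == "" else "cleartext"
                findings.append((lineno, kind, status))
    return findings


def world_readable(path):
    """True if group or others can read the file; settings.php should be 0400/0440."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config(path):
    """Audit one config file: credentials found plus the permission check."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    return {
        "path": path,
        "credentials": find_cleartext_credentials(text),
        "world_readable": world_readable(path),
    }


def audit_sample(mode=0o644):
    """Write the constructed sample to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as f:
        f.write(SAMPLE_SETTINGS)
        path = f.name
    try:
        os.chmod(path, mode)
        return audit_config(path)
    finally:
        os.unlink(path)


def report(result):
    """Print a short human-readable summary of one audit result."""
    print(result["path"])
    for lineno, kind, status in result["credentials"]:
        print(f"  line {lineno}: {status} {kind} credential")
    if result["world_readable"]:
        print("  file is readable by group/others; restrict it to the web server user")


if __name__ == "__main__":
    # Usage: python audit_settings.py sites/default/settings.php [more files...]
    # With no arguments the constructed sample is audited instead.
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            report(audit_config(p))
    else:
        report(audit_sample())
```

Run it against each `sites/*/settings.php` after a deployment; a finding is not by itself a PCI failure, but it tells you exactly which files hold credentials and whether their permissions already limit who on the host can read them.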
Comments
bump
bump
best practices in security
There's a group for discussing best practices in security: http://groups.drupal.org/best-practices-drupal-security
I brought up an unrelated issue about PCI there earlier, "remove phpinfo() for pci compliance", which got some decent discussion.
I'm not sure that PCI requires the ideas you express above. They mostly seem to me like "security through obscurity" which, of course, is not actually security :(
The idea of encrypting the values means that they have to be decryptable without using the database and by the webserver, so the keys to encrypt/decrypt would be readable by anyone who can get access to the settings.php.
Sometimes the best security is "put all your eggs in one basket and watch that basket really really well."
--
Morris Animal Foundation
Thanks for the reply and the
Thanks for the reply and the link to groups.drupal. I agree with you when you say "not sure", as the PCI requirements are a little vague in this area and there is not a recommendation specifically related to this issue. The question was raised internally by management and I just wanted to be able to follow up with some good information.
Thanks again for the great response.