防弹您的Drupal网站

“When you steal money or goods, somebody will notice it’s gone. When you steal information, most of the time no one will notice because the information is still in their possession.” – Kevin Mitnick, The Art of Deception, 2003.
“当您窃取金钱或商品时，有人会注意到它已经消失了。 当您窃取信息时，大多数时候没有人会注意到，因为信息仍由他们掌握。” – 凯文·米特尼克 ( Kevin Mitnick) ，《欺骗的艺术》，2003年。

It’s a worst-case scenario: one fine morning you notice your site has been or is being attacked. Broken security, of course, and usernames, passwords, emails (all three at times) … in short, sensitive information gets revealed to allow an outsider log in to your bank accounts and do all sort of crummy things like making your site relay spam or turning it into a malware den that infects thousand other visiting computers.

这是最坏的情况：一个好的早晨，您会注意到您的网站已经或正在受到攻击。安全性受损，当然还有用户名，密码，电子邮件(有时全部三个)……简而言之，敏感信息会被泄露，以允许局外人登录到您的银行帐户，并进行各种卑鄙的事情，例如使您的站点中继垃圾邮件或将其变成可感染其他数千台访问计算机的恶意软件巢穴。

It is a fact that large numbers of websites lack secure configuration. For a site built with Drupal, logical/programmatic vulnerabilities in contributed (or, customized) modules can make it worse. The problem is that it is a very big task tracking down all the vulnerabilities attackers might use. The list is enormous … and growing.

事实是，大量网站缺乏安全配置。对于使用Drupal构建的站点，贡献(或定制)模块中的逻辑/程序漏洞会使情况变得更糟。问题在于，跟踪攻击者可能使用的所有漏洞是一项非常艰巨的任务。这个列表是巨大的……并且还在不断增长。

I’m going to help you cover the most essential, the most common and the most important vulnerabilities. These steps will help you protect your Drupal sites by reviewing and finding the weaknesses and addressing them. Later, we’ll also look at a few steps to put up some extra protection.

我将帮助您解决最基本，最常见和最重要的漏洞。这些步骤将通过查看并发现缺陷并加以解决，从而帮助您保护Drupal网站。稍后，我们还将研究一些步骤以提供一些额外的保护。

I should point out that I am assuming familiarity with Drupal basics. Explanations of terms used can be found in the Drupal documentation. This will allow me to focus on explaining the concepts involved.

我应该指出，我假设自己熟悉Drupal的基础知识。可以在Drupal文档中找到所用术语的说明。这将使我能够集中精力解释所涉及的概念。

Drupal漏洞 (Drupal vulnerabilities)

不安全的配置 (Insecure configurations)

Drupal core is very secure by default, but vulnerabilities can open unknowingly if the configuration is wrong. There are possibly as many best practices as there are users, but certain settings are common in a secured Drupal environment.

默认情况下，Drupal核心是非常安全的，但是如果配置错误，漏洞可能会在不知不觉中打开。 最佳实践可能与用户一样多，但是某些设置在受保护的Drupal环境中很常见。

Start by limiting the access and rights of anonymous users, including account creation. This will stop spammers and Google link-jackers. Some spammers target creating accounts, while the others posts links to their own sites from yours for a better search engine ranking.

首先限制匿名用户的访问和权限，包括创建帐户。这将阻止垃圾邮件发送者和Google 链接劫持者 。一些垃圾邮件发送者以创建帐户为目标，而其他垃圾邮件发送者则从您的站点发布指向自己网站的链接，以提高搜索引擎排名。

Anonymous users create bogus accounts with automated programs (bots) and in a Drupal setting attackers can create accounts freely, since Drupal discriminates only between authenticated and unauthenticated users. An unauthenticated (or, anonymous) user creating an account effectively obtains privileges.

匿名用户使用自动化程序(机器人)创建虚假帐户，并且在Drupal设置中，攻击者可以自由创建帐户，因为Drupal仅区分经过身份 验证的用户和未经身份 验证的用户。未经身份验证(或匿名)的用户创建帐户可以有效地获得特权。

Next, disallow any content from being posted anonymously. Stopgaps will keep bots from finding your site, which means no flooding with spam content. Creating content or uploading thus must get some check or verification.

接下来，禁止任何内容被匿名发布。 Stopgaps将使僵尸程序无法找到您的网站，这意味着不会出现垃圾内容泛滥的情况。因此，创建内容或上传内容必须经过一定的检查或验证。

Put a limit to uploads, and also on the file types. It is possible with Drupal to set file types to be allowed, so no uploading PHP code. They might execute on the server or could be executable malware, harmfully dynamic content etc. Disallowing the upload of scripts and executables secures a site greatly.

限制上传，还限制文件类型。 Drupal可以设置允许的文件类型，因此无需上传PHP代码。它们可能在服务器上执行，或者可能是可执行的恶意软件，有害的动态内容等。禁止上载脚本和可执行文件可以极大地保护站点的安全。

Error reporting must be curbed. Drupal code results in errors sometimes and, by default, Drupal logs it in its internal error log. The same also gets displayed on the screen, but this is required only in a development environment. What’s of use to programmers is completely useless to end users. Moreover, the debugging messages contain critical configuration info that attackers may make good use of. This is information disclosure vulnerability.

错误报告必须得到遏制。 Drupal代码有时会导致错误，默认情况下，Drupal将其记录在内部错误日志中。屏幕上也会显示相同的内容，但这仅在开发环境中才需要。程序员使用的东西对最终用户完全没有用。此外，调试消息还包含攻击者可能会充分利用的关键配置信息。这是信息泄露漏洞 。

跨站脚本 (Cross Site Scripting)

XSS codes execute inside the browser. The code can be JavaScript, Flash or something similar. XSS uses your session cookies to gain access to everything you have. Visiting a page with a malicious XSS code running may result in new content posting, unknowingly befriending other sites’ users, casting votes and – most annoyingly – changing your own administrative rights!

XSS代码在浏览器中执行。该代码可以是JavaScript，Flash或类似的代码。 XSS使用您的会话cookie来访问您拥有的所有内容。访问运行有恶意XSS代码的页面可能会导致发布新内容，在不知不觉中与其他站点的用户成为朋友，投票以及–最令人讨厌的是–更改您自己的管理权限！

Identifying XSS mostly involves identifying JavaScript vulnerabilities. However, others are not to be ignored. The trick that does it is using a JavaScript alert box. It’s hard to miss when it pops up, especially when the alarm is particular and specific to the place where code is injected. This is helpful for trace-backs.

识别XSS主要涉及识别JavaScript漏洞。但是，其他不容忽视。这样做的技巧是使用JavaScript警报框 。弹出时很难错过，特别是当警报是特定的并且特定于代码注入的地方时。这对回溯很有帮助。

You can do it with these two strings, posted into information and then browsing around your site. The "> helps finding if the code has an HTML attribute. This will pop-up a JavaScript box with a message coming from the title field of a blog node. Go to the page’s HTML, find where the JavaScript leaked through and back trace to the code to add a suitable filter function.

您可以使用发布在信息中的这两个字符串来做到这一点，然后在您的站点中浏览。 ">有助于查找代码是否具有HTML属性。这将弹出一个JavaScript框，其中包含来自博客节点标题字段的消息。转到页面HTML，查找JavaScript泄漏的位置并追溯到添加合适的过滤器功能的代码。

"><script>alert('blog-node-title');</script>

"><img src="u.png" onerror="alert('blog-node-title');"</script>

Drupal also allows configuration changes to fight XSS. To do that, you must not use the PHP input type. Drupal has three default formats (full HTML, filtered HTML and PHP) that users utilize when filling up web forms. Filtered HTML is by far the safest and should be used whenever possible to strip out malicious HTML codes (for example, JavaScript).

Drupal还允许更改配置以对抗XSS。为此，您不得使用PHP输入类型。 Drupal具有三种默认格式(完整HTML，已过滤HTML和PHP)，用户可以在填写Web表单时使用它们。到目前为止，过滤HTML是最安全的，应在可能的情况下使用它来去除恶意HTML代码(例如JavaScript)。

This will ensure safety against XSS (cross-site scripting) and also against CSRF (cross-site request forgery) attacks. While PHP input-type allows users write PHP directly into the existing content and allow the server to evaluate, it also lures attackers. In case there’s a need, enable permissions till it’s crafted. In short, it must stay disabled when not in use.

这将确保抵御XSS( 跨站点脚本 )和CSRF( 跨站点请求伪造 )攻击的安全性。虽然PHP输入类型允许用户将PHP直接写入现有内容并允许服务器进行评估，但它也吸引了攻击者。如果有需要，请启用权限，直到精心制作为止。简而言之，它在不使用时必须保持禁用状态。

跨站请求伪造 (Cross Site Request Forgeries)

The Drupal Form API puts up protection against CSRF. It uses special tokens (in the forms) that are updated constantly. With a module using the Form API for all data-modifying requests and the Form API documentation properly followed, there’s little chance for CSRF to create trouble. For good code, see the Forms API documentation. Menu callbacks, vulnerable to CSRF, are easily dealt with by adding confirm_form() (a confirmation form) to each. Drupal does the rest.

Drupal Form API提供了针对CSRF的保护。它使用不断更新的特殊标记(在表单中)。有了一个使用Form API来处理所有数据修改请求的模块，并且正确遵循了Form API文档 ，CSRF几乎没有机会制造麻烦。有关良好的代码，请参见Forms API文档 。菜单回调容易受到CSRF的影响，可以通过在每个回调中添加confirm_form() (确认表单)来轻松处理。 Drupal负责其余的工作。

Apart from disabling PHP input-type, you may use this trick and directly leverage token generation in Drupal. It involves adding a token; the added token will be returned with a request for the following action and validated before the action is taken. The token is added to the security_review_reviewed function links and then checked in security_review_toggle_check .

除了禁用PHP输入类型之外，您还可以使用此技巧并直接利用Drupal中的令牌生成。它涉及添加令牌；添加的令牌将返回以下操作的请求，并在执行该操作之前经过验证。令牌已添加到security_review_reviewed函数链接中，然后在security_review_toggle_check检入。

A token is a special parameter added to a request. It tells Drupal that it generated a link for a specific user viewing the site. Tokens are added by Drupal to every form it generates and offers invisible protection to the developers.

令牌是添加到请求中的特殊参数。它告诉Drupal，它为查看该网站的特定用户生成了一个链接。令牌由Drupal添加到它生成的每种表单中，并为开发人员提供隐形保护。

$token = drupal_get_token($check['reviewcheck']);
$link_options = array(
'query' => array('token' => $token),
'attributes' => array('class' => 'sec-rev-dyn'),
);

if (!drupal_valid_token($_GET['token'], $check_name)) {
return drupal_access_denied();
}

However, to deal with CSRF in Drupal contributed modules (for example, a link like <img src="http:// website-name/yourmodule/shoes/123/delete" alt="naked girls pic" />), form confirmations along with form tokens are of paramount importance. These ask Are you sure you want to delete this item? for Drupal core and modules.

但是，要在Drupal贡献模块中处理CSRF(例如，类似<img src="http:// website-name/yourmodule/shoes/123/delete" alt="naked girls pic" /> )， 表单确认以及表单令牌至关重要。这些询问您确定要删除此项目吗？ 用于Drupal核心和模块。

So, the bottom line is it is smart to use token protection when generating links and forms manually.

因此，最重要的是在手动生成链接和表单时使用令牌保护是明智的。

SQL注入和数据库API (SQL Injection and the database API)

Less trustworthy data in a database query (for example, feeds, user inputs, some other database etc.) must not be used directly. You stand a chance of being baked if you use something like this:

不得直接使用数据库查询中可信度较低的数据(例如，提要，用户输入，某些其他数据库等)。如果使用以下方法，则有可能被烘烤：

index.php?id=12mysql_query("UPDATE mytable SET value = '". $value ."' WHERE id = ". $_GET['id']);

Or, say, when you combine two strings of data to form a single one (concatenating) that goes in directly into the SQL queries. For example,

或者说，当您将两个数据字符串组合成一个单独的(连接)数据时，这些数据直接进入SQL查询。例如，

<?php
db_query('SELECT FROM {table} t WHERE t.name = '. $_GET['user']);
?>

To counter SQL injection, use Drupal functions and pass the user input treating them as parameters. It goes like this:

为了应对SQL注入，请使用Drupal函数并传递将其视为参数的用户输入。它是这样的：

db_query("UPDATE {mytable} SET value = :valueWHERE id = :id", array( ':value' => $value, ':id' => $id);

Also, using the database abstraction layer helps to ward-off the attacks; besides, with db_query it uses proper argument substitution.

另外，使用数据库抽象层有助于抵御攻击。此外，对于db_query它使用适当的参数替换。

<?php
db_query("SELECT foo FROM {table} t WHERE t.name = '%s' ", $_GET['user']);
?>

To accommodate arguments in variable numbers in SQL, creating a placeholders array helps. So, instead of:

为了在SQL中以可变数字容纳参数，创建占位符数组会有所帮助。因此，代替：

<?php
db_query("SELECT t.s FROM {table} t WHERE t.field IN (%s)", $from_user);
?>

It’s better to put:

最好放：

<?php
$placeholders = implode(',', array_fill(0, count($from_user), "%d"));
db_query("SELECT t.s FROM {table} t WHERE t.field IN ($placeholders)", $from_user);
?>

Using db_rewrite_sql() function calls with SQL statements referring to nodes (or {node}table) will stop violation of node access restrictions. It is an absolute requirement for the mechanism that makes Drupal accesses its nodes; any violation and it is outsiders gaining access to forbidden nodes. It’s done this way:

将db_rewrite_sql()函数调用与引用节点(或{node}table )SQL语句一起使用将停止违反节点访问限制 。这是使Drupal访问其节点的机制的绝对要求。任何违反行为，都是外来者访问禁止的节点。这样做是这样的：

<?php
$result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));
?>

摘要 (Summary)

This was sort of a crash-course on the many kinds of vulnerabilities that drive Drupal users mad, but anyone who has been into these rough waters will know that we have covered the three most important issues, namely – XSS, CSRF and SQL injection, out of which the first two can be easily dealt with if the recommendations on Drupal configuration are properly followed.

这是各种导致Drupal用户疯狂的漏洞的速成课程，但是任何陷入困境的人都知道我们已经涵盖了三个最重要的问题，即XSS，CSRF和SQL注入，如果正确遵循有关Drupal配置的建议，则可以轻松处理其中的前两个。

Let me know in the comments about your experiences with Drupal security, and whether you’d like to see more on the topic from me.

在评论中让我知道有关您使用Drupal安全的经验，以及是否希望从我这里了解更多有关该主题的信息。