1 SQL Injection
index.php?id=12
mysql_query("UPDATE mytable SET value = '". $value ."' WHERE id = ". $_GET['id']); 推荐: db_query("UPDATE {mytable} SET value = :value WHERE id = :id", array(':value' => $value, ':id' => $id);
就是等号也有可能有问题,还有db_like, db_escape_table 函数.
2. Cross Site Scripting (XSS)
文章的标题也可能是<script>alert('abc');</script>比较危险
输出一般可以加上check_plain() -->
<h1 id="page-title" class="title"> <script>alert('abc');</script> </h1>
'<script>alert('abc');</script>' 原封不动的保存在数据表node和field_data_comment里
JS code to a page是不允许到页面中的。
页面中含有JS代码
- Use placeholders in functions like t() or format_plural(): %name, @url, !insecure:
t('%name has a blog at <a href=" @url " _fcksavedurl=" @url " _fcksavedurl=" @url " _fcksavedurl=" @url "> @url </a>', array('@url' => valid_url($user->profile_blog), '%name' => $user->name));
- Use Drupal.t() , Drupal.formatPlural() in JavaScript
3. Authentications and sessions
Drupal has good solutions for that, so don't need to worry too much about these:
当权限改变的时候SESSION_id也会变动的
4. Insecure direct object references
index.php?id=12
db_query("SELECT * FROM {node} WHERE nid = :id", array(':id' => $_GET['id'] )); $select->addtag('node_access');这种就是不对的,最好是加些TAG
One common issue is forget to add "published = Yes" to the view filters. 别忘了
有权限设置的地方都尽量设置考虑一下权限
5. Cross Site Request Forgery (CSRF)
这个就是说从别的站点放进来一个段代码,里面包含一个URL,如果用户加载含有这个URL的页面或者点击某个连接,则会被伪造了一个请求,但这个请求会发生意向不到的结果。
6: Security misconfiguration
服务器和系统软件的安全隐患
security_review模块
网站用户权限设置 特别是administer *** 之类的权限 要谨慎
Update 这个模块其实很有用的 可以不时查看是否有安全级别的软件更新
7. Insecure cryptographic storage
还可以人为的去增加密码的难度
8. Failure to restrict URL access
Drupal approach:
- Menu system uses access callback and access arguments
- Continually review permissions
- 如果忘了写 那就是大家都有权限 这样是比较危险的
9. Insufficient transport protection
尽量使用SSL
10. Unvalidated redirects
Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
当说要跳转到某个地方,这是要注意安全性
http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks