Sunday, April 15, 2007

Hardening Drupal/Common PHP Apps?!

So I'm getting ready to deploy a website for our church (most likely with Drupal) and while I'm excited about building a site, I'm not thrilled about putting a large, commonly deployed PHP app out there. Kudos to WordPress, although really only one paragraph is useful. The rest is the normal blah blah database blah blah firewall blah blah file permissions blah blah.

Sure there is the hardened PHP project, but that doesn't help me much. Does it? If there isn't an Ubuntu (Dapper) package I'm certainly not going to use it. Maybe the fact that there is a php-suhosin patch for Debian 4.0 might be one reason to run Debian, but that wasn't an option (yet) with my VPS provider.

Yeah, there is the howto, but I repeat, I'm not going to do any crap that looks like this:

erver1:/usr/src/php5-5.2.0# dpkg-buildpackage
dpkg-buildpackage: source package is php5
dpkg-buildpackage: source version is 5.2.0-8+etch1
dpkg-buildpackage: source changed by sean finney
dpkg-buildpackage: host architecture i386
dpkg-buildpackage: source version without epoch 5.2.0-8+etch1
dpkg-checkbuilddeps: Unmet build dependencies: apache-dev (>= 1.3.23) apache2-prefork-dev (>= 2.0.53-3) bison chrpath debhelper (>= 3) firebird2-dev flex (>= 2.5.4) freetds-dev libapr1-dev (>= 1.2.7-8) libbz2-dev (>= 1.0.0) libc-client-dev libcurl3-openssl-dev | libcurl3-dev libdb4.4-dev libexpat1-dev (>= 1.95.2-2.1) libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev (>= 2.0.28-3) libjpeg62-dev libkrb5-dev libldap2-dev libmcrypt-dev libmhash-dev (>= 0.8.8) libmysqlclient15-dev | libmysqlclient12-dev libncurses5-dev libpam0g-dev libpcre3-dev (>= 6.6) libpng12-dev libpq-dev | postgresql-dev libpspell-dev librecode-dev libsnmp9-dev | libsnmp-dev libsqlite0-dev libt1-dev libtidy-dev libwrap0-dev libxmltok1-dev libxml2-dev (>= 2.4.14) libxslt1-dev (>= 1.0.18) re2c unixodbc-dev
dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: (Use -d flag to override.)

I barely have enough time to maintain and develop the site, let alone compile stuff from source. And with the ongoing month of PHP bugs folks would have to do a lot of compiling. Not realistic.

And I'm the lucky one, since this is a VPS box (where I at least have root) and not a shared hosting environment like most of the poor saps running PHP apps, I reckon.

BTW I'm not even worried about XSS or SQL injection yet. Just basic stuff, like figuring out the best Apache config that will actually work with Drupal and which files (like blahblahxmlrpc.php) I can safely get rid of from my Drupal directory without breaking the install.

So no real answers yet (although I've started a PHP Security Wiki page). I will also document what I've done on a Hardening Drupal page, and I'd love any suggestions folks have on the latter.
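An Apache 2 vhost fragment for a Drupal document root, added here as an example (it is not from the original post or from the Drupal project): it turns off directory indexes at the server level, blocks xmlrpc.php without deleting it from the install, and keeps AllowOverride permissive enough that Drupal's shipped .htaccess still works. The hostname and paths are placeholders; the Order/Allow syntax is the Apache 2.0/2.2 form that Dapper shipped.

```apache
# Added example, not the original post's config. Placeholder hostname and paths.
<VirtualHost *:80>
    ServerName church.example.org
    DocumentRoot /var/www/drupal

    <Directory /var/www/drupal>
        # No directory listings, set here so it holds even if .htaccess is lost.
        Options -Indexes +FollowSymLinks
        # Drupal's own .htaccess uses Options, php_value and RewriteRule.
        # With AllowOverride None, Apache answers every request with a 500
        # ("not allowed here"), which is what breaks the installer. Permit
        # at least Options and FileInfo; All is the simple choice.
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    # Keep the XML-RPC endpoint on disk but unreachable from the network;
    # removing the file can break upgrades, denying it cannot.
    <Files "xmlrpc.php">
        Order deny,allow
        Deny from all
    </Files>

    # Source and config files that a browser never needs to fetch.
    <FilesMatch "\.(engine|inc|info|install|module|profile|sql|theme|tpl\.php)$">
        Order deny,allow
        Deny from all
    </FilesMatch>

    # Uploads directory: serve files, never execute them as PHP.
    <Directory /var/www/drupal/sites/default/files>
        php_admin_flag engine off
        Options None
        AllowOverride None
    </Directory>
</VirtualHost>
```

Run `apache2ctl configtest` after editing and then request a directory URL and xmlrpc.php to confirm you get 403 rather than a listing or a 500.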


Thomas said...

My advice: give up, install modsecurity, and apply the most fascist configuration you can give it. I don't trust PHP any further than I can read it.

Matt Franz said...

Yeah, and that is the reason the site isn't up yet, because the most basic Apache stuff like disabling indexes broke the installer.