Surely everyone knows that on April 8, 2014, the OpenSSL Project released a security advisory reporting the critical vulnerability CVE-2014-0160 in the popular OpenSSL cryptographic library.
More has already been written about this vulnerability on Habr; here we will look at how to secure your Drupal site.
You can check whether your site is vulnerable using this service:
http://filippo.io/Heartbleed/ (or, if you prefer,
http://possible.lv/tools/hb/ or
http://www.ssllabs.com/ssltest/).
Since the vulnerability concerns SSL, only HTTPS hosts need to be checked.
If you are unlucky and the vulnerability is present, the first thing to do is
update the OpenSSL library, or contact support if you are on rented hosting.
Next, we will go through the steps I would recommend to everyone, regardless of the result of that test: by the time you ran the check, the vulnerability may already have been patched, and there is no way to find out whether it had been exploited before that.
Change SSL certificates
You need to issue new SSL certificates based on a new private key and revoke the old certificates.
These steps are fairly specific and depend on where you bought the certificates.
Replace private variable values
- Update drupal_private_key
using hook_update_N():
function your_module_update_X() { variable_set('drupal_private_key', drupal_random_key()); }
or with a drush command:
drush eval "variable_set('drupal_private_key', drupal_random_key());"
- Update drupal_hash_salt
using hook_update_N():
function your_module_update_X() { variable_set('drupal_hash_salt', drupal_hash_base64(drupal_random_bytes(55))); }
or with a drush command:
drush eval "variable_set('drupal_hash_salt', drupal_hash_base64(drupal_random_bytes(55)));"
Replace the SSO authentication private key
If you use SSO authentication, you also need to replace its private key. For example, with the
Bakery module the key can be replaced on the module's settings page.
Delete active sessions
There are three ways to do this:
Please note that all site users will be logged out as a result.
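The key rotation and session clean-up above can be done in a single update hook. The following is an added example, not code from the original post; it assumes a hypothetical module named heartbleed_rotate on Drupal 7. Note that Drupal 7 core reads the hash salt from the $drupal_hash_salt setting in settings.php (drupal_get_hash_salt()), so the new salt value also has to be written there.

```php
<?php
/**
 * Implements hook_update_N() for a hypothetical module "heartbleed_rotate".
 *
 * Rotates drupal_private_key and drops every active session in one step,
 * so the whole clean-up runs with a single "drush updb". Stored password
 * hashes are unaffected: Drupal 7 salts each password individually.
 */
function heartbleed_rotate_update_7001() {
  $old_key = variable_get('drupal_private_key', '');

  // Fresh 256-bit key from Drupal's CSPRNG wrapper (drupal_random_bytes()).
  variable_set('drupal_private_key', drupal_random_key());

  // Abort the update run if the value did not actually change.
  if (variable_get('drupal_private_key', '') === $old_key) {
    throw new DrupalUpdateException('drupal_private_key was not rotated.');
  }

  // Remove every session so that any session ID that may have been read
  // from server memory is useless. The account running the update is
  // logged out as well.
  $count = (int) db_query('SELECT COUNT(*) FROM {sessions}')->fetchField();
  db_truncate('sessions')->execute();

  // The salt itself lives in settings.php as $drupal_hash_salt, so a
  // variable_set() alone does not change what the site uses; generate the
  // replacement value here the same way the installer does and paste it in.
  $salt = drupal_hash_base64(drupal_random_bytes(55));

  watchdog('heartbleed_rotate',
    'Rotated drupal_private_key and removed @n active sessions.',
    array('@n' => $count), WATCHDOG_NOTICE);

  return t('Rotated drupal_private_key, removed @n sessions. Set in settings.php: $drupal_hash_salt = \'@salt\';',
    array('@n' => $count, '@salt' => $salt));
}
```

Run it with "drush updb"; after that, everybody (including you) must log in again, and any one-time login links and form tokens issued earlier stop working.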
Reset passwords for users with broad access rights (or better, for all users)
Here I can suggest the following:
- notify users that they need to change their password, and rely on their conscientiousness
- forcibly change users' passwords, with an appropriate notification by email; the Mass Password Reset module can help with this
- if the previous option seems too harsh on your users, you can use the Password policy module. With it you can mark all passwords as "expired", which means the password must be changed at the next login. In general, I recommend always using this module. It is on the list of modules recommended by Acquia for improving site security.
That seems to be all.