Drupal Security Notice 2013-003 Optimization

Vendor Supplied Security Enhancements via Htaccess Rules

Recently Drupal 7.24 was released. This release included Security Notice SA-2013-003. The notice reports that malicious files uploaded to a Drupal website’s files directory may be executed by the web server. Uploaded files should never be executable on the server; this is a best practice for any web framework or stack.

To address this, Drupal 7.24 can write Apache .htaccess rules that stop PHP scripts from being executed in the upload directories. But .htaccess files carry a performance penalty in a production environment. Here is an overview of how to take those rules and apply them to your VirtualHost configuration instead.

Optimizing the Security Fix

.htaccess files are just a convenience mechanism for changing Apache configuration without restarting Apache: they are read and evaluated on every request. For performance reasons you may want to place the directives from any .htaccess file directly into a vhost entry, so the configuration is loaded and stored only once, at Apache startup.

From the security notice SA-2013-003:

Warning: Fixing the code execution prevention may require server configuration; please read:

To fix the code execution prevention vulnerability on existing Apache installations also requires changes to your site’s .htaccess files in the files directories. Until you do this, your site’s status report page at admin/reports/status will display error messages about the problem. Please note that if you are using a different web server such as Nginx the .htaccess files have no effect and you need to configure PHP execution protection yourself in the respective server configuration files.

To fix this issue, you must edit or replace the old .htaccess files manually. Copies of the .htaccess files are found in the public files directory and temporary files directory, and (for Drupal 7 only) the private files directory if your site is configured to use one.

So take whatever is in the .htaccess file in each of your website’s configured files directories (public, private, temporary) and make sure those same rules are present in the vhost entry for that same set of directories. Typically you do this with a <Directory> directive:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
......
<VirtualHost 123.123.123.123:80>
    DocumentRoot /var/www/html/mysite1.de
    ServerName mysite1.de
    ServerAlias mysite1.de *.mysite1.de

    <IfModule mod_rewrite.c>
        <Directory "/var/www/html/mysite1.de">
            RewriteEngine on
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_URI} !=/favicon.ico
            RewriteRule ^ index.php [L]
        </Directory>
    </IfModule>

    # Enforce new security rules from SA-CORE-2013-003.
    # repeat this block as needed per known "files" directories.
    <Directory "/var/www/html/mysite1.de/sites/default/files">
      # Turn off all options we don't need.
      Options None
      Options +FollowSymLinks

      # Set the catch-all handler to prevent scripts from being executed.
      SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
      <Files *>
        # Override the handler again if we're run later in the evaluation list.
        SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
      </Files>

      # If we know how to do it safely, disable the PHP engine entirely.
      <IfModule mod_php5.c>
        php_flag engine off
      </IfModule>
    </Directory>
</VirtualHost>

It doesn’t matter if the default web directory has AllowOverride None; typically another conf file included later in the Apache startup chain, or the virtual-host loading setup (such as the following in Ubuntu), can be adjusted to allow any combination of overrides:

# Ubuntu apache2.conf last line ...
# Include the virtual host configurations:
Include sites-enabled/

This simply says to include *.conf from sites-enabled. These don’t have to be vhost entries; they can be any files containing Apache directives (though it’s cleanest for them to be vhost entries), and Apache loads the configuration files in filename sort order.
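A quick way to check that the rules from the files-directory .htaccess really did make it into the vhost's <Directory> block, as an added example that is not part of the original post. It parses the directives out of both fragments and reports what the vhost is missing; the .htaccess and vhost texts are constructed samples based on the rules shown above (the weak vhost deliberately omits the php_flag block).

```python
import re

# Constructed sample: the files-directory .htaccess rules from SA-CORE-2013-003.
DRUPAL_FILES_HTACCESS = """
Options None
Options +FollowSymLinks
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
"""

# Constructed sample vhost: the Directory block exists but the PHP engine was left on.
VHOST_WEAK = """
<VirtualHost 123.123.123.123:80>
    <Directory "/var/www/html/mysite1.de/sites/default/files">
      Options None
      Options +FollowSymLinks
      SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
      <Files *>
        SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
      </Files>
    </Directory>
</VirtualHost>
"""

def directives(text):
    """Directive lines with comments, blank lines and container tags dropped, whitespace collapsed."""
    lines = (l.strip() for l in text.splitlines())
    return [" ".join(l.split()) for l in lines if l and l[0] not in "#<"]

def directory_block(vhost_text, path):
    """Body of the <Directory "path"> block in a vhost, or None if absent."""
    pat = re.compile(r'<Directory\s+"?%s"?\s*>(.*?)</Directory>' % re.escape(path), re.S)
    m = pat.search(vhost_text)
    return m.group(1) if m else None

def missing_rules(htaccess_text, vhost_text, files_dir):
    """.htaccess directives that the vhost's Directory block for files_dir lacks."""
    block = directory_block(vhost_text, files_dir)
    have = set(directives(block)) if block is not None else set()
    return [d for d in directives(htaccess_text) if d not in have]

if __name__ == "__main__":
    files_dir = "/var/www/html/mysite1.de/sites/default/files"
    print(missing_rules(DRUPAL_FILES_HTACCESS, VHOST_WEAK, files_dir))  # ['php_flag engine off']
```

Container nesting (<Files>, <IfModule>) is flattened, so the check confirms the directives are present, not that they sit in the same containers; run it once per configured files directory (public, private, temporary).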

Author Spotlight

David Gurba

I am a web programmer currently employed at UCSB. I have been developing web applications professionally for 8+ years now. For the last 5 years I’ve been actively developing websites primarily in PHP using Drupal. I have experience using LAMP and developing data driven websites for clients in aviation, higher education and e-commerce. If you’d like to contact me I can be reached at david.gurba@arvixe.com
