fix: "Mitigated RCE vulnerability by updating Drupal and enhancing security configurations"

owasp-top10-2021-apps/a5/vinijr-blog/app/contact.php

@@ -1,12 +1,26 @@
 <?php
+libxml_disable_entity_loader(true);
+
 $xmlfile = file_get_contents('php://input');
+
 $dom = new DOMDocument();
-$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
+
+$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NOERROR | LIBXML_NOWARNING);
+
 $contact = simplexml_import_dom($dom);
-$name = $contact->name;
-$email = $contact->email;
-$subject = $contact->subject;
-$message = $contact->message;
 
-echo "Thanks for the message, $name !";
-?>
+if (isset($contact->name) && isset($contact->email) && isset($contact->subject) && isset($contact->message)) {
+    $name    = htmlspecialchars($contact->name, ENT_QUOTES, 'UTF-8');
+    $email   = filter_var($contact->email, FILTER_VALIDATE_EMAIL);
+    $subject = htmlspecialchars($contact->subject, ENT_QUOTES, 'UTF-8');
+    $message = htmlspecialchars($contact->message, ENT_QUOTES, 'UTF-8');
+
+    if ($email !== false) {
+        echo "Thanks for the message, $name!";
+    } else {
+        echo "Invalid email address!";
+    }
+} else {
+    echo "Invalid XML format!";
+}
+

owasp-top10-2021-apps/a6/cimentech/app/html/.htaccess

@@ -2,7 +2,7 @@
 # Apache/PHP/Drupal settings:
 #
 
-# Protect files and directories from prying eyes.
+# Additional security protection for critical files and directories
 <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
@@ -12,7 +12,17 @@
   </IfModule>
 </FilesMatch>
 
-# Don't show directory listings for URLs which map to a directory.
+# Protect the uploads directory to prevent PHP script execution
+<Directory "wp-content/uploads">
+  <IfModule mod_php7.c>
+    php_flag engine off
+  </IfModule>
+  <IfModule mod_php8.c>
+    php_flag engine off
+  </IfModule>
+</Directory>
+
+# Prevent directory listings for URLs mapping to directories.
 Options -Indexes
 
 # Follow symbolic links in this directory.
@@ -149,6 +159,26 @@ DirectoryIndex index.php index.html index.htm
 
 # Add headers to all responses.
 <IfModule mod_headers.c>
-  # Disable content sniffing, since it's an attack vector.
-  Header always set X-Content-Type-Options nosniff
+  # Disable content sniffing to avoid attack vectors.
+  Header always set X-Content-Type-Options "nosniff"
+
+  # Protection against XSS attacks
+  Header set X-XSS-Protection "1; mode=block"
+
+  # Protect against Clickjacking
+  Header always append X-Frame-Options SAMEORIGIN
+
+  # Protect against content and command injections
+  Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';"
 </IfModule>
+
+# Prevent script execution in wp-includes directory (applicable for WordPress)
+<IfModule mod_rewrite.c>
+  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
+</IfModule>
+
+# Prevention against illegitimate requests in WordPress
+<Files xmlrpc.php>
+  Order Deny,Allow
+  Deny from all
+</Files>

owasp-top10-2021-apps/a6/cimentech/deployments/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.3'
 
 services:
   drupal:
-    image: drupal:7.57
+    image: drupal:7.101
     container_name: drupal
     environment:
       POSTGRES_PASSWORD: example