Open source software security

Drupal Core XSS Vulnerabilities

Drupal (https://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Drupal core suffers from multiple persistent (stored) cross site scripting (XSS, or arbitrary script injection) vulnerabilities because the core System module fails to sanitize module names and descriptions provided in module metadata files (identified by their .info extension) before display in some locations.

Drupal OM Maximenu Multiple Vulnerabilities

The Drupal OM Maximenu module, prior to versions 6.x-1.44 and 7.x-1.44, suffers from a number of vulnerabilities, including several arbitrary script injection (XSS) flaws. The module also gives users with permission to "Administer OM Maximenu" the ability to execute arbitrary PHP with no indication of the power of this privilege. This could allow attackers who gain access to accounts with this permission to compromise the host web server, attack other users, and more.

Drupal Inf08 Theme XSS Vulnerability

The Drupal Inf08 theme, prior to version 6.x-1.10, contains an XSS vulnerability due to the fact that it fails to properly sanitize taxonomy terms before display. This could allow attackers who have the ability to create taxonomy terms to perform arbitrary script injection attacks via persistent cross site scripting.

Drupal Hotblocks Module XSS and DoS Vulnerabilities

The Drupal HotBlocks module contains a persistent cross site scripting (XSS), or arbitrary script injection, vulnerability due to the fact that it fails to sanitize user supplied data before display. The HotBlocks module also suffers from a denial of service vulnerability due to a user triggered infinite code loop.

Goodbye Drupal

I finally moved my site off of Drupal as a content presentation technology. This decision was the result of a number of factors, including the poor content management capabilities of Drupal, the security implications of the massive code base, the fact that the administrative interface lives in the web root and is accessible globally, and the resource intensive nature of the system, which was causing my site to crash.

Drupal Less CSS Module XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal LESS CSS Preprocessor (hereafter Less) module (https://drupal.org/project/less) "will automatically process any LESS files that are added using drupal_add_css or added through your theme's .info file." The Less module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize Less error messages before display.

Drupal FileField Sources XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal FileField Sources module (https://drupal.org/project/filefield_sources) "lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means." The FileField Sources module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied filenames before display.

Drupal Custom Publishing Options XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Custom Publishing Options module (https://drupal.org/project/custom_pub) contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize format names before display.

Drupal Creative Commons 6.x-1.0 XSS Vulnerability

The Drupal Creative Commons module (https://drupal.org/project/creativecommons) "allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. It also provides integration between CC and Drupal technology." The Creative Commons module contains multiple persistent cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied input before display.

Drupal Multiblock 6.x-1.3 XSS Vulnerability

The Drupal Multiblock module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize block descriptions before display.

Drupal Wishlist 6.x-2.4 XSS Vulnerability

The Drupal Wish List module (https://drupal.org/project/wishlist) "Allows authorized users to submit wishlist nodes to your web site which describe items they would like for a special occasion." The Wish List module contains a cross site scripting vulnerability due to the fact that unchecked URL variables are used to render JavaScript actions on site pages.

Drupal MultiSite Search Module SQL Injection Vulnerability

The Drupal Multisite Search module (https://drupal.org/project/multisite_search) contains a SQL injection vulnerability due to the fact that it doesn't sanitize the user supplied table_prefix value during query construction in the multisite_search_cron() function called when the Drupal cron is run.

Drupal Mobile Tools 6.x-2.3 XSS

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Mobile Tools module (https://drupal.org/project/mobile_tools) "provides Drupal developers with some tools to assist in making a site mobile." The Mobile Tools module contains several persistent cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied values before display.

Drupal Data 6.x-1.0 XSS Vulnerability

The Drupal Data module (https://drupal.org/project/data) "helps you model, manage and query related sets of tables. It offers an administration interface and a low level API for manipulating tables and accessing their contents." The Data module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize table names before display.

Drupal Finder 6.x-1.9 XSS and Remote Code Execution Vulnerabilities

Reported: January 6, 2012

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Finder module (https://drupal.org/project/finder) "allows Drupal site administrators to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes." The Finder module contains multiple vulnerabilities including persistent cross site scripting (XSS) and an arbitrary code execution vulnerability.

Systems affected:

Drupal Revisioning 6.x-3.13 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Revisioning module (https://drupal.org/project/revisioning) "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize tags before display.

Systems affected:

Drupal 6.22 with Revisioning 6.x-3.13 was tested and shown to be vulnerable.

Impact

Drupal ManageSite 6.x-1.0 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal ManageSite module (https://drupal.org/project/managesite) contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize region names before display.

Systems affected:

Drupal 6.22 with ManageSite 6.x-1.0 was tested and shown to be vulnerable.

Impact

Drupal Video Filter 6.x-2.8 XSS Vulnerability

The Video Filter module version 6.x-2.8 contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize user supplied third party data before display.

Drupal Vote UP Down 6.x-3.0 XSS Vulnerability

The Drupal Vote Up Down module version 6.x-3.0 contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize taxonomy terms before display.

Drupal Autocomplete Node Finder 6.x-2.9 XSS Vulnerability

The Drupal Autocomplete Node Finder module (https://drupal.org/project/autocomplete_node_finder) contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize node titles before display.

Drupal SuperCron 6.x-1.3 XSS Vulnerability

The Drupal SuperCron module version 6.x-1.3, created by 63 Reasons (http://www.63reasons.com/), contains a persistent arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize user supplied data before display.

Drupal Webform Validation Module XSS

Reported: August 31, 2011

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Webform Validation module (http://drupal.org/project/webform_validationt) is designed to provide additional verification for nodes using the Webform module (http://drupal.org/project/webform). The Webform Validation module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize rule names or custom error messages before display.

Auditing Drupal Modules for Cross Site Scripting Vulnerabilities

About XSS

Cross site scripting (XSS) is a pervasive problem in Drupal because the development team takes the approach that data should be sanitized upon display rather than input. The rationale for this decision is to maintain data integrity despite translation or manipulation. This is a somewhat non-standard approach in web application circles and leads to no small amount of confusion about "trusted" data sources and the display of data. In general, all user supplied data must be filtered upon display. Drupal provides several useful API calls to facilitate this transformation. These include, but are not limited to, filter_xss(), check_plain(), and the t() function. Drupal output sanitization functions must be used carefully and properly, however, especially the t() function, as misuse can introduce unexpected vulnerabilities.

First Confirmed Drupal Brute Force

Recently we instituted the Drupal Login Security module on our Drupal sites. This module alerts the site administrator of multiple failed login attempts among other defensive mechanisms. I installed the module in response to a proof of concept that I developed that explored how attackers could enumerate and then brute force Drupal accounts.

Whoops!

Boy, what a terrible weekend! On Friday I found what I thought was a pretty amazing Drupal vulnerability. I reported it at the very end of the day. It was kind of a rush job as I was trying to get out the door, but I thought it was important enough that I wanted to send something in right away. I waited with anticipation for confirmation of my e-mail receipt from Drupal security. Friday night came and went with no word, Saturday waned and I stopped checking my e-mail in the late afternoon. I woke up Sunday morning to find a response from Drupal security.

Theming Views in Drupal 6

Views can be really powerful tools for creating lists or aggregations of node content already on your site. There are several powerful output formats for views including lists and sortable tables. However, if you want to move beyond these displays or add additional HTML or functionality to your view you may choose to apply a theme to it. In the same way that you can theme page, block, and node content you can also theme your views.

Drupal security process evolution

The Register just published an article on recent changes to the Drupal security team's stance toward release candidate (RC) status modules. The article notes that Drupal security has clarified their support of modules by specifically removing support for modules RC1 and higher. This is an important change because it means that many more Drupal modules are not supported. Full disclosure: I was quoted for The Register article. I am not a member of the Drupal security team.

Customizing Drupal Content Type Input Forms

I've recently been struggling to alter a form in Drupal associated with the creation of a new node for a specific content type. I wanted something that wasn't as heavy as a module, and I couldn't seem to find a solution using views.

Distributed brute force attacks against Drupal

We're using a combination of Drupal 6 with the syslog module and OSSEC to monitor our Drupal web applications at work. I've noted a frightening trend recently of multiple failed login attempts for the same username from different IP addresses. This appears to be the work of a botnet. The following are some of the logs that we've gotten recently:

Drupal vs. SElinux

SElinux came back to bite me again today during an installation of Drupal 6-19 on a new virtual machine for testing. I had downloaded the tar.gz package from Drupal.org, set up a database, unzipped the package, and was walking through the graphical installation process in my web browser. I would make it to the installation point where Drupal requested me to copy the ./sites/default/default.settings.php to ./sites/default/settings.php. After copying the file and creating the directory ./sites/default/files I was ready to install.

Protecting Drupal with CAPTCHA

Spam is a persistent problem online. Your Drupal site will very likely face an inundation of spam at some point in its lifetime. Most often this comes in the form of comment spam, usually designed to drive traffic away from your site to the spammer's site, or to increase the search engine rank of the spammer site by hosting links to that target. Most spam injection techniques are automated so that spammers can blast out a large number of links in comments on many different sites with minimal effort.

Drupal 5 Unsupported, Abandoning Users

Drupal 7 came out recently which means that according to Drupal policy (http://drupal.org/documentation/version-info), Drupal 5 is no longer supported. Released in January 2007, Drupal 5 is a venerable and solid solution. This has resulted in many, many sites being built with Drupal 5. Now that Drupal 5 is no longer supported it has become abandonware. Users of Drupal 5 are now left to their own devices in terms of maintenance, patching and upgrades.

Drupal Login Security Module "Bug Fix" Actually Security Update

The Drupal Login Security module (http://drupal.org/project/login_security) recently pushed out a "bug fix" update (http://drupal.org/node/1100502) to the 6.x version of their module. The update addresses a number of small bugs, but buried in the change notices is the rather astounding fix for the issue "#601846: uid 1 not being blocked." This is actually a pretty big deal. After noticing this little gem I hurried to test the older version of Login Security 6.x-1.0.

Drupal Angst

From reading my blog and website you might get the impression that if asked to recommend a CMS I would answer: Drupal. The reality is that I was an unfortunate evangelist of Drupal early on when my work did a CMS evaluation. We looked at the available systems that matched our infrastructure and our requirements and chose Drupal. I ended up learning Drupal in order to implement it in a large, enterprise environment. I sold the system to my co-workers and my superiors and was then invested in supporting it. Sadly, I couldn't have chosen a less fulfilling technology community to join.

Removing PHP Inputs from Drupal

The Drupal content management system allows access to features that enable users to write PHP directly through the Drupal administrative interface. This ability is a security risk because it places Drupal in the role of adjudicating access to the web server process. The ability to write PHP translates directly into access to web server control. In order to harden Drupal installations it is advisable to remove the ability to craft PHP via the web interface. Removing PHP input greatly reduces the threat that an attacker can use the Drupal system to take over the host web server.

Drupal Messaging Module XSS Vulnerability

The Messaging framework module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that the user supplied input is not sanitized before display.

Drupal SWFTools Module XSS Vulnerability

The Drupal SWF Tools module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied input before display.

Drupal Custom Pagers XSS Vulnerability

The Custom Pagers module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize Custom Pagers names before display in the administrative back end interface.

Drupal Panels 5.x-1.2 XSS Vulnerability

The Drupal Panels module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize div classes and id specifications for panels before display.

Drupal Panels Module XSS Vulnerability

Unfortunately the Drupal Panels module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize div classes and id specifications for panels before display.

Drupal Image Module XSS Vulnerability

The Drupal Image module contains a cross site scripting (XSS) vulnerability due to the fact that the module fails to sanitize gallery names before display.

Drupal Embedded Media Field Module XSS Vulnerability

Unfortunately the Embedded Media Field module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize filenames of thumbnail images before display.

Monitoring Drupal with OSSEC

Drupal 6 provides the syslog module by default, which allows Drupal to write some log entries directly to the system log. The OSSEC open source host based intrusion detection system is a perfect system for monitoring events in a system log. By implementing a custom decoder and a few rules you can easily modify your OSSEC installation to monitor your Drupal site for common attacks, including brute force attacks or other malicious activity.

Drupal Context Module XSS

The Context module contains a cross site scripting (XSS) vulnerability because it fails to sanitize block descriptions before display.

Drupal Better Formats 6.x-1.2 XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Better Formats module (http://drupal.org/project/better_formats) contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize format names before display.

Auditing Drupal Modules for XSRF Vulnerabilities

Cross site request forgery (CSRF (pronounced sea-surf) or XSRF) is a trust exploitation that shares many similarities with cross site scripting (XSS). Drupal implements a robust forms API that helps protect against XSRF so these types of vulnerabilities are uncommon in Drupal. Unfortunately they do still exist with certain module implementations. It is important to understand the causes of XSRF in Drupal in order to spot potential problems in module code.

About XSRF

Using Drupal XML-RPC to Bypass Authentication Failure Detection

Drupal provides robust, and largely ignored, XML remote procedure call (RPC) functionality. This functionality is available through the xmlrpc.php file that is available at the Drupal root in any installation. Any module can provide a hook into the XMLRPC interface by providing a moduleName_xmlrpc() function. However, some XMLRPC functionality allows malicious attackers to launch a brute force attack against a site without causing any login failure messages to appear in the site logs.

Drupal Zen Theme 6.x-1.1 XSS Vulnerability

Drupal is a robust content management system (CMS) written in PHP and MySQL that provides custom look and feel functionality with themes. The popular Zen theme contains a cross site scripting vulnerability due to the fact that it fails to properly sanitize breadcrumb separators upon display allowing arbitrary script injection.

Auditing Drupal Modules for XSS Vulnerabilities

Cross site scripting (XSS) vulnerabilities can have an incredibly damaging effect on a Drupal site. In addition to introducing malware, redirecting users, or other nefarious interactions, arbitrary script on a Drupal site can actually interact with the system allowing an XSS vulnerability to escalate into an account compromise or even a site compromise. Finding XSS vulnerabilities in Drupal modules can be a tricky task, but there are some general guidelines you can follow to ease the task.

About XSS

Securing Drupal User Accounts

Securing a default Drupal installation takes some work and forethought. Drupal has a number of extremely helpful features that enable users to do some powerful things, but many of these features can be used for malicious purposes in the wrong hands. Some of the Drupal features that were intended to make users' lives easier are extremely functional, but others only serve a small minority. The features that open vulnerability gaps and are not employed by most Drupal users should be disabled, or removed entirely. Many of the default Drupal features present vulnerabilities that can only be mitigated through careful configuration.

Drupal Twitter Module Credential Exposure

The Drupal Twitter module handles credentials in an unsafe manner, allowing anyone with read access to the Drupal database, or with access to network traffic between the Drupal server and the Twitter API, to observe the full Twitter username and password for the Twitter user configured through the module.

Brute Forcing Drupal

Drupal sites typically grant elevated privileges to authenticated users and special privileges to site administrators. If an attacker can compromise account credentials to a Drupal site then they can easily elevate their privileges, perhaps gaining the ability to write arbitrary HTML or even PHP. Once an attacker compromises a valid Drupal account they can begin to leverage their new access to do more damage to the target site, perhaps even to hijack the entire web server process. Drupal uses form posts with predictable formats for user authentication and no defensive measures to prevent a brute force, or password guessing, attack. Furthermore, some Drupal sites facilitate the easy capture of user accounts for the creation of a targeted user list to increase the likelihood of a successful brute force attack.

Monitoring Drupal for Insecure Settings

The Drupal content management system (CMS) is a wonderful tool for maintaining multiple, user driven and owned websites. From a security context, however, Drupal can present a challenge. Much of Drupal's power comes from its high degree of customization and the fact that users need nothing more than a web browser to maintain a website. Drupal is also described as "community plumbing," a driving principle that seeks to include the input of website visitors as contributors. These factors combined make Drupal a perfect target for enterprising attackers who wish to post malicious content, spam, and other undesirable material to your websites. Fortunately Drupal includes several technical safeguards to prevent your websites from being compromised, but much of Drupal's customizable power, if utilized incorrectly, can actually assist attackers in hijacking your sites.

Drupal 5.20 and 6.14 Filter Module (Core) XSS Vulnerabilities

The Drupal Filter module, part of Drupal core, contains a cross site scripting vulnerability in Drupal version 5.20 and 6.14. This vulnerability could allow attackers that can manipulate the site name variable to inject arbitrary HTML into page display.

Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability

The Drupal Wikitools module versions 6.x-1.2 and 5.x-1.3 contain cross site scripting vulnerabilities due to the fact that they fail to sanitize the output of content type names before display. This vulnerability could allow attackers who can craft content type names to inject arbitrary HTML into pages.

Drupal 5 to 6 Upgrade

Drupal supports two versions at any given time (a major and a minor). Currently these are Drupal 6 and 5 respectively. This scheme ensures that Drupal is always fresh, but with new versions constantly in the works (Drupal 7 is floating around now) it also means that at some point you'll have to upgrade your Drupal site in order to keep it in support. Upgrading is always a scary process, and I recently upgraded a site from Drupal 5 to Drupal 6. Unfortunately the process didn't go as smoothly as this screencast makes it seem, but it wasn't a total disaster. The biggest hurdles for me were fixing friendly URLs. They weren't working after the upgrade, but figuring out the "unfriendly" versions of link targets to use so I could get them working was a chore. I needed the friendly URL settings to be correct before the upgrade.php script would even work properly.

Drupal 6 Core Cross Site Scripting Vulnerabilities

Drupal 6.12 core contains two oft used functions that fail to properly sanitize output. Drupal utilizes the non-standard method of user supplied input sanitizing by scrubbing data as it is retrieved from the data layer, rather than as it is submitted. This leads to many instances of confusion amongst developers and vulnerabilities in Drupal modules. Even the Drupal core is not immune to these sorts of errors. Cross site scripting vulnerabilities, or the injection of arbitrary HTML into the data layer that is later rendered without being sanitized, can lead to compromise of Drupal user accounts.

Drupal Content Access Module XSS Fun

After my latest Drupal module vulnerability disclosure (a cross site scripting (XSS) vulnerability in the Drupal 6 Content Access module) I was contacted by a reporter from a pretty big British news agency who wanted details about the problem. Given the large number of Drupal sites on the web it must have seemed like a vulnerability was a pretty big deal. I quickly responded and let him know that the vulnerability remained relatively obscure and difficult to exploit and probably wasn't worth his time but it got me thinking. Security is a pretty broad field and I spend most of my time on one extreme. Asking me about computer security and privacy is probably a lot like asking a law enforcement agent about home security - you're going to get an answer colored by experience.

Is Drupal Ready for the Enterprise?

Drupal (http://drupal.org) is a robust, long lived, and quite vibrant open source content management system (CMS) supported by a broad community. Although Drupal has many of the trappings of an enterprise level CMS such as dedicated development and security teams, commercial backing from companies like Acquia and others, it may not be fully ready for the enterprise. I will define enterprise software as large scale software that supports a diversity of users, separation of privilege and roles, and support for business work flow management.

Drupal 6 CCK Module Allows Arbitrary PHP Injection

Drupal 6 does a rather good job of preventing unauthorized users from injecting PHP into content in order to take control of the web server. Unlike Drupal 5, Drupal 6 does not have a default PHP input type, which is a huge leap forward in preventing users from crafting PHP. This helps protect the web server from compromise should someone gain Drupal credentials. The Drupal site touts this new feature.

The Case For and Against Drupal

I've spent a lot of time in my professional career touting Drupal as a solution for enterprises looking to offer web application capabilities without the massive overhead of a development team. Drupal is a great tool to support these sorts of endeavors, but lately I've been asking myself if it makes sense to use Drupal to power smaller projects. Drupal provides a host of features and functionality that make it easy to implement a complex web application and provides robust management and reporting capabilities. However, if you're not using these features then they become bloat.

Drupal Brilliant Gallery 5.x-4.1 SQL Injection Vulnerability

The Brilliant Gallery module (http://drupal.org/project/brilliant_gallery), created by Vacilando (http://www.vacilando.org/), is designed to allow users to easily create dynamic picture galleries by uploading images directly to a server and including code directly within nodes to display the gallery. Unfortunately the module contains a SQL injection vulnerability.

Drupal 5.20 and 6.14 (Core) XSS Vulnerabilities

Drupal 6.14 and 5.20 suffer from cross site scripting vulnerabilities because they fail to properly sanitize the 'site name' and 'site slogan' values in the HTML headers, allowing attackers with privileges to alter these values to inject arbitrary HTML.

Tips for Securing Drupal

Keep your Drupal installation and modules up to date. Subscribe to the security mailing list at http://drupal.org/security. When you see an announcement, be sure to upgrade in a timely manner.

Update your Drupal Instance

The Drupal team released a critical announcement today advising that all users update their Drupal 5.x and 6.x installations. Several vulnerabilities exist within the Drupal core that could be used by remote attackers to exploit cross site scripting (XSS), session fixation and SQL injection vulnerabilities. Because it doesn't take attackers long to reverse engineer exploit code after a patch is released (see http://www.madirish.net/?article=212) it is important to upgrade your Drupal installation as soon as possible. The full text of the announcement follows and can also be found at http://drupal.org/node/280571:

------------SA-2008-044 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-044
* Project: Drupal core
* Version: 5x, 6.x
* Date: 2008-July-9
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

Creating Drupal External Authentication

Recently I recommended that my employer, the University of Pennsylvania School of Arts and Sciences, begin pushing Drupal as a CMS solution for departmental websites. There were a lot of factors to consider when evaluating the various CMS solutions available, especially for an institution of higher education. We took a look at a number of CMS solutions and based our evaluation on a wide breadth of criteria. Ultimately we scored each of the CMS solutions based on a common set of benchmarks. Typo3 was actually our first choice for deployment. Typo3 has a strongly tiered, but central deployment that allows you to set up test, staging and production servers but also maintain a single central deployment from which a multitude of sites can be run.

Exploiting Drupal Node2Node XSS Vulnerability

The Drupal Node2Node module was recently flagged by the Drupal security team as insecure and unmaintained (http://drupal.org/node/572852). The module was subsequently unpublished by Drupal, removing it from the main site downloads. This means that the module is no longer supported by Drupal. The Drupal security team announcement did not specify what vulnerabilities were contained within the Node2Node module, but a quick glance at the code and some testing quickly reveals a cross site scripting (XSS) vulnerability in the Node2Node module. To exploit the vulnerability simply follow the proof of concept steps below:

Drupal 6.22 Core XSS Vulnerability

Drupal 6.22 core contains a cross site scripting vulnerability in the user module.

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various core modules. The user module controls user login and management. The user module's access rules functionality contains a persistent cross site scripting vulnerability because it fails to sanitize mask values before display.

Systems affected:

Drupal 6.22 was tested and shown to be vulnerable.

Drupal Download Count Module XSS Vulnerability

The Drupal Download Count module (http://drupal.org/project/download_count) is designed to keep track of file downloads on Drupal sites. This module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied input before display.

Drupal Core Color XSS Vulnerabilities

Recently the Drupal team released a security upgrade to the Drupal core to versions 6.21, 6.22, 7.1 and 7.2. These updates fixed several security flaws, the most commonly exploitable of which is a flaw in the core color module that allowed an attacker who could gain access to the color picker widget (for instance through the theme administration) to perform cross site scripting (XSS) attacks. This flaw resulted in a persistent XSS vulnerability in the Drupal core.

Securing Drupal 7

As Drupal 7 becomes more popular it will also become a larger target for attackers. It is important to take steps to keep your Drupal 7 installation secure. The following are a set of guidelines that can be used to ensure the stability and security of your Drupal 7 installation. Some of the suggestions might be considered a little paranoid, but it's always better to be safe than sorry, and layers of defense will help defeat determined attackers.

The arrival of Drupal 7 has generated a lot of excitement.

Drupal Flag Module 6.x-1.1 XSS Vulnerability

The Flag module version 6.x-1.1 contains a cross site scripting vulnerability because it does not properly sanitize output of role names before display during flag creation.

Drupal NodeQueue 6.x-2.1 XSS Vulnerability

The NodeQueue module version 6.x-2.1 suffers from a cross site scripting (XSS) vulnerability due to the fact that it does not properly sanitize taxonomy names during display.

Drupal Views 6.x-2.5 XSS Vulnerability

The Drupal Views module 6.x-2.5 contains a cross site scripting (XSS) vulnerability. XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Drupal Taxonomy Manager 6.x-1.0 XSS Vulnerability

The Drupal Taxonomy Manager version 6.x-1.0 suffers from a cross site scripting vulnerability because it fails to properly sanitize the "Vocabulary name" during output, allowing for the injection of arbitrary HTML.

Drupal Email Field 6.x-1.1 XSS Vulnerability

The Drupal Email Field module version 6.x-1.1 contains a cross site scripting vulnerability due to the fact that it fails to sanitize help text entered by users during content type configuration.

Drupal Flag Module 6.x-1.1 Multiple Vulnerabilities

The Drupal Flag module version 6.x-1.1 contains several cross site scripting vulnerabilities because it does not properly sanitize output of role names before display. The flag module also contains cross site scripting vulnerabilities because it fails to properly sanitize content type names. Additionally the Flag module contains a SQL injection vulnerability because it does not properly sanitize variables before concatenating them into a SQL query.

Drupal Embedded Media 6.x-1.0 Multiple XSS

The Drupal Embedded Media Field module version 6.x-1.0 contains several cross site scripting (XSS) vulnerabilities because it does not properly sanitize the output of the 'Help text', 'Custom thumbnail label', or 'Custom thumbnail description' specified when creating an Embedded Media Field content type field.

Drupal Content Access Module 6.x-1.1 XSS

The Content Access Module suffers from a cross site scripting vulnerability because it does not sanitize role names before displaying them on the 'Access Control' screen of managed content types. This vulnerability is exacerbated by the fact that Drupal 6.12 core does not perform input validation on role names as they are being created. This can lead to a situation where users administering role based access controls of content types could be exposed to malicious HTML content.

Drupal 6.12 (core) User Module XSS Vulnerability

The user module is provided as part of the Drupal 6 core modules and contains a cross site scripting (XSS) vulnerability that can allow users with the 'administer permissions' permission to inject arbitrary HTML into role names. Users with the 'administer permissions' permission could create new roles containing malicious JavaScript and silently attack site administrators. While users with this permission could already elevate the permissions of their own role using permissions they have been granted, this flaw could allow for a "stealth" attack vector.

Drupal CCK 6.x-2.2 XSS Vulnerability

The Drupal CCK module version 6.x-2.2 contains a vulnerability that could allow an authenticated attacker to inject arbitrary script into administration screens for content types.

Drupal 5.17 Taxonomy (Core) Module Contains XSS Vulnerability

The Drupal 5.17 Taxonomy module, which is part of the Drupal core and is enabled by default upon installation, contains a cross site scripting vulnerability that allows users with the 'administer taxonomy' permission to inject arbitrary HTML into the help text of any Category vocabulary.

Drupal CCK 5.x-1.10 XSS Vulnerability

The CCK module version 5.x-1.10 contains a cross site scripting vulnerability because it does not properly sanitize output of group labels before display.

Dangers of Drupal Cron

Cron is the Unix scheduling daemon used to run tasks at regular intervals. Cron is included with Unix, Linux, and Mac OS and is frequently present on LAMP installations with Drupal. Drupal is a complex web application and content management system (CMS) and it relies on certain administrative and maintenance tasks to be performed at regular intervals. Every Drupal installation includes a PHP script called 'cron.php' that can be called directly through a browser in the same way as the rest of the Drupal installation. This script, when called, triggers several background tasks, but does not display any information directly. While it is conceivable to simply visit the cron.php page on a regular basis to perform Drupal administrative tasks, it is much easier to schedule a call to this page.

Drupal Password Reset via XSS

There have been quite a few Cross Site Scripting (XSS) vulnerabilities discovered in Drupal modules recently. Many people scoff at XSS and even argue that it's a low threat vulnerability. In many cases this is certainly true, however XSS can be used as an element in an attack that leverages other security weaknesses to devastating effect. A case in point is the password changing option in Drupal. Drupal does a wonderful job of protecting against Cross Site Request Forgery (XSRF or CSRF) by placing tokens in forms to validate posts. Drupal provides a token in the id "edit-user-edit-form-token" in the edit user form (found at ?q=user/X/edit where X is the user id number). A sample value contained in this hidden form field is "5545a410de3662f1844af7ee6f1ee770" - a value sufficiently long and random that an attacker would have great difficulty guessing it. However, the Drupal account page doesn't require users to enter the current account password in order to change the password to a new value. This flaw, combined with a well crafted XSS attack, could be used to change a user's password to an arbitrary value. What's worse, Drupal uses session cookies by default that can keep users logged into the site for days. This means that a user could be the victim of a password changing attack and not realize their password had been changed until their session cookie timed out or they logged out of the site and were forced to log back in. The user would still be able to request a password reset via e-mail, so they would not be locked out of the site, but they might have their account hijacked for some time in the interim.

Drupal Leaking Version Information

The Drupal content management system (CMS) is powered by many modules that extend the capabilities of the base system. Vulnerabilities in contributed modules are the source of many of Drupal's security woes. Determining module version information allows attackers to target sites with vulnerable modules. There are many means for attackers to profile Drupal sites to determine which modules are installed and which versions are in use.

Exploiting the Drupal Suggest Terms Module

The Drupal Suggested Terms module is a convenience module that helps a content producer by presenting a hyperlinked list of taxonomy terms that can be clicked to populate category vocabulary. However, in versions prior to 5.x-1.2 a cross site scripting (XSS) vulnerability exists. This vulnerability was announced on June 25, 2008 in SA-2008-039 and requires that a malicious user be able to create or edit content using the suggested terms module.

Developing Drupal Module Exploits

Drupal is a wonderful Content Management System (CMS) that comes with a lot of extensible functionality. While the Drupal security team does a great job of making sure the core modules distributed with Drupal are secure, there are a host of third party contributed modules that often contain security problems. In this tutorial I'm going to pick on one module in particular and show you how to deduce security holes based on announcements to the Drupal security list.