Slashdot Mirror


Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

Trailrunner7 writes The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.

76 comments

  1. Actual irony? by TWX · · Score: 5, Funny

    SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks

    Would this be actual irony, as opposed to Alanis Morissette irony?

    --
    Do not look into laser with remaining eye.
    1. Re:Actual irony? by Anonymous Coward · · Score: 0

      It's amazing hubris as well.

    2. Re:Actual irony? by Anonymous Coward · · Score: 1

      This would be actual irony.

    3. Re:Actual irony? by Jaime2 · · Score: 1

      Not only is it ironic, it's a good thing. If people use this module, then they are a single patch away from fixing every occurrence of this bug. If they don't use this module, then they have to find all of their code that is similarly flawed and fix each instance individually. It's not like doing a database lookup with an IN is a rare thing; roll-your-own implementations are likely to be broken too.

    4. Re:Actual irony? by bill_mcgonigle · · Score: 3, Funny

      Would this be actual irony, as opposed to Alanis Morissette irony?

      That a song with that name contains no actual examples of irony is ______.

      This message brought to you by Deep Metathinking and the Number 12.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Actual irony? by Anonymous Coward · · Score: 0

      Alanis Morissette's things are actual irony. Most people just don't know why specific ones are ironic and/or don't get lots of irony. Look it up.

    6. Re:Actual irony? by unrtst · · Score: 2

      ... roll-your-own implementations are likely to be broken too.

      As far as I can tell, this module uses custom placeholders in queries, and then replaces those with the user supplied values, building a string that can be passed to the DB as SQL without database placeholders. I.e. it's not building something like:

              $sth = $db->prepare("SELECT name FROM table WHERE something IN (?,?,?)");
              $sth->execute(@parameters);

      It's building something like:

              $sth = $db->prepare("SELECT name FROM table WHERE something IN ($param[0], $param[1], $param[2])");

      That's always more risky. DB placeholders are not a silver bullet, but they're damn close. /disclaimer, I didn't thoroughly audit the code, so maybe it is somehow using db placeholders, but the method in question doesn't look like it is.
      See line 739 here: http://cgit.drupalcode.org/dru...
      Patch for users that don't want to do a full upgrade and are on 7.0 - 7.31: https://www.drupal.org/files/i...

    7. Re:Actual irony? by TWX · · Score: 1

      Rain on a wedding day isn't ironic, as rain could happen on any calendar day of the year in most climates. It may be statistically more or less likely in given seasons, but it's not impossible on the surface of it.

      A woman meeting the man of her dreams, and his wife is definitely not ironic, as it's very likely that many women admire the same qualities in men. That becomes a matter of who met whom in what order, and the wife happened to get there first while presenting the qualities that he admired.

      The comment on cutlery isn't ironic, because there's no context to set it up as irony. It's simply a matter of having one incorrect thing in abundance, and not having the one correct thing.

      I'm sure that others have gone through all of the statements from the song, so I'll stop there.

      --
      Do not look into laser with remaining eye.
    8. Re:Actual irony? by carrier+lost · · Score: 2

      Rain on a wedding day isn't ironic...

      Agreed.

      Irony is rain on the wedding day of a couple of meterologists.

      I may be wrong, but I think that coincidence is 2-factor, irony is 3-factor.

    9. Re:Actual irony? by Anonymous Coward · · Score: 0

      Not quite. Irony is opposites. E.g. A fireman rescues an old woman from a 10 story burning building, but drops her to her death on the way down the ladder.

    10. Re:Actual irony? by Jaime2 · · Score: 1

      Yeah, they screwed up the implementation. But at least they provide a consistent way to pass a list-type argument to a database command. Once the implementation is hardened, everyone who uses it will be a little more secure.

    11. Re:Actual irony? by sootman · · Score: 1

      "It's like SQL injectiooooooon, on a module that's designed specifically to help prevent SQL injection attaaaaaaaaaaacks"

      It practically writes itself!

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    12. Re:Actual irony? by Anonymous Coward · · Score: 0

      From the OED on ironic:

      2. A condition of affairs or events of a character opposite to what was, or might naturally be, expected; a contradictory outcome of events as if in mockery of the promise and fitness of things.

      I would say the "ironic" situations in her song are ironic. For example, rain on a wedding is a condition opposite to what is naturally expected. Normally people expect no rain on their wedding day.

    13. Re:Actual irony? by ls671 · · Score: 1

      All we have to do is make the algorithm recursive so it fixes sql injection problems in its own code. Simple.

      --
      Everything I write is lies, read between the lines.
    14. Re: Actual irony? by Anonymous Coward · · Score: 0

      Moronic?
      See, I combined her name with her song.

    15. Re:Actual irony? by Anonymous Coward · · Score: 0

      No. People hope for no rain on their wedding day. That's a different thing.

    16. Re:Actual irony? by carrier+lost · · Score: 1

      I believe that's just sad coincidence, it's missing a third factor.

      It would be ironic if she were dropped off the ladder AND her family owned the ladder factory.

      Irony be tricky.

  2. not a big surprise by Anonymous Coward · · Score: 0

    worked with an older version of drupal ages ago..

    Not a surprise the code quality and design was fucking awful then, and I wouldn't expect it to be any better now if the same coders made V7

  3. Re:PHP by Anonymous Coward · · Score: 0

    They were set up by trying to roll their own sql sanitation code instead of just using the existing prepared statements options that PHP has. Did they write their own AES implementation as well?

  4. Drupoomlaymfonyaravelpress CritVuln of the week by Anonymous Coward · · Score: 0

    Neither security through obscurity nor "not invented here" syndrome are my favorite things, but I've learned to stay away from these PHP frameworks because you can stay up 24/7 and still not patch in time. Same goes with phpBB or vBulletin or whatever. Inevitably there are core vulnerabilities discovered and they spread rapid fire through automation. I sleep easier knowing that while my own team's code surely isn't perfect, any critical errors are our own, are unique to our surface, and can't be discovered/wormed/exploited through automated google searching. If you're going to build a large PHP web presence, hire competent developers and do it yourself.

    1. Re:Drupoomlaymfonyaravelpress CritVuln of the week by Anonymous Coward · · Score: 0

      So your team does a halfassed job reinventing wheels :) Good to know, I'll make sure to not hire your company for my projects. Considering this vulnerability literally took 20 seconds to fix on our 100+ sites, we'll stick with the professionals.

  5. What about Drupal 6? by joelsherrill · · Score: 2

    The story only mentions Drupal 7. Is Drupal 6 or 8 impacted?

    1. Re:What about Drupal 6? by yelvington · · Score: 2

      Drupal 6 does not use the affected abstraction layer.

    2. Re:What about Drupal 6? by MightyMartian · · Score: 2

      Gods save us from poorly-designed abstraction layers designed to do things "better".

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:What about Drupal 6? by meustrus · · Score: 2

      Does not affect Drupal 6. Not sure about Drupal 8, but if you're concerned about the security of your website run on beta releases you're doing it wrong.

      --
      I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
    4. Re:What about Drupal 6? by MightyMartian · · Score: 0

      Heh heh :)

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:What about Drupal 6? by Anonymous Coward · · Score: 0

      Unless you program in assembler, just shut the fuck up.

    6. Re:What about Drupal 6? by Anonymous Coward · · Score: 0

      If you're on Drupal 8, you should only be receiving your code as updates by using 'git pull' anyway. The beta is just something with a nice ring to it, that made sense at a certain point in time, because all the beta-blockers were fixed.

    7. Re:What about Drupal 6? by Lunix+Nutcase · · Score: 1

      Notice they said "poorly-designed abstraction layers" not "all abstraction layers." Oh and FYI, assembly language mnemonics are an abstraction layer so your comeback fails even more.

  6. Re:PHP by benjymouse · · Score: 5, Interesting

    How do prepared statements handle the not uncommon situation where you want to include an "in" clause? For example:

    select * from customers where city in ?citylist

    This was the problem they tried to solve by dynamically creating a statement like:

    select * from customers where city in (?city-1, ?city-2, ?city-3)

    So, to generate the -1, -2, and -3 parts they relied upon the index of the array.

    Only in PHP an array will turn around and bite you with its dual personality as a hash table. A hash table where one key was not "-1" but rather something like (pseudo):

    -1); drop table students; --

    You cannot really fault the Drupal developers for trying to support this commonly occurring pattern, for which there are no good solutions with plain prepared statements. After all, if they could write secure code for a common problem that could prevent less experienced developers from falling back to error-prone and insecure string interpolation.

    Don't get me wrong: The Drupal developers are at fault. But they were set up by the criminally insecure PHP.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  7. php sucks by Anonymous Coward · · Score: 0

    I have never seen any php apps that run fast. PHP is crap. They are all a magnitude slower than Javascript. Javascript sucks. Perl is perfect!

    1. Re:php sucks by drinkypoo · · Score: 1

      Javascript sucks. Perl is perfect!

      If only mod_perl weren't such a motherbitch, perl would be perfect.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:php sucks by Anonymous Coward · · Score: 0

      Don't use mod_perl. Just use perl.

  8. Re:PHP by Jaime2 · · Score: 2

    Microsoft SQL Server has both an XML data type and a table-valued parameter that can be used to pass an arbitrarily long list of values in a single parameter. Does MySQL not have an equivalent, or maybe it does and PHP doesn't support them?

  9. At this surprises who? by Mysticalfruit · · Score: 4, Insightful

    I'm surprised it took this long! While not a PHP programmer, I've looked at some bits of the code and it's a bloody mess.

    php should get a new motto: "Please Hijack our Platform"

    --
    Yes Francis, the world has gone crazy.
    1. Re:At this surprises who? by Aethedor · · Score: 1

      PHP done right. I challenge you to find a security leak.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    2. Re:At this surprises who? by Anonymous Coward · · Score: 1

      We get it. You're not a noob PHP "developer". You're one of those cool dudes who uses a real man's language and gets all the girls! ( and gets modded insightful for it )

      I do both php and python, and while I prefer Python, there is nothing out there written in Python ( or any language, to my knowledge ) that comes close to being as efficient as Drupal in terms of time spent getting to launch. And yes that includes Django, which IMO is really only useful for low level APIs. It offers no tools for efficient UX design, and forces you to do boilerplate html and js coding.

      Admittedly, I'm not a purist. I'm surprised so many of you are. Your language of choice seems to be a huge part of how you define your identities, as evidenced by how you can never resist the urge to elevate yourselves by again proclaiming your hatred of PHP. I just don't get that. To me that's as ridiculous as hating the fans of a different sports team from your favorite one. Actually more so.

      For me, having satisfied and happy users and making money is far more important to me than my code resembling poetry or what language it's written in ( your end users don't care either ), so I refuse to be anything other than completely pragmatic about the tools I use.

      Also, Zuckerberg used PHP, and I bet you all consider yourselves better devs than him.

    3. Re:At this surprises who? by Anonymous Coward · · Score: 0

      It is true that Drupal is a good prototyping tool, but I wouldn't marry it. In my current job, we are having constant trouble with Drupal: it's slow as a dog, the myriad of third-party modules don't work well together, buggy and hard to update/migrate. Developing original modules of any complexity is harder than just writing from scratch, in exchange for very little in terms of maintainability.

      I've had much more success with either WordPress for the standard websites and Symfony or Yii for more involved applications. Symfony has a slightly longer time to market, but the end result is much easier to live with in the long run. Yii is great for small tools that you need to deploy yesterday, while providing acceptable maintainability.

    4. Re:At this surprises who? by Anonymous Coward · · Score: 0

      That's great, but all of those other options use PHP as well.

    5. Re:At this surprises who? by Anonymous Coward · · Score: 0

      I've worked with Drupal for many years, and I've never had to live with a page load time of over one second for regular requests that don't do any heavy lifting. Mostly they are in the 400-700ms range. If your requests are taking longer than that you are doing something wrong, like using some really shitty modules or not profiling and optimizing the application.

      As for modules being hard to write, that isn't my experience at all.

    6. Re:At this surprises who? by Anonymous Coward · · Score: 0

      Drupal is a disaster. WordPress is a disaster. Joomla is a disaster.

      There I said it and now I feel better.

      Whatever happened to the good ol' days of writing a 'header.php' and a 'footer.php' file and then being done with it? Why did we have to get all fancy? I don't know of any end users who actually use these CMS platforms without extensive training - almost to the point that they might as well learn HTML and CSS. Even with training, most still don't pick it up and understand it. In fact, I've heard plenty of stories where a website developer takes on a contract and uses one of the major CMS products and ends up making all of the content changes anyway for their clients and they've told me that it would have been simpler and faster to just code it themselves.

  10. MOD parent up! by Anonymous Coward · · Score: 0

    Spot on.

  11. PSN has an open SQL Injection flaw by Anonymous Coward · · Score: 0

    Sony haven't learned from the 2008 and 2011 lack of input sanitation. Today we learn customer data is available from yet another SQL injection attack. They've been sitting on it for a couple of weeks, it remains exploitable.

    Give it half a day before the press bothers to report on it.

  12. Re:HAHAHA Little bobby tables by meustrus · · Score: 2

    Tip to moderators: There is no mod category "Sad". The best response is to ignore it, because then those who can recognize a completely unmoderated post will appreciate the metahumor.

    --
    I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
  13. Valuable lesson learned by NaughtyNimitz · · Score: 2

    I did some websites in Drupal, but now I am steering clear of Drupal and the likes (Wordpress,...)

    Now 100% of my projects are in my custom CMS where obfuscation is the rule.

    1. Re:Valuable lesson learned by drinkypoo · · Score: 2

      Now 100% of my projects are in my custom CMS where obfuscation is the rule.

      So now instead of many eyes on your CMS, there are only yours? People who keep up with their updates don't really have to worry about this. I used to check my site status page daily, but I noticed that I get notified of all the major Drupal patches by Slashdot, which is handy.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Valuable lesson learned by Anonymous Coward · · Score: 0

      custom CMS where obfuscation is the rule.

      Security through obfuscation is more or less security through obscurity. A double application of security through obscurity (once with the custom platform, once with the obfuscation) is about as effective as a single application of it; not at all.

    3. Re:Valuable lesson learned by Anonymous Coward · · Score: 1

      That's nonsense. Go look at what eventually happened to HB Gary Federal and how all that started (by using a custom CMS).

      Your best bet is to pay close attention to security releases, and be thankful for the Drupal Security Team which is on top of these issues. For more clarity, read these:

      https://www.previousnext.com.au/blog/drupal-732-critical-update-our-response

      https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-injection-announcement

      Seriously, compared to the Drupal Security Team which I know about, what other CMS' have such thorough teams and processes? Use Drupal and the same folks that look after the websites for the US Congress, the White House, and many other government websites become your Security Team, for free. Just learn to do your part properly.

    4. Re:Valuable lesson learned by Anonymous Coward · · Score: 0

      Waiting for news of Drupal security releases on Slashdot is very ill-advised. Had you not updated your Drupal 7 site by the time you heard of it on the Slashdots, you were almost certainly hacked and automatically patched already by those hackers locking up their bounty.

    5. Re:Valuable lesson learned by Anonymous Coward · · Score: 0

      Depends who you are defending against. If it is 99% of the script kiddies out there who have an exploit downloaded from the net for platform X version Y, then guess what?

    6. Re:Valuable lesson learned by Anonymous Coward · · Score: 0

      Nice! So attackers can get ALL your client data, and you are helpless to defend against it because of your hubris. And your vulnerabilities will persist for years or even decades!

    7. Re:Valuable lesson learned by NaughtyNimitz · · Score: 1

      Well, if you have 250 websites to manage like me, I still prefer my CMS: I decide when to patch my code and update my clients' sites. I don't want to be dictated to by a 'code red'. Also, my updates are 97% based on integration of new components (support for cloud-based storage, etc...) and not because of security issues.
      A major factor in all this is that I use Rails: the supporting community has an immense array of helpful tools that help me with deployment, migration (new server) and maintenance.

  14. Re:PHP by Anonymous Coward · · Score: 0

    The Drupal developers could have cast the hash key to an Int, then that problem would not exist.

  15. Re:PHP by unrtst · · Score: 2

    How do prepared statements handle the not uncommon situation where you want to include an "in" clause? For example:

    select * from customers where city in ?citylist

    This was the problem they tried to solve by dynamically creating a statement like:

    select * from customers where city in (?city-1, ?city-2, ?city-3)

    So, to generate the -1, -2, and -3 parts they relied upon the index of the array.

    ...

    for which there are no good solutions with plain prepared statements.

    ...

    Bullshit. Pseudo code 'cause I'm too lazy to look up the php-ism for this:
    $stmt = "select * from customers where city in (" . implode(',', array_fill(0, count($city_list), '?')) . ")";
    $sth = $db->prepare($stmt);
    $sth->execute(array_values($city_list));

    Wrapper code to aid in building the placeholder stuff should be used to account for max count of items (generally 255 of them), after which it should split it to:
    ( city in (?,?,?... etc ...) OR city in (?,?,? ... etc ...) )

    Does that take work? yes. Is it more effort than what they're doing? no.

  16. Re:PHP flame by Aethedor · · Score: 1

    What a cheap flame. And how not original. And you're wrong. SQL injections can be done with every language. To solve this, all it takes is a programmer who understands what he's doing and knows about a vulnerability that has been known for about 20 years and for which there is NO excuse for not knowing it.

    It's not really hard to do it right, even in PHP. And there is a simple proof for that.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  17. Re:PHP by drinkypoo · · Score: 0

    While the responsibility for this rests with Drupal, they were set up by another strange design decision of PHP: The fact that arrays are also hashtables and vice-versa. There are *tons* of these strange design decisions in PHP.

    That one, at least, seems designed to copy a feature of perl, and therefore it's completely understandable...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. Re: HAHAHA Little bobby tables by Anonymous Coward · · Score: 0

    LOL, that's a perfect characterization. Good work! I did actually laugh.

  19. Re:PHP by OverlordQ · · Score: 1

    my $sql = 'SELECT * FROM foo WHERE bar IN (' . join(',', ('?') x @array) . ')';

    Totally hard.

    --
    Your hair look like poop, Bob! - Wanker.
  20. WhiteHouse.gov by q4Fry · · Score: 3, Insightful

    Is the White House breach a result of this bug? Inquiring minds want to know!

    1. Re:WhiteHouse.gov by Anonymous Coward · · Score: 0

      They said the White House breach used Windows 0-days, not SQL injection.

  21. Re:PHP by Qzukk · · Score: 3, Informative

    XML would not be a standard SQL construct. Neither the PHP-internal mssql driver nor the Microsoft PHP driver supports TVP.

    The postgresql way to prepare a statement that needs to do something like "... field IN ($1) ..." is to rewrite it as an array operation "... field = ANY ( $1 ) ..." where $1 would be an array, but PHP/PDO can't properly/securely prepare this since it doesn't understand array operations. You would need to manually escape each element and create a literal array string in your code and pass that as the parameter:

    pg_prepare($pg, "test", "select * from customer where id = ANY ( $1::int[] )");
    pg_execute($pg, "test", array("{52,149,288}"));

    Note that a varchar[] in PHP would look something like "{Smith,O'Hare,Wilkerson\\, Esq.}" so none of the normal SQL escaping functions would work properly (note that single quotes are not escaped, but commas and curly braces would be escaped).

    I think postgresql arrays are slightly nonstandard (you can declare them using "datatype ARRAY[size]" but postgresql does not enforce array bounds). MySQL does not do array datatypes at all.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
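
An added example (Python rather than the thread's PHP; not Drupal, driver or thread code) of the manual array-literal encoding the comment above describes: the elements are packed into one PostgreSQL array literal that is passed as a single bound parameter to a `= ANY($1::int[])` or `= ANY($1::text[])` statement, so the SQL text never changes. The parser is included only to round-trip check the encoder, and the psycopg2 call in the trailing comment is a hypothetical use that is not executed here.

```python
from __future__ import annotations

from typing import Iterable, Union

Elem = Union[int, str, None]


def pg_array_literal(values: Iterable[Elem]) -> str:
    """Encode a one-dimensional PostgreSQL array literal such as {52,149,288}
    or {"Smith","O'Hare","Wilkerson, Esq."}.

    Every text element is double-quoted with backslash and double-quote escaped,
    so commas, braces, whitespace, single quotes and the word NULL inside a value
    stay data. SQL string escaping (doubling single quotes) is NOT applied: the
    whole literal travels as one bound parameter, never inside the SQL text.
    """
    parts = []
    for v in values:
        if v is None:
            parts.append("NULL")  # unquoted NULL is the null element
        elif isinstance(v, bool):
            raise TypeError("bool elements are not handled here")
        elif isinstance(v, int):
            parts.append(str(v))
        elif isinstance(v, str):
            parts.append('"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"')
        else:
            raise TypeError(f"unsupported element type: {type(v).__name__}")
    return "{" + ",".join(parts) + "}"


def pg_array_parse(literal: str) -> list[Elem]:
    """Inverse of pg_array_literal for one-dimensional literals; used here to
    round-trip check the encoder. Unquoted digits come back as int, NULL as None."""
    if len(literal) < 2 or literal[0] != "{" or literal[-1] != "}":
        raise ValueError("not a one-dimensional array literal")
    body, out = literal[1:-1], []
    i, n = 0, len(body)
    while i < n:
        if body[i] == '"':
            i, buf = i + 1, []
            while i < n and body[i] != '"':
                if body[i] == "\\":  # escaped quote or backslash follows
                    i += 1
                    if i >= n:
                        raise ValueError("dangling backslash")
                buf.append(body[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted element")
            i += 1  # skip the closing quote
            out.append("".join(buf))
        else:
            j = body.find(",", i)
            tok = (body[i:] if j < 0 else body[i:j]).strip()
            i = n if j < 0 else j
            out.append(None if tok.upper() == "NULL" else int(tok) if tok.lstrip("-").isdigit() else tok)
        if i < n:
            if body[i] != ",":
                raise ValueError(f"unexpected {body[i]!r} at offset {i}")
            i += 1
    return out


if __name__ == "__main__":
    ids = pg_array_literal([52, 149, 288])
    names = pg_array_literal(["Smith", "O'Hare", "Wilkerson, Esq."])
    print(ids, names)
    # Hypothetical psycopg2 use (not run here): the literal is the parameter,
    # the SQL text is fixed whatever the elements contain.
    #   cur.execute("SELECT * FROM customer WHERE id = ANY(%s::int[])", (ids,))
    #   cur.execute("SELECT * FROM customer WHERE name = ANY(%s::text[])", (names,))
    assert pg_array_parse(names) == ["Smith", "O'Hare", "Wilkerson, Esq."]
```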
  22. Not surprising, but not because it's php by Anonymous Coward · · Score: 0

    All software that has Drupal's deployment rate has suffered security issues.

  23. Re:PHP by Anonymous Coward · · Score: 0

    Would it take rewriting the entire db interface to not used named placeholders? Yes.

  24. Multiple queries by MSG · · Score: 1

    The original advisory notes that "Since Drupal uses PDO, multi-queries are allowed." I can find documentation that confirms that's true of the MySQL PDO adapter. Is that also true for PDO for other databases, or is this vulnerability specific to MySQL?

    1. Re:Multiple queries by Anonymous Coward · · Score: 0

      The class of SQL injection attack which appends an additional malicious query to a simple query won't work on Oracle, for example, because it requires that "multi-queries" (I can't recall the proper name for them in Oracle-speak) be wrapped within a BEGIN...END pair. The attack would have to find a way to prepend a BEGIN to the whole thing. I'm not aware of any way to accomplish that through injection, though I suppose other types of vulnerabilities might allow it.

      - T

  25. Re:PHP by grcumb · · Score: 1

    While the responsibility for this rests with Drupal, they were set up by another strange design decision of PHP: The fact that arrays are also hashtables and vice-versa. There are *tons* of these strange design decisions in PHP.

    That one, at least, seems designed to copy a feature of perl, and therefore it's completely understandable...

    Er, no. Where did you get that idea? Perl has distinct array and hash data types, and though Perl has a liberal approach to reading variable values ('$scalar = @array' does... interesting things, for example), there is a clear distinction between the two.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  26. Linux should be outright banned by Anonymous Coward · · Score: 0

    Anyone see that Bash Vulnerability? Or how about that SSL vulnerability? Millions of systems were compromised.

    While the responsibility for this rests with unwashed Linux basement dwellers, they were set up by another strange design decision of Linux: The fact that Linux software is filled with 1000's of unnamed 0-days due to shoddy coding decisions in Linux.

  27. Re:PHP by Anonymous Coward · · Score: 0

    Frankly, if you are writing out SQL statements by hand, you probably are not qualified to comment on the relative merits of PHP to other languages.

    I guess if you are programming for facebook or somebody you might hit a corner case where you need to fine-tune your ORM's SQL generation (you _are_ using an ORM, right?), but in that case you should know how to handle simple corner cases like this. For this one, you could do this:

    $sql = 'SELECT * FROM tbl WHERE id IN (' . implode(', ', array_fill(0, count($user_inputs), '?')) . ')';
    $query = $pdo->prepare($sql);
    $query->execute(array_values($user_inputs));  // PDOStatement has no bindValues(); execute() binds the positional values
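
The count-based expansion that this reply, unrtst's reply above (including its splitting of long lists into OR groups) and benjymouse's description of the key-derived placeholders all turn on, written out as an added Python example; it is not code from the thread or from Drupal. It assumes the standard-library SQLite module with `?` positional placeholders and a constructed `customers` table, and the chunk size of 3 is deliberately tiny so the splitting path is exercised.

```python
from __future__ import annotations

import sqlite3
from typing import Any, Iterable, Sequence

# Constructed, deliberately tiny chunk size so the OR-group splitting is exercised;
# a real limit would be the database's parameter cap, far above this.
MAX_IN_ITEMS = 3


def expand_in(column: str, values: Sequence[Any], max_items: int = MAX_IN_ITEMS) -> tuple[str, list[Any]]:
    """Build '(col IN (?,?,?) OR col IN (?))' from the COUNT of values only.

    The SQL text depends on len(values) and nothing else: neither the values nor
    any keys they were stored under are ever spliced into the string, so the
    statement can be prepared once per list length and reused.
    """
    vals = list(values)
    if not vals:
        return "1=0", []  # 'IN ()' is a syntax error; match nothing instead
    groups = []
    for start in range(0, len(vals), max_items):
        n = len(vals[start:start + max_items])
        groups.append(f"{column} IN ({','.join(['?'] * n)})")
    return "(" + " OR ".join(groups) + ")", vals


def expand_in_by_key(column: str, values: dict) -> str:
    """The pattern the thread describes (placeholder names derived from the
    array keys), kept here only to show where untrusted text reaches the SQL:
    a key that is not a plain integer lands verbatim in the query string."""
    return f"{column} IN (" + ", ".join(f":{column}_{key}" for key in values) + ")"


def find_customers(conn: sqlite3.Connection, cities: Iterable[str]) -> list[str]:
    """Run the IN query safely: placeholders from the count, cities bound as data."""
    where, params = expand_in("city", list(cities))
    sql = f"SELECT name FROM customers WHERE {where} ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the thread's 'customers'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT NOT NULL, city TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Ada", "Berlin"), ("Bob", "Paris"), ("Cy", "Oslo"), ("Di", "Rome"), ("Ed", "Lima")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(expand_in("city", ["Paris", "Rome", "Lima", "Oslo"])[0])
    print(find_customers(db, ["Paris", "Rome", "Lima", "Oslo"]))
    # A value containing a quote is just data: it is bound, never spliced into the SQL.
    print(find_customers(db, ["Ber'lin", "Paris"]))
    print(expand_in_by_key("city", {"not an index": "Paris"}))
```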

  28. Re:PHP by Qzukk · · Score: 1

    (you _are_ using an ORM, right?)

    Of course! I've got this one that came with my framework called Drupal.... oh wait.

    For this one, you could do this:

    You could, but you're throwing away the "prepared" half of "prepared statement". Totally fine if it's a one-off query. Otherwise, expect your DBA to appear behind you, breathing down your neck with a red-hot poker 3 milliseconds after you put that in a loop from 1 to 10,000.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  29. Re:PHP by Anonymous Coward · · Score: 0

    MSSQL is also horribly insecure. After one of our sites at work got exploited from a 0 day, and the vulnerability STILL hasn't been patched after months, we moved EVERYTHING off of Windows server.