Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

← Back to Stories (view on slashdot.org)

Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

Posted by timothy on Thursday October 30, 2014 @02:50AM from the big-targets-get-hit-first dept.

Trailrunner7 writes The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.

35 of 76 comments (clear)

Min score:

Reason:

Sort:

Actual irony? by TWX · 2014-10-30 02:53 · Score: 5, Funny

SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks
Would this be actual irony, as opposed to Alanis Morrissette irony?

--
Do not look into laser with remaining eye.
1. Re:Actual irony? by Anonymous Coward · 2014-10-30 03:06 · Score: 1
  
  This would be actual irony.
2. Re:Actual irony? by Jaime2 · 2014-10-30 03:27 · Score: 1
  
  Not only is it ironic, it's a good thing. If people use this module, then they are a single patch away from fixing every occurrence of this bug. If they don't use this module, then they have to find all of their code that is similarly flawed and fix each instance individually. It's not like doing a database lookup with an IN is a rare thing; roll-your-own implementations are likely to be broken too.
3. Re:Actual irony? by bill_mcgonigle · 2014-10-30 03:40 · Score: 3, Funny
  
  Would this be actual irony, as opposed to Alanis Morrissette irony?
  That a song with that name contains no actual examples of irony is ______.
  This message brought to you by Deep Metathinking and the Number 12.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
4. Re:Actual irony? by unrtst · 2014-10-30 04:06 · Score: 2
  
  ... roll-your-own implementations are likely to be broken too.
  As far as I can tell, this module uses custom placeholders in queries, and then replaces those with the user supplied values, building a string that can be passed to the DB as SQL without database placeholders. IE. it's not building something like:
  $db->prepare("SELECT name FROM table WHERE something IN (?,?,?)")
  $db->execute( @parameters );
  It's building something like:
  $db->prepare("SELECT name FROM table WHERE something IN ($param[0], $param[1], $param[2])")
  That's always more risky. DB placeholders are not a silver bullet, but they're damn close. /disclaimer, I didn't thoroughly audit the code, so maybe it is somehow using db placeholders, but the method in question doesn't look like it is.
  See line 739 here: http://cgit.drupalcode.org/dru...
  Patch for users that don't want to do a full upgrade and are on 7.0 - 7.31: https://www.drupal.org/files/i...
5. Re:Actual irony? by TWX · 2014-10-30 04:07 · Score: 1
  
  Rain on a wedding day isn't ironic, as rain could happen on any calendar day of the year in most climates. It may be statistically more or less likely in given seasons, but it's not impossible on the surface of it.
  
  A woman meeting the man of her dreams, and his wife is definitely not ironic, as it's very likely that many women admire the same qualities in men. That becomes a matter of who met whom in what order, and the wife happened to get there first while presenting the qualities that he admired.
  
  The comment on cutlery isn't ironic, because there's no context to set it up as irony. It's simply a matter of having one incorrect thing in abundance, and not having the one correct thing.
  
  I'm sure that others have gone through all of the statements from the song, so I'll stop there.
  
  --
  Do not look into laser with remaining eye.
6. Re:Actual irony? by carrier+lost · 2014-10-30 04:16 · Score: 2
  
  Rain on a wedding day isn't ironic...
  Agreed.
  Irony is rain on the wedding day of a couple of meterologists.
  I may be wrong, but I think that coincidence is 2-factor, irony is 3-factor
  
  --
  XKCD:Xeric Knowledge Comically Dispen
7. Re:Actual irony? by Jaime2 · 2014-10-30 05:08 · Score: 1
  
  Yeah, they screwed up the implementation. But at least they provide a consistent way to pass a list-type argument to a database command. Once the implementation is hardened, everyone who uses it will be a little more secure.
8. Re:Actual irony? by sootman · 2014-10-30 05:15 · Score: 1
  
  "It's like SQL injectiooooooon, on a module that's designed specifically to help prevent SQL injection attaaaaaaaaaaacks"
  It practically writes itself!
  
  --
  Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
9. Re:Actual irony? by ls671 · 2014-10-30 08:29 · Score: 1
  
  All we have to do is make the algorithm recursive so it fixes sql injection problems in its own code. Simple.
  
  --
  Everything I write is lies, read between the lines.
10. Re:Actual irony? by carrier+lost · 2014-10-31 00:18 · Score: 1
  
  I believe that's just sad coincidence, it's missing a third factor.
  It would be ironic if she were dropped off the ladder AND her family owned the ladder factory.
  Irony be tricky.
  
  --
  XKCD:Xeric Knowledge Comically Dispen
What about Drupal 6? by joelsherrill · 2014-10-30 03:14 · Score: 2

The story only mentions Drupal 7. Is Drupal 6 or 8 impacted?
1. Re:What about Drupal 6? by yelvington · 2014-10-30 03:21 · Score: 2
  
  Drupal 6 does not use the affected abstraction layer.
2. Re:What about Drupal 6? by MightyMartian · 2014-10-30 03:31 · Score: 2
  
  Gods save us from poorly-designed abstraction layers designed to do things "better".
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
3. Re:What about Drupal 6? by meustrus · 2014-10-30 03:53 · Score: 2
  
  Does not affect Drupal 6. Not sure about Drupal 8, but if you're concerned about the security of your website run on beta releases you're doing it wrong.
  
  --
  I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
4. Re:What about Drupal 6? by Lunix+Nutcase · 2014-10-30 07:27 · Score: 1
  
  Notice they said "poorly-designed abstraction layers" not "all abstraction layers." Oh and FYI, assembly langauge mnemonics are an abstraction layer so your comeback fails even more.
Re:PHP by benjymouse · 2014-10-30 03:15 · Score: 5, Interesting

How do prepared statements handle the not uncommon situation where you want to include an "in" clause? For example:
select * from customers where city in ?citylist
This was the problem they tried to solve by dynamically creating a statement like:
select * from customers where city in (?city-1, ?city-2, ?city-3)
So, to generate the -1, -2, and -3 parts they relied upon the index of the array.
Only in PHP an array will turn around and bite you with it's dual personality as a hash table. A hash table where one key was not "-1" but rathersomething like (pseudo):
-1); drop table students; --
You cannot really fault the Drupal developers for trying to support this commonly occurring pattern, for which there are no good solutions with plain prepared statements. After all, if they could write secure code for a common problem that could prevent less experienced developers for falling back to error-prone and insecure string interpolation.
Don't get me wrong: The drupal developers is at fault. But they were set up by the criminally insecure PHP.

--
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Re:PHP by Jaime2 · 2014-10-30 03:23 · Score: 2

Microsoft SQL Server has both an XML data type and a table-valued parameter that can be used to pass an arbitrarily long list of values in a single parameter. Does MySQL not have an equivalent, or maybe it does and PHP doesn't support them?
At this surprises who? by Mysticalfruit · 2014-10-30 03:32 · Score: 4, Insightful

I'm surprised it took this long! While not a PHP programmer, I've looked at some bits of the code and it's a bloody mess.

php should get a new motto: "Please Hijack our Platform"

--
Yes Francis, the world has gone crazy.
1. Re:At this surprises who? by Aethedor · 2014-10-30 06:07 · Score: 1
  
  PHP done right. I challenge you to find a security leak.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
2. Re:At this surprises who? by Anonymous Coward · 2014-10-30 06:17 · Score: 1
  
  We get it. You're not a noob PHP "developer". You're one of those cool dudes who uses a real man's language and get's all the girls! ( and get's modded insightful for it )
  I do both php and python, and while I prefer Python, there is nothing out there written in Python ( or any language, to my knowledge ) that comes close to being as efficient as Drupal in terms of time spent getting to launch. And yes that includes Django, which IMO is really only useful for low level APIs. It offers no tools for efficient UX design, and forces you to do boiler plate html and js coding.
  Admittedly, I'm not a purist. I'm surprised so many of you are. Your language of choice seems to be a huge part of how you define your identities, as evidenced by how you can never resist the urge to elevate yourselves by again proclaiming your hatred of PHP. I just don't get that. To me that's as ridiculous as hating the fans of a different sports team from your favorite one. Actually more so.
  For me, having satisfied and happy users and making money is far more important to me than my code resembling poetry or what language it's written in ( your end users don't care either ), so I refuse to be anything other than completely pragmatic about the tools I use.
  Also, Zuckerberg used PHP, and I bet you all consider yourselves better devs than him.
Re:HAHAHA Little bobby tables by meustrus · 2014-10-30 03:51 · Score: 2

Tip to moderators: There is no mod category "Sad". The best response is to ignore it, because then those who can recognize a completely unmoderated post will appreciate the metahumor.

--
I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
Valuable lesson learned by NaughtyNimitz · 2014-10-30 04:01 · Score: 2

I did some websites in Drupal, but now I am steering clear of Drupal and the likes (Wordpress,...)
Now 100% of my projects are in my custom CMS where obfuscation is the rule.
1. Re:Valuable lesson learned by drinkypoo · 2014-10-30 04:25 · Score: 2
  
  Now 100% of my projects are in my custom CMS where obfuscation is the rule.
  So now instead of many eyes on your CMS, there are only yours? People who keep up with their updates don't really have to worry about this. I used to check my site status page daily, but I noticed that I get notified of all the major Drupal patches by Slashdot, which is handy.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
2. Re:Valuable lesson learned by Anonymous Coward · 2014-10-30 05:30 · Score: 1
  
  That's nonsense. Go look at what eventually happened to HB Gary Federal and how all that started, (by using a custom CMS).
  Your best bet is to pay close attention to security releases, and be thankful the for the Drupal Security Team which is on top of these issues. For more clarity, read these:
  https://www.previousnext.com.au/blog/drupal-732-critical-update-our-response
  https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-injection-announcement
  Seriously, compared to the Drupal Security Team which I know about, what other CMS' have such thorough teams and processes? Use Drupal and the same folks that look after the websites for the US Congress, the White House, and many other government websites become your Security Team, for free. Just learn to do your part properly.
3. Re:Valuable lesson learned by NaughtyNimitz · 2014-11-01 12:06 · Score: 1
  
  Well, if you have 250 websites to manage like me, it still prefer my CMS: I decide when to patch my code and update my clients site. I don't want to be dictated by a 'code red'. Also, my updates are 97% based on integration of new components (support for cloudbased storage, etc...) and not because of security issues.
  A major factor in all this, is that I use rails: the supporting community has an immense array of helpful tools that help me with deployment, migration (new server) and maintenance.
Re:PHP by unrtst · 2014-10-30 04:15 · Score: 2

How do prepared statements handle the not uncommon situation where you want to include an "in" clause? For example:
select * from customers where city in ?citylist
This was the problem they tried to solve by dynamically creating a statement like:
select * from customers where city in (?city-1, ?city-2, ?city-3)
So, to generate the -1, -2, and -3 parts they relied upon the index of the array.
...
for which there are no good solutions with plain prepared statements.
...
Bullshit. Psuedo code cause I'm too lazy to look up the php-ism for this:
$stmt = "select * from customers where city in (".join(',', map { '?' } array_values($city_list) ).")"; $sth = $db->prepare($stmt); $sth->ececute(array_values($city_list));
Wrapper code to aid in building the placeholder stuff should be used to account for max count of items (generally 255 of them), after which it should split it to:
( city in (?,?,?... etc ...) OR city in (?,?,? ... etc ...) )
Does that take work? yes. Is it more effort than what they're doing? no.
Re:PHP flame by Aethedor · 2014-10-30 04:19 · Score: 1

What a cheap flame. And how not original. And you're wrong. SQL injections can be done with every language. To solve this, all it takes is a programmer who understands what he's doing and knows about a vulnerability that has been known for about 20 years and for which there is NO excuse for not knowing it.
It's not really hard do to it right, even in PHP. And there is a simple proof for that.

--
It doesn't have to be like this. All we need to do is make sure we keep talking.
Re:php sucks by drinkypoo · 2014-10-30 04:38 · Score: 1

Javascript sucks. Perl is perfect!
If only mod_perl weren't such a motherbitch, perl would be perfect.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:PHP by OverlordQ · 2014-10-30 05:09 · Score: 1

my $sql = 'SELECT * FROM foo WHERE bar IN (' .join(',', ('?') x @array) . ')';
Totally hard.

--
Your hair look like poop, Bob! - Wanker.
WhiteHouse.gov by q4Fry · 2014-10-30 05:24 · Score: 3, Insightful

Is the White House breach a result of this bug? Inquiring minds want to know!
Re:PHP by Qzukk · 2014-10-30 05:24 · Score: 3, Informative

XML would not be a standard SQL construct. Neither the PHP-internal mssql driver nor the microsoft PHP driver supports TVP.
The postgresql way to prepare a statement that needs to do something like "... field IN ($1) ..." is to rewrite it as an array operation "... field = ANY ( $1 ) ..." where $1 would be an array, but PHP/PDO can't properly/securely prepare this since it doesn't understand array operations. You would need to manually escape each element and create a literal array string in your code and pass that as the parameter:

pg_prepare($pg, "test", "select * from customer where id = ANY ( $1::int[] )"); pg_execute($pg, "test", array("{52,149,288}"));

Note that a varchar[] in PHP would look something like "{Smith,O'Hare,Wilkerson\\, Esq.}" so none of the normal SQL escaping functions would work properly (note that single quotes are not escaped, but commas and curly braces would be escaped).
I think postgresql arrays are slightly nonstandard (you can declare them using "datatype ARRAY[size]" but postgresql does not enforce array bounds. MySQL does not do array datatypes at all.

--
If I have been able to see further than others, it is because I bought a pair of binoculars.
Multiple queries by MSG · 2014-10-30 07:25 · Score: 1

The original advisory notes that "Since Drupal uses PDO, multi-queries are allowed." I can find documentation that confirms that's true of the MySQL PDO adapter. Is that also true for PDO for other databases, or is this vulnerability specific to MySQL?
Re:PHP by grcumb · 2014-10-30 09:56 · Score: 1

While the responsibility for this rests with Drupal, they were set up by another strange design decision of PHP: The fact that arrays are also hashtables and vice-versa. There are *tons* of these strange design decisions in PHP.
That one, at least, seems designed to copy a feature of perl, and therefore it's completely understandable...
Er, no. Where did you get that idea? Perl has distinct array and hash data types, and though Perl has a liberal approach to reading variable values ('$scalar = @array' does... interesting things, for example), there is a clear distinction between the two.

--
Crumb's Corollary: Never bring a knife to a bun fight.
Re:PHP by Qzukk · 2014-10-30 13:54 · Score: 1

(you _are_ using an ORM, right?)
Of course! I've got this one that came with my framework called Drupal.... oh wait.
For this one, you could do this:
You could, but you're throwing away the "prepared" half of "prepared statement". Totally fine if its a one-off query. Otherwise, expect your DBA to appear behind you, breathing down your neck with a red-hot poker 3 milliseconds after you put that in a loop from 1 to 10,000.

--
If I have been able to see further than others, it is because I bought a pair of binoculars.