With regards to web application security and software development I know quite well what I am talking about. With regards to Drupal, I am not as concerned with the severity of specific vulnerabilities discovered thus far, I am showing that their nature and quantity are indicators of an underlying failure in the software development methodology.
I really think Drupal will be the next Nuke. The XML-RPC thing isn't really their fault, it's a problem with a third-party library.
OK, geez, this is absurd. This software is crap. I was looking in Google for the URL to the "gain admin at signup" vulnerability (which I saw in Bugtraq in the last week or two and was the one I was originally referring to, not the XML-RPC one) and I came across another vulnerability at http://packetstorm.linuxsecurity.com/0506-advisories/DRUPAL-SA-2005-002.txt which is also less than two weeks old which is basically "execute arbitrary code on remote system when comments are enabled". See what I mean? It's going to be one after another after another after another...
But the security aspects of software can't afford to evolve over time. They need to be in place from day one. Drupal is not like sendmail, bind, or any of those other crufty ancient programs that can be excused for their myriad of security vulnerabilities over the years. Drupal is recent and, as an open source user and developer myself, it bothers me to see software that is still developed with security as an afterthought or bolted-on process. I do not have an alternative CMS suggestion, however, I hope that if someone does think of developing one, that they will consider security from day one. Because, unfortunately, I've seen this pattern before in other software - it's just going to be exploit after exploit after exploit.
I can't be any clearer at pointing out the fundamental flaw. It's like the recent Cardservice breach that resulted in the theft of as many as 40 million credit card numbers. Best practice is "don't store the credit card numbers", but that's exactly what Cardservices ignored (or was oblivious to), and then someone hacked in and was able to retrieve the account information. In the case of a web application, best practice is to develop a core set of methods for safely accessing input. That's exactly what did not happen in Drupal. Look at one of the patches from June:
- $edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_out put($edit['comment'], $edit['format']))), 29, TRUE); +// Note: format is checked by check_output(). + $edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_out put($edit['comment'], $edit['format'], TRUE))), 29, TRUE);
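Review bot: the added `TRUE` as the third argument to check_output() is the entire fix, yet the call site gives no indication of what it enables; the comment "format is checked by check_output()" records the effect without naming the parameter, and the flag sits at the innermost of five nested calls, exactly where the `-` line shows it had been left out. Suggest lifting that call into a named intermediate, e.g. `$rendered = check_output($edit['comment'], $edit['format'], TRUE);` with the explanatory comment on the same line, or changing check_output() so the check is on by default, so that a caller who forgets the argument gets the safe behaviour rather than the unchecked one.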
What the hell kind of base input checking code is that? Imagine the situation where someone accidentally leaves out one of those 5-deep functions or screws up the parens and puts the TRUE with the wrong function and one or more sites get compromised as a result. Sure looks like what happened up there - someone forgot a TRUE in the middle of that mess. There is no excuse as to why the single most important thing in securing a web application should require a function call chain that looks like that.
The vulnerability speaks for itself. Failure to validate input (which is #1 exploit cause on OWASP Top Ten list) results in the ability to gain admin rights at signup. How many other code paths in Drupal are there where input sanitization was not performed? That type of validation should be at the heart of all input processing, the vulnerability shows that this is not the case.
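The "core set of methods for safely accessing input" argued for above, as an added example that is not Drupal's code and not part of the original comments. `check_output_stub()`, `truncate_utf8_stub()` and `$ALLOWED_FORMATS` are hypothetical stand-ins whose names only mirror the functions in the quoted patch; their bodies, the format numbers and the sample comment are constructed for this example. It puts the five-deep chain with the forgotten flag beside a single choke-point function that owns both the order of operations and the access check.

```php
<?php
// Added example, not Drupal's code. check_output_stub(), truncate_utf8_stub()
// and $ALLOWED_FORMATS are hypothetical stand-ins whose names mirror the
// functions in the quoted patch; their bodies are invented for this example.

// Constructed sample: the input formats the current user is permitted to use.
// Format 1 is an ordinary filtered format, format 2 a privileged pass-through.
$ALLOWED_FORMATS = array(1);

// Stand-in for check_output(): with $check TRUE it refuses a format the user
// may not use; with the default FALSE it renders whatever format it is handed.
function check_output_stub($text, $format, $check = FALSE) {
    global $ALLOWED_FORMATS;
    if ($check && !in_array($format, $ALLOWED_FORMATS, TRUE)) {
        return '';   // refused: nothing from the submission reaches the page
    }
    // Hypothetical rendering: format 1 keeps only a small tag whitelist,
    // format 2 passes markup through untouched.
    return ($format === 2) ? $text : strip_tags($text, '<b><i>');
}

// Stand-in for truncate_utf8(): plain substr keeps the example dependency-free
// (the constructed input below is ASCII).
function truncate_utf8_stub($text, $length) {
    return substr($text, 0, $length);
}

// The shape the patch fixed: every caller must remember the third argument,
// and this one, like the "-" line of the patch, does not.
function subject_forgotten_flag($comment, $format) {
    return truncate_utf8_stub(html_entity_decode(strip_tags(
        check_output_stub($comment, $format))), 29);
}

// Choke point: one function owns the order of operations and the access check.
// Callers cannot leave the flag out because they never call the checker directly.
function comment_subject($comment, $format) {
    $rendered = check_output_stub($comment, $format, TRUE);
    $plain    = html_entity_decode(strip_tags($rendered), ENT_QUOTES, 'UTF-8');
    return truncate_utf8_stub($plain, 29);
}

// Constructed input: an ordinary user submits a comment while claiming format 2.
$comment = '<b onmouseover="alert(1)">first post</b>';

echo "forgotten flag, format 2: ", var_export(subject_forgotten_flag($comment, 2), TRUE), "\n";
echo "choke point,    format 2: ", var_export(comment_subject($comment, 2), TRUE), "\n";
echo "choke point,    format 1: ", var_export(comment_subject($comment, 1), TRUE), "\n";
```

The design point is not the particular stub bodies but that `comment_subject()` is the only path from a submission to a stored subject: the unchecked variant of the renderer is never reachable from a call site, so the mistake the commenter describes (dropping or misplacing one `TRUE` in a nested chain) has nowhere to happen. Grepping a code base for direct calls to the checker outside its wrapper is the corresponding review check.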
My sarcasm was directed at the idea of an exploit of this magnitude being found in recently-written software, as in "is this really something we would find in software in 2005". Only poorly-written code would have that serious of a privilege escalation vulnerability found this far past the point when that class of vulnerabilities was at its peak.
June 29th, 2005, right? A circa-2000 security issue (privilege elevation due to inadequate input sanitization) that resulted in full admin access to any remote user was resolved in Drupal less than 30 days ago? Well, I feel much better now, let me reinstall it!
It's also known for its recent privilege escalation vulnerability, a turn-of-the-century sounding "gain admin at signup" issue which would probably lead most sane people to disregard Drupal as a contender for any serious use.
I don't think that Joe Average is going to give a shit about the new features, personally... I think Joe Average views the computer as an irritating device that unreliably provides interesting functionality.
Trent Reznor hasn't challenged anything, instead, he's jumped on the bandwagon. Bands, including ones on major labels too, have been distributing remix packs for years now. Just because Reznor is using Garageband and prior artists used Acid packs, that doesn't make Reznor's offering any more "open to the common user". You could even argue the opposite.
From what I understand, the original ones are architectural monstrosities that were pushed on the citizens by the arrogant Port Authority. The reaction to their original construction was not "wow, that's neat", it was "WTF are those big ugly things?". I think that is why there isn't much desire to rebuild them.
Exactly. Walmart's prices are not lower than competing stores in an ever-increasing number of cases. Walmart really can't get any additional market share (everyone shops there) so one of their few options for revenue growth is to increase prices.
Toys-R-Us's issues are an excellent example of Walmart's predatory practices. Walmart told major toy manufacturers that if they wanted their products on Walmart shelves, they'd have to make it very hard for Toys-R-Us to get product from them.
Bloglines is crap, use Bl0x0r! It only supports Firefox and Mozilla, though, because it's a XUL app.
I don't know if the fans are DC. The 12 volt muffin fans I use for cooling audio equipment, fans which originally came from computer racks, are AC.
That's not a fan, it's a Chest Hair Mower and it broke while the guy in the picture was trying to use it.
You'd run them in series groups of 10 or 20 at line voltage (120 or 240, depending on where you live).
The submitter probably holds transmeta short and will make a killing when the market opens this morning.
CMU researchers rediscover CB radio.
They exist and they make sense, the intent is to prevent use of extension cords by providing adequate receptacle coverage.
Damn, true...
Building codes in many areas require a receptacle every X feet.
Because it's a count of units shipped and not units sold?
Sucks to your ass burger!
>Oh, did I mention that me, and everyone else at the company carry Glock 19's?
You guys moonlight as rappers?