Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
#1 2014-11-01 21:19:41
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Drupal woes
It looks like there’s a sequel to WordPress woes:
Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.
- reported on the BBC and elsewhere, acknowledged by Drupal
Offline
Re: Drupal woes
hackertarget.com/28-days-after-drupal-exploit/
From that article:
The easiest way to determine the exact version of a Drupal powered site is to examine the CHANGELOG.txt file in the root of the site. This is a file that can be removed to make fingerprinting the exact version of the site more difficult. An Nmap NSE script was customised for this purpose and used this method to determine the version.
5630 out of the full 10’000 had the CHANGELOG.txt file in place enabling the exact version detection to take place. Of these I separated Drupal 6 and Drupal 7 installs to determine the percentage of Drupal 7 installs that have been patched.
The bar graph pictured in the graphic show the totals found for each of the categories, these are the total sites within the 5630 that were successfully fingerprinted.
56% of surveyed Drupal sites had a readily-accessible way of determining the version number. That’s frightening.
Last edited by gaekwad (2014-11-13 14:59:22)
Offline
Re: Drupal woes
I saw that too, but we should be careful about pointing fingers…
If I’m not mistaken, you can find out the version of more or less every textpattern installation by either calling up /textpattern and looking at the page source, or looking at the generator xml tag in the rss feed.
One of the criticisms levelled at drupal was that it doesn’t have an automatic updating mechanism. Txp doesn’t either…
EDIT: Apologies, I’m wrong. It’s not visible in all versions of the backend but is in the rss.
Last edited by jakob (2014-11-13 21:59:25)
TXP Builders – finely-crafted code, design and txp
Offline
Re: Drupal woes
jakob wrote #285726:
you can find out the version of more or less every textpattern installation
Exactly. Even if the version isn’t given away in extraneous readable files like readme / changelog / license / checksum files or RSS feeds, you can visually compare the login screen or compare some facet of the publicly accessible back-end source code with the output of a particular page from those in the Github repo to make an educated guess, if not an identical match, at the version.
Hiding or not uploading files is an OK method to keep the amateurs out, but it doesn’t stop anyone else.
That said, there’s a case to be made for either advising people not to upload extraneous info files like README, HISTORY.txt, and the license files at all, or to remove them after installation. I always omit them (saves space too).
We should probably add a check in Diagnostics to highlight the fact these files are still present, the same as we do with the setup folder. Or just extend .htaccess as a courtesy such that the leaky files are inaccessible.
That leaves 1) the checksums, 2) the RSS feed, and 3) the login screen as the weak links. Can’t do anything about (3). The checksums could arguably go in the database and the version number removed from the RSS feed. It wouldn’t stop anyone from making a (very educated) guess, but it would reduce the attack surface for script kiddies.
Worth it? And if so, which method(s) would be best? Pull requests welcome, as ever.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#5 2014-11-13 22:56:13
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Re: Drupal woes
I’ve been in contact with the Devs regarding this & the rest of the conversation should probably best be kept offline for the moment.
Edit: … and then I saw Bloke’s post!
Last edited by gomedia (2014-11-13 22:56:53)
Offline
Re: Drupal woes
Bloke wrote #285727:
Worth it?
I don’t think so, and I can explain why ;)
Just about everybody of the regulars here will have noticed quite a few web server log entries which indicate that someone tried to log into an inexistent instance of Joomla, WordPress, phpBB and a dozen other scripts, ignoring the fact that the target script is not present at all.
Most of these tentative exploits stem from automated bots. They do not care about efficiency, the care about throughput.
And I suppose that they have more throughput from one failing request to an inexistent exploitable page with a 404 response than two requests to that existent checksums.txt plus a subsequent exploit attempt with a 200 response.
Thus it’s their tactic to rather shoot blindly and frequently than save their ammunition for a proper prey.
Offline
Re: Drupal woes
@wet: sage words.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Drupal woes
With the README, I’m in two minds. Obviously, if it presents a risk, it’s not a good idea.
Otherwise, I think it’s polite practice to leave the client or a potential later user with an orderly setup and some guidance. It bugs me, for example, when I take over a site from someone else and see that the credits have been discourteously stripped out of all js-files during minifying and I then have to start researching where they came from. By the same token, I document any changes I make to the txp source files (I know, I know, I shouldn’t!), both for myself when I come to revisit the site at a later date, as well as for anyone who may step into my shoes later.
TXP Builders – finely-crafted code, design and txp
Offline
Re: Drupal woes
jakob wrote #285731:
I think it’s polite practice to leave the client or a potential later user with an orderly setup
Sure. So a simple rule or two in .htaccess to disallow reading of .txt files in the root folder would protect that right to leave documentation around for FTP users, while casual surfers can’t see it. Though ironically, the fact that Txp would then throw a 403 would leak the version number… at least of the first release to include such counter-measures ;-)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Drupal woes
For completeness, my point wasn’t anti-Drupal. There’s no CMS politics going on here, absolutely not. I work with Drupal and, while I don’t have it as my preferred choice of CMS, I don’t bad-mouth it. There is no finger-pointing. If there is, it’s at administrators of top-10,000 websites that don’t have the sense to remove the PLEASE BREAK IN HERE ARE THE KEYS.txt details for their websites, whatever the CMS is.
Second, there’s this: forum.textpattern.com/viewtopic.php?id=41093 – I have been caught out in the past and have the burden of this to carry around. It’s a bugbear of mine, sadly.
Offline
Re: Drupal woes
Yes, of course, Pete. Actually, I was thinking of myself when I wrote that because I very nearly started a “There goes another CMS with security problems …” thread when the BBC article came out, and then, erm, thought better of it. Adi did it later in a much more neutral way.
TXP Builders – finely-crafted code, design and txp
Offline
Offline