Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2014-11-01 21:19:41

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373

Drupal woes

It looks like there’s a sequel to WordPress woes:

Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.

- reported on the BBC and elsewhere, acknowledged by Drupal

Offline

#2 2014-11-13 14:30:52

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260
GitHub

Re: Drupal woes

hackertarget.com/28-days-after-drupal-exploit/

From that article:

The easiest way to determine the exact version of a Drupal powered site is to examine the CHANGELOG.txt file in the root of the site. This is a file that can be removed to make fingerprinting the exact version of the site more difficult. An Nmap NSE script was customised for this purpose and used this method to determine the version.
5630 out of the full 10’000 had the CHANGELOG.txt file in place enabling the exact version detection to take place. Of these I separated Drupal 6 and Drupal 7 installs to determine the percentage of Drupal 7 installs that have been patched.
The bar graph pictured in the graphic show the totals found for each of the categories, these are the total sites within the 5630 that were successfully fingerprinted.

56% of surveyed Drupal sites had a readily-accessible way of determining the version number. That’s frightening.

Last edited by gaekwad (2014-11-13 14:59:22)

Offline

#3 2014-11-13 21:31:58

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,726
Website

Re: Drupal woes

I saw that too, but we should be careful about pointing fingers…

If I’m not mistaken, you can find out the version of more or less every textpattern installation by either calling up /textpattern and looking at the page source, or looking at the generator xml tag in the rss feed.

One of the criticisms levelled at drupal was that it doesn’t have an automatic updating mechanism. Txp doesn’t either…

EDIT: Apologies, I’m wrong. It’s not visible in all versions of the backend but is in the rss.

Last edited by jakob (2014-11-13 21:59:25)


TXP Builders – finely-crafted code, design and txp

Offline

#4 2014-11-13 22:44:10

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,448
Website GitHub

Re: Drupal woes

jakob wrote #285726:

you can find out the version of more or less every textpattern installation

Exactly. Even if the version isn’t given away in extraneous readable files like readme / changelog / license / checksum files or RSS feeds, you can visually compare the login screen or compare some facet of the publicly accessible back-end source code with the output of a particular page from those in the Github repo to make an educated guess, if not an identical match, at the version.

Hiding or not uploading files is an OK method to keep the amateurs out, but it doesn’t stop anyone else.

That said, there’s a case to be made for either advising people not to upload extraneous info files like README, HISTORY.txt, and the license files at all, or to remove them after installation. I always omit them (saves space too).

We should probably add a check in Diagnostics to highlight the fact these files are still present, the same as we do with the setup folder. Or just extend .htaccess as a courtesy such that the leaky files are inaccessible.

That leaves 1) the checksums, 2) the RSS feed, and 3) the login screen as the weak links. Can’t do anything about (3). The checksums could arguably go in the database and the version number removed from the RSS feed. It wouldn’t stop anyone from making a (very educated) guess, but it would reduce the attack surface for script kiddies.

Worth it? And if so, which method(s) would be best? Pull requests welcome, as ever.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#5 2014-11-13 22:56:13

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373

Re: Drupal woes

I’ve been in contact with the Devs regarding this & the rest of the conversation should probably best be kept offline for the moment.

Edit: … and then I saw Bloke’s post!

Last edited by gomedia (2014-11-13 22:56:53)

Offline

#6 2014-11-13 22:57:47

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330
Website Mastodon

Re: Drupal woes

Bloke wrote #285727:

Worth it?

I don’t think so, and I can explain why ;)

Just about everybody of the regulars here will have noticed quite a few web server log entries which indicate that someone tried to log into an inexistent instance of Joomla, WordPress, phpBB and a dozen other scripts, ignoring the fact that the target script is not present at all.

Most of these tentative exploits stem from automated bots. They do not care about efficiency, the care about throughput.

And I suppose that they have more throughput from one failing request to an inexistent exploitable page with a 404 response than two requests to that existent checksums.txt plus a subsequent exploit attempt with a 200 response.

Thus it’s their tactic to rather shoot blindly and frequently than save their ammunition for a proper prey.

Offline

#7 2014-11-13 23:03:21

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,448
Website GitHub

Re: Drupal woes

@wet: sage words.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#8 2014-11-13 23:12:37

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,726
Website

Re: Drupal woes

With the README, I’m in two minds. Obviously, if it presents a risk, it’s not a good idea.

Otherwise, I think it’s polite practice to leave the client or a potential later user with an orderly setup and some guidance. It bugs me, for example, when I take over a site from someone else and see that the credits have been discourteously stripped out of all js-files during minifying and I then have to start researching where they came from. By the same token, I document any changes I make to the txp source files (I know, I know, I shouldn’t!), both for myself when I come to revisit the site at a later date, as well as for anyone who may step into my shoes later.


TXP Builders – finely-crafted code, design and txp

Offline

#9 2014-11-13 23:21:19

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,448
Website GitHub

Re: Drupal woes

jakob wrote #285731:

I think it’s polite practice to leave the client or a potential later user with an orderly setup

Sure. So a simple rule or two in .htaccess to disallow reading of .txt files in the root folder would protect that right to leave documentation around for FTP users, while casual surfers can’t see it. Though ironically, the fact that Txp would then throw a 403 would leak the version number… at least of the first release to include such counter-measures ;-)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#10 2014-11-14 07:17:27

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260
GitHub

Re: Drupal woes

For completeness, my point wasn’t anti-Drupal. There’s no CMS politics going on here, absolutely not. I work with Drupal and, while I don’t have it as my preferred choice of CMS, I don’t bad-mouth it. There is no finger-pointing. If there is, it’s at administrators of top-10,000 websites that don’t have the sense to remove the PLEASE BREAK IN HERE ARE THE KEYS.txt details for their websites, whatever the CMS is.

Second, there’s this: forum.textpattern.com/viewtopic.php?id=41093 – I have been caught out in the past and have the burden of this to carry around. It’s a bugbear of mine, sadly.

Offline

#11 2014-11-14 07:50:27

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,726
Website

Re: Drupal woes

Yes, of course, Pete. Actually, I was thinking of myself when I wrote that because I very nearly started a “There goes another CMS with security problems …” thread when the BBC article came out, and then, erm, thought better of it. Adi did it later in a much more neutral way.


TXP Builders – finely-crafted code, design and txp

Offline

#12 2014-11-14 10:38:53

trenc
Plugin Author
From: ⛵️, currently Göteborg, SE
Registered: 2008-02-27
Posts: 574
Website GitHub

Re: Drupal woes

Robert is right.

A README or any other file does not enhance security by simply removing it. Security by obscurity is never a valid security feature.


Digital nomad, sailing the world on a sailboat: 32fthome.com

Offline

Board footer

Powered by FluxBB