[documentation] PHP snippets security - the list

Heine Deelstra info at ustilago.org
Mon May 8 23:03:29 UTC 2006


Dear doc team,

As promised the statistics and the links to the problematic snippets. Note
that these snippets are unpublished and may not be accessible to everyone.
This is just the list; I haven't thought much about how we should continue
with snippets. I believe they are a valuable asset to the community.

Of the PHP page snippets 35 are insecure, 42 do not contain obvious
security holes, 1 replicated existing drupal functionality.
Of the PHP block snippets 16 are insecure, 31 do not contain obvious
security holes.

On a total of 124 snippets, 41% had an 'obvious' security problem:

Potential SQL injection attacks : 2
===================================
This happens when a snippet takes user input and pastes it directly into
an SQL query. An example is snippet http://drupal.org/node/34064 where the
variable $order is taken from the URL query string &order and a few lines
below that pasted into an SQL query:

[...] ORDER BY fl.numeric_data $order LIMIT [...]

It's probably very difficult to exploit on MySQL even > 4.1, but really
easy on PostgreSQL, because contrary to mysql_query, pg_query executes
multiple queries in one pass (one transaction). We can easily insert a new
statement by closing the first with a semi-colon, then adding our new
statement and commenting out anything behind the LIMIT.

[...] ORDER BY fl.numeric_data ASC; UPDATE users SET pass=md5('newpass')
WHERE uid = 1; -- LIMIT [...]

Of course, we need to URLencode this:

Simply access the page with
node/nid&order=ASC;%20UPDATE%20users%20SET%20pass=md5(%27newpass%27)%20%20WHERE%20uid%20=%201;%20--

and we've reset the password of uid 1 to one we like.

http://www.spidynamics.com/spilabs/education/whitepapers/SQLinjection.html
contains more information.
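The ORDER BY pattern described above, written as an added example (not one of the audited snippets and not Drupal core code): the snippet as the audit found it, then a hardened form. Drupal 4.7's db_query(), db_rewrite_sql() and db_query_range() are assumed; the original snippet's table is not on the list, so {node} n ORDER BY n.created stands in for fl.numeric_data.

```php
<?php
// Added example for the "$order from the query string" finding.
// Assumes the Drupal 4.7 database API; {node} n stands in for the
// original snippet's table (not shown on the list).

/**
 * VULNERABLE: the sort direction is copied from ?order= straight into
 * the SQL text. Anything after the keyword becomes part of the statement,
 * and because pg_query() runs every statement in the string, a second
 * statement appended to the direction executes on PostgreSQL.
 */
function snippet_list_vulnerable() {
  $order = $_GET['order'];
  return db_query("SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 "
    . "ORDER BY n.created $order LIMIT 10");
}

/**
 * HARDENED: untrusted input never reaches the query text.
 * - the direction is mapped onto a fixed set of keywords (allow-list);
 *   an unknown value falls back to ASC instead of being passed through;
 * - integers go through the %d placeholder, which db_query() casts;
 * - the LIMIT comes from db_query_range() instead of string pasting;
 * - db_rewrite_sql() adds the node access conditions for the visitor.
 */
function snippet_list_hardened($count = 10) {
  $order = (isset($_GET['order']) && strtoupper($_GET['order']) == 'DESC')
    ? 'DESC' : 'ASC';
  $sql = db_rewrite_sql("SELECT n.nid, n.title FROM {node} n "
    . "WHERE n.status = %d ORDER BY n.created $order");
  // Arguments: placeholder value (1), then $from (0) and $count.
  return db_query_range($sql, 1, 0, $count);
}
```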

Potential XSS vulnerability : 17
=================================
Cross site scripting occurs when you display user input data without
sanitation. This may be from the database or from query strings.

A good, high level overview on XSS can be found here
http://www.spidynamics.com/spilabs/education/whitepapers/CrossSiteScripting.html

Bypassing access permissions : 37
==================================
This occurred most often and can vary from light information leakage (node
title) to entire nodes. All database queries extracting information from
node, comments and taxonomy should be passed through db_rewrite_sql. This
function ensures that only those authorized can access a node.

There were also a number of snippets that implement administrator
functionality that should ideally be enclosed in the proper user_access
checks. For example, viewing the logs; it's hard to hide such pages from
Google.

(The numbers do not add up because some snippets contain a permission
bypass and a potential XSS vulnerability)
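For the XSS and permission bypass findings above, an added example (not one of the audited snippets): a page snippet that lists recent node titles for every visitor and the latest log entries for administrators only. Drupal 4.7's db_rewrite_sql(), db_query_range(), db_fetch_object(), check_plain(), url(), user_access(), format_date() and theme('table') are assumed; which permission to require for the log view is an assumption.

```php
<?php
// Added example covering the node access and XSS findings.
// Assumes the Drupal 4.7 API named in the lead-in.

/**
 * Node titles for any visitor. db_rewrite_sql() appends the node_access
 * conditions for the current user (it expects the node table aliased "n"),
 * so restricted nodes do not leak through the title list, and check_plain()
 * escapes each title before it is placed in HTML.
 */
function snippet_recent_nodes($count = 10) {
  $sql = db_rewrite_sql("SELECT n.nid, n.title FROM {node} n "
    . "WHERE n.status = 1 ORDER BY n.created DESC");
  $result = db_query_range($sql, 0, $count);
  $items = array();
  while ($node = db_fetch_object($result)) {
    // Titles come from the database and were typed by users: escape them.
    $items[] = '<a href="'. url('node/'. $node->nid) .'">'
      . check_plain($node->title) .'</a>';
  }
  if (empty($items)) {
    return '';
  }
  return '<ul><li>'. implode('</li><li>', $items) .'</li></ul>';
}

/**
 * Log viewer. Without the user_access() check this page is reachable by
 * anyone (or any crawler) that finds its path; the path is not a secret.
 * Watchdog messages are built from request data (paths, referers, user
 * names), so they are escaped before output as well.
 */
function snippet_recent_log($count = 20) {
  // Permission chosen for the example; adjust to the site's policy.
  if (!user_access('administer site configuration')) {
    return '';
  }
  $result = db_query_range("SELECT type, message, timestamp FROM {watchdog} "
    . "ORDER BY wid DESC", 0, $count);
  $rows = array();
  while ($entry = db_fetch_object($result)) {
    $rows[] = array(
      format_date($entry->timestamp, 'small'),
      check_plain($entry->type),
      check_plain($entry->message),
    );
  }
  return theme('table', array(t('Date'), t('Type'), t('Message')), $rows);
}
```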

Chx wrote a small page on the three most common problems:
http://drupal.org/node/62304; this is a brand new page and could use some
love and attention. Steven wrote a page on XSS titled 'How to handle text
in a secure fashion' earlier. This can be found at
http://drupal.org/node/28984

Here's a paraphrased quote from Chx's page:

So, three kinds of errors you need to avoid:
- XSS with proper checking
- SQL injections with proper db_query usage
- node access bypass by utilizing db_rewrite_sql.

Regards,

Heine

PHP page snippets:

Unpublished because no db_rewrite_sql (27)
==========================================
http://drupal.org/node/39825
http://drupal.org/node/37767  (SQL also fishy)
http://drupal.org/node/55261
http://drupal.org/node/55559  not sure if this snippet is intended to be
just a one time tool for admins
http://drupal.org/node/56235
http://drupal.org/node/37421  (also XSS)
http://drupal.org/node/37427
http://drupal.org/node/31534
http://drupal.org/node/23232
http://drupal.org/node/24703
http://drupal.org/node/24703
http://drupal.org/node/36953
http://drupal.org/node/26568
http://drupal.org/node/31536
http://drupal.org/node/28626  intended for admins, but doesn't contain
user_access check
http://drupal.org/node/56987
http://drupal.org/node/55551  intended for admin, but requires
db_rewrite_sql and probably a user_access check
http://drupal.org/node/34162  (and XSS)
http://drupal.org/node/36965
http://drupal.org/node/34331  (and contains instructions how to make SQL
injection attack possible)
http://drupal.org/node/47786
http://drupal.org/node/55792  (and XSS: these ecommerce nodes are usually
  from admin, still not proper)
http://drupal.org/node/31964
http://drupal.org/node/28762
http://drupal.org/node/57541  (and XSS)
http://drupal.org/node/40122  This code is used to make drupal.orgs
handbook page
http://drupal.org/node/34064

Unpublished because of SQL injection (2)
========================================
http://drupal.org/node/34064
http://drupal.org/node/30286 register globals, variable order & Drupal <
4.7

Unpublished because of XSS (6)
==============================
http://drupal.org/node/32272
http://drupal.org/node/29246
http://drupal.org/node/25564
http://drupal.org/node/29352
http://drupal.org/node/38732
http://drupal.org/node/32631 this is a page on how to make a module instead
of a snippet. The example is insecure.

Not certain (counted as ok, still published)
============================================
http://drupal.org/node/17144  XSS not sure, this depends on the paypal
framework

PHP block snippets:

Unpublished because no db_rewrite_sql (10)
==========================================
http://drupal.org/node/33462
http://drupal.org/node/51033  (but it's probably the intention)
http://drupal.org/node/55291  (and XSS)
http://drupal.org/node/4587
http://drupal.org/node/29722
http://drupal.org/node/22628  SQL is also not entirely kosher, but passed
is_numeric
http://drupal.org/node/7008
http://drupal.org/node/10563  perhaps intentional
http://drupal.org/node/21390  only a count
http://drupal.org/node/20152  mild

Unpublished because of XSS (6)
==============================
http://drupal.org/node/57027
http://drupal.org/node/52996  aggregator not sure if XSS would pass
xml_parser though
http://drupal.org/node/17272
http://drupal.org/node/20165
http://drupal.org/node/45164
http://drupal.org/node/17450
