[documentation] PHP snippets security - the list

Sami Khan sami at etopian.net
Mon May 8 23:39:58 UTC 2006 

Hi Guys,

How can I get to these? Who do I have to ask for permission?

Best Regards,
Sami Khan

> Dear doc team,
>
> As promised the statistics and the links to the problematic snippets. Note
> that these snippets are unpublished and may not be accessible to everyone.
> This is just the list; I haven't thought much about how we should continue
> with snippets. I believe they are a valuable asset to the community.
>
> Of the PHP page snippets 35 are insecure, 42 do not contain obvious
> security holes, 1 replicated existing drupal functionality.
> Of the PHP block snippets 16 are insecure, 31 do not contain obvious
> security holes.
>
> On a total of 124 snippets, 41% had an 'obvious' security problem:
>
> Potential SQL injection attacks : 2
> ===================================
> This happens when a snippet takes user input and pastes it directly into
> an SQL query. An example is snippet http://drupal.org/node/34064 where the
> variable $order is taken from the URL query string &order and a few lines
> below that pasted into an SQL query:
>
> [...] ORDER BY fl.numeric_data $order LIMIT [...]
>
> It's probably very difficult to exploit on MySQL even > 4.1, but really
> easy on PostgreSQL, because contrary to mysql_query, pg_query executes
> multiple queries in one pass (one transaction). We can easily insert a new
> statement by closing the first with a semi-colon, then adding our new
> statement and commenting out anything behind the LIMIT.
>
> [...] ORDER BY fl.numeric_data ASC; UPDATE users SET pass=md5('newpass')
> WHERE uid = 1; -- LIMIT [...]
>
> Of course, we need to URLencode this:
>
> Simply access the page with
> node/nid&order=ASC;%20UPDATE%20users%20SET%20pass=md5(%27newpass%27)%20%20WHERE%20uid%20=%201;%20--
>
> and we've reset the password of uid 1 to one we like.
>
> http://www.spidynamics.com/spilabs/education/whitepapers/SQLinjection.html
> contains more information.
>
> Potential XSS vulnerability : 17
> =================================
> Cross site scripting occurs when you display user input data without
> sanitation. This may be from the database or from query strings.
>
> A good, high level overview on XSS can be found here
> http://www.spidynamics.com/spilabs/education/whitepapers/CrossSiteScripting.html
>
> Bypassing access permissions : 37
> ==================================
> This occured the most and can vary from light information leakage (node
> title) to entire nodes. All database queries extracting information from
> node, comments and taxonomy should be passed through db_rewrite_sql. This
> function ensures that only those authorized can access a node.
>
> There were also a number of snippets that implement administrator
> functionality that should ideally be enclosed in the proper user_access
> checks. For example, viewing the logs; it's hard to hide such pages for
> google.
>
> (The numbers do not add up because some snippets contain a permission
> bypass and a potential XSS vulnerability)
>
>
>
> Chx wrote a small page on the three most common problems:
> http://drupal.org/node/62304; this is a brand new page and could use some
> love and attention. Steven wrote a page on XSS titled 'How to handle text
> in a secure fashion' earlier. This can be found at
> http://drupal.org/node/28984
>
> Here's a paraphrased quote from Chx's page:
>
> So, three kind of errors you need to avoid:
> - XSS with proper checking
> - SQL injections with proper db_query usage
> - node access bypass by utilizing db_rewrite_sql.
>
> Regards,
>
> Heine
>
> PHP page snippets:
>
> Unpublished because no db_rewrite_sql (27)
> ==========================================
> http://drupal.org/node/39825
> http://drupal.org/node/37767  (SQL also fishy)
> http://drupal.org/node/55261
> http://drupal.org/node/55559  not sure if this snippet is intended to be
> just a one time tool for admins
> http://drupal.org/node/56235
> http://drupal.org/node/37421  (also XSS)
> http://drupal.org/node/37427
> http://drupal.org/node/31534
> http://drupal.org/node/23232
> http://drupal.org/node/24703
> http://drupal.org/node/24703
> http://drupal.org/node/36953
> http://drupal.org/node/26568
> http://drupal.org/node/31536
> http://drupal.org/node/28626  intended for admins, but doesn't contain
> user_access check
> http://drupal.org/node/56987
> http://drupal.org/node/55551  intended for admin, but requires
> db_rewrite_sql and probably a user_access check
> http://drupal.org/node/34162  (and XSS)
> http://drupal.org/node/36965
> http://drupal.org/node/34331  (and contains instructions how to make SQL
> injection attack possible)
> http://drupal.org/node/47786
> http://drupal.org/node/55792  (and XSS: these ecommerce nodes are usually
>   from admin, still not proper)
> http://drupal.org/node/31964
> http://drupal.org/node/28762
> http://drupal.org/node/57541  (and XSS)
> http://drupal.org/node/40122  This code is used to make drupal.orgs
> handbook page
> http://drupal.org/node/34064
>
> Unpublished because of SQL injection (2)
> ====================================
> http://drupal.org/node/34064
> http://drupal.org/node/30286 register globals, variable order & Drupal <
> 4.7
>
> Unpublished because of XSS (6)
> ==============================
> http://drupal.org/node/32272
> http://drupal.org/node/29246
> http://drupal.org/node/25564
> http://drupal.org/node/29352
> http://drupal.org/node/38732
> http://drupal.org/node/32631 this is a page on how to make a module in
> stead of a snippet. The example is insecure
>
> Not certain (counted as ok, still published)
> ===========================================================
> http://drupal.org/node/17144  XSS not sure, this depends on the paypal
> framework
>
> Unpublished because no db_rewrite_sql (10)
> ==========================================
> http://drupal.org/node/33462
> http://drupal.org/node/51033  (but it's probably the intention)
> http://drupal.org/node/55291  (and XSS)
> http://drupal.org/node/4587
> http://drupal.org/node/29722
> http://drupal.org/node/22628  SQL is also not entirely kosher, but passed
> is_numeric
> http://drupal.org/node/7008
> http://drupal.org/node/10563  perhaps intentional
> http://drupal.org/node/21390  only a count
> http://drupal.org/node/20152  mild
>
> Unpublished because of XSS (6)
> ==============================
> http://drupal.org/node/57027
> http://drupal.org/node/52996  aggregator not sure if XSS would pass
> xml_parser though
> http://drupal.org/node/17272
> http://drupal.org/node/20165
> http://drupal.org/node/45164
> http://drupal.org/node/17450
> --
> Pending work: http://drupal.org/project/issues/documentation/
> List archives: http://lists.drupal.org/pipermail/documentation/
>

More information about the documentation mailing list