Mad Irish

Brute Forcing Drupal

Drupal sites typically grant elevated privileges to authenticated users and special privileges to site administrators. If an attacker can compromise account credentials to a Drupal site then they can easily elevate their privileges, perhaps gaining the ability to write arbitrary HTML or even PHP. Once an attacker compromises a valid Drupal account they can begin to leverage their new access to do more damage to the target site, perhaps even to hijack the entire web server process. Drupal uses form posts with predictable formats for user authentication and no defensive measures to prevent a brute force, or password guessing, attack. Furthermore, some Drupal sites facilitate the easy capture of user accounts for the creation of a targeted user list to increase the likelihood of a successful brute force attack.

• Monitoring Drupal for Insecure Settings
• Exploiting PHP PCRE Functions
• PHP Null Byte Poisoning
• Writing OSSEC Custom Rules and Decoders
• PHP Arbitrary File Include
• Using the Google Safe Browsing API from PHP
• Using SQLMap for Automated Vulnerability Assessment
• LAMP Security Through Virtualization
• Using and Extending Kojoney SSH Honeypot
• Defending Web Applications with PHPIDS

Thinking Security

Security vulnerability in code may be a permanent reality. Given the average number of bugs in software, and the moving state of security, it may be impossible to produce secure software. Added to this crisis is the fact that software is deployed on systems that are increasingly permanently connected to the network. This constant connection means a persistent, global threat. Traditional defences such as firewalls are increasingly proving useless at mitigating this threat. This situation leads us to question whether current security paradigms are working. What can the information security community do to combat a persistent, and growing, problem of vulnerable software being exposed to attack?

Exploiting Drupal Node2Node XSS Vulnerability

The Drupal Node2Node module was recently flagged by the Drupal security team as insecure and unmaintained (http://drupal.org/node/572852). The module was subsequently unpublished by Drupal, removing it from the main site downloads. This means that the module is no longer supported by Drupal. The Drupal security team announcement did not specify what vulnerabilities were contained within the Node2Node module, but a quick glance at the code and some testing quickly reveals a cross site scripting (XSS) vulnerability in the Node2Node module. To exploit the vulnerability simply follow the proof of concept steps below: