Transition Technology: Ticket Query

#758: * Advisory ID: DRUPAL-SA-CORE-2014-003

paul — Wed, 16 Jul 2014 21:55:29 GMT

View online: https://www.drupal.org/SA-CORE-2014-003

Advisory ID: DRUPAL-SA-CORE-2014-003
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-July-16
Security risk: Critical [2]
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

.... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability.

.... Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField? [3] module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField? - Access bypass [4]) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

.... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

.... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

/A CVE identifier [5] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.32.
Drupal core 7.x versions prior to 7.29.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.32. [6]
If you use Drupal 7.x, upgrade to Drupal core 7.29. [7]

Also see the Drupal core [8] project page.

The denial of service vulnerability using malicious HTTP Host headers was

reported by Régis Leroy [9].

The access bypass vulnerability in the File module was reported by Ivan

Ch [10].

The cross-site scripting vulnerability with Form API option groups was

reported by Károly Négyesi [11].

The cross-site scripting vulnerability in the Ajax system was reported by

mani22test [12].

The denial of service vulnerability using malicious HTTP Host headers was

fixed by Régis Leroy [13], and by Klaus Purer [14] of the Drupal Security Team.

The access bypass vulnerability in the File module was fixed by Nate Haug

[15] and Ivan Ch [16], and by Drupal Security Team members David Rothstein [17], Heine Deelstra [18] and David Snopek [19].

The cross-site scripting vulnerability with Form API option groups was

fixed by Greg Knaddison [20] of the Drupal Security Team.

The cross-site scripting vulnerability in the Ajax system was fixed by

Neil Drumm [21] of the Drupal Security Team.

The Drupal Security Team [22]

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [23].

Learn more about the Drupal Security team and their policies [24], writing secure code for Drupal [25], and securing your site [26].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [27]

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#676: Alternative to Skype for TTech Meetings

chris — Tue, 14 Jan 2014 13:33:51 GMT

Jim has pointed out that:

Skype costs us 15-30 minutes of grinding pain every time we do this!

So what are the alternatives and what are our requirements?

#824: Analysis of the 2014 maintenance ticket time

chris — Wed, 07 Jan 2015 15:48:14 GMT

Ed has ask that I spend up to 2 hours on an analysis of the 2014 maintenance ticket time for our meeting tomorrow in Bristol.

#750: Annual update of SSL cert fingerprint for incomming emails to Trac

chris — Thu, 26 Jun 2014 13:42:42 GMT

Laura said she had replied to Trac email today but they didn't get through.

The issues has come up before, see wiki:TransitionTrac#Fetchmail

#893: BOA Cron Jobs

chris — Thu, 24 Dec 2015 11:39:51 GMT

All the BOA cron jobs were stopped on ticket:846#comment:88. This ticket is for looking at them all and deciding which, if any, are needed.

#851: Bot attacks on Transition Culture

chris — Sun, 10 May 2015 11:12:12 GMT

Yesterday there was a load spike on ParrotServer caused by a bot doing thousands of POSTs to xmlrpc.php.

#871: Brute Force Attacks Against WordPress Sites

chris — Mon, 21 Sep 2015 13:41:26 GMT

Today there have been 53,932 attempts to login to the TTT web site on ParrotServer all from the same IP address:

grep POST /home/ttt/logs/access.log | grep wp-login.php | grep 217.174.240.254 | wc -l
53932

I noticed this due the higher than usual load it was generating.

Would it be OK to spend an hour or two installing the WP fail2ban plugin on all the sites on the server?

Some more background on this issue:

https://docs.webarch.net/wiki/WordPress#Brute_Force_Attacks

#894: Brute Force Attacks Against WordPress XMLRPC

chris — Thu, 07 Jan 2016 11:23:51 GMT

For a few months I have see a lot of requests going to WordPress /xmlrpc.php and wasn't sure why, now it is clear:

Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.

https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

I'd like to install Stop XML-RPC Attack on all the WordPress site we host, unless anyone has a good reason not to. This plugin simply whitelists the JetPack/Automattic's subnets and blocks all other access to /xmlrpc.php.

I started tracking the abuse a while ago and you can see it and manually address it on ParrotServer like this:

sudo -i
wp-xmlrpc-abuse
IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log:
      2 46.148.XX.XX
    733 195.62.53.243
    177 195.62.53.243
      2 66.76.XX.XX
dig -x 195.62.53.243 +short
  53-243.static.spheral.ru.
ipdrop 195.62.53.243

But we need to be more pro-active in blocking access or we are going to probably see some compromised sites.

#738: Change 'ben' account to have Ben Jarlett as owner

ed — Tue, 10 Jun 2014 09:14:06 GMT

Chris: change the ‘ben’ account’s password Chris; change the ‘ben’ account to have 'emailme@…’ as the p.o.c. Chris? Ben?: change the ‘benj’ account to have ‘web project@…’ as the p.o.c. and Ed to forward anything vital if/when it comes up ALL to use only ‘ben’

#692: Debian Updates

chris — Tue, 25 Feb 2014 15:16:17 GMT

This is a ticket to track debian upgrades to the wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer the time they take.

See:

These updates are generally done using the wiki:AptitudeUpdateScript and this records all the changes in the /root/Changelog and then the contents of the Changelog are pasted into the ticket to document the upgrade.

This ticket took over from ticket:218 on 2014-02-25.

#541: Documentation of the WordPress sites

chris — Wed, 01 May 2013 20:25:57 GMT

These pages have been created for the documentation of the wiki:WordPress sites running on wiki:PenguinServer:

So far they only have a listing on the plugins for each site.

Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting.

Laura is this something you might be able to help with? I'm happy doing some work on it but you know your way around these sites far better than anyone else.

#875: Free HTTPS certificates from Let's Encrypt

chris — Mon, 05 Oct 2015 10:48:11 GMT

From mid November 2015 Let's Encrypt should be live, providing free SSL/TLS certificates. Currently the TN pays for a Gandi wild card cert, costing £130.50 a year, in addition most the WordPress sites on ParrotServer don't have certs due to the cost, see ticket:540.

The Let's Encrypt code is designed to be set up to run automatically -- certs are only valid for 90 days and the automatic renewal process runs when the cert is 60 days old.

We should consider if we want to use Let's Encrypt and what things would need to be put in place to use it, the wild card cert is due to expire on 22/01/16.

PuffinServer -- are we still going to be running PuffinServer in January 2016? Is there any chance that we might be able to consider the suggestions in ticket:754#comment:61? I'm not sure if I want to spend time trying to get Let's Encrypt working with a old version of BOA, up to date versions of BOA might support it out of the box.
PenguinServer -- this site hosts a lot of sites, see the listing, automating Let's Encrypt would probably be a hour or two of work, it might makes sense to upgrade it to Debian Jessie at the same time.
ParrotServer -- I suggest we rebuild this server from scratch, this would enable it to have the latest version of the Webarch Secure Hosting scripts and this include support for fail2ban for WordPress and phpMyAdmin, thus solving ticket:871 and includes automatic provisioning of Let's Encrypt certs for sites.

What do people think?

#898: Fwd: Access to Drupal

ade — Tue, 26 Jan 2016 17:35:05 GMT

Hi Chris,
The web team at the development agency are requesting access to the
webserver so that they can look at the sites make up.
(Please see below)
Would you please set up an account so that they can get root read access?
I guess this would be done via FTP, but your thoughts greatly appreciated.
best regards
Ade
---------- Forwarded message ----------
From: Ainslie Beattie <ainsliebeattie@transitionnetwork.org>
Date: 26 January 2016 at 17:25
Subject: Fwd: Access to Drupal
To: Sam Rossiter <samrossiter@transitionnetwork.org>, Ade Stuart <
adestuart@transitionnetwork.org>, Yvonne Struthers <yvonne@thisisyoke.com>
Hey both, can you please action this urgently so that Yoke can have access.
Cheers
---------- Forwarded message ----------
From: "Yvonne Struthers" <yvonne@thisisyoke.com>
Date: 26 Jan 2016 10:58
Subject: Access to Drupal
To: <ainsliebeattie@transitionnetwork.org>
Cc:
Hi Ainslie,
Just a quick email as I'm out seeing a client today,but just to say,it
looks like you have only given us access to the database. What we need
please is admin access to the Drupal site and to the code base so that we
can get a sense of how it's all set up.
Thanks in advance!
Yvonne
Sent from my iPhone
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

#716: Heartbleed

chris — Wed, 09 Apr 2014 08:53:58 GMT

Following on from ticket:692#comment:18 we should undertake the steps Drupal have taken: https://drupal.org/news/2014-04-08-security-update

#806: IIRS pre-beta usability issues

chris — Mon, 10 Nov 2014 21:30:27 GMT

Ticket to track usability issues etc.

#904: Issues to consider in the migration from Drupal to WordPress

chris — Fri, 19 Feb 2016 10:41:04 GMT

A few weeks ago Ade said he though it would be worth me opening a ticket to use to flag up some issues to be considered in the migration of the Transition Network site from Drupal 6 to WordPress.

#903: Large load spike on PuffinServer

chris — Mon, 08 Feb 2016 08:46:37 GMT

There was a large load spike this morning on PuffinServer, which appears to have been caused by 12k requests for pages (Nginx doesn't log requests for anything other than PHP generated pages) from one IP address, this IP address has been blocked and I'll post some details below.

#899: Managing security after Feb 24th, 2016.

paul — Thu, 28 Jan 2016 15:22:28 GMT

Hello,

Just did some research to check how we will manage security after Feb 24th, 2016.

A small group of vendors (approved by the security team) will provide patches for core and some of the most commonly used contributed modules, that are used on their client websites. Security patches will be put in the Git repo for the D6LTS project on Drupal.org, and will be announced in the issue queue. We will just need to monitor this issue queue and apply any security patches.

However, these vendors will not be supporting ALL contributed modules. Each of the vendors will be maintaining lists, and providing them to the Drupal Security Team so they know which issues to include them on. With this in mind shall we send a copy of our list of contributed modules to each of the vendor companies and ask them to provide us with a list of our modules that they are currently not supporting? We can then decide how we should support the modules that are not supported by the vendors.

Best, Paul

#731: Meetings in maintenance

chris — Fri, 23 May 2014 10:47:39 GMT

Ticket to record time spent on Skype call on 22nd May 2014.

#925: Piwik 2.16.3

chris — Mon, 03 Oct 2016 10:25:36 GMT

The Changelog contains:

Security release

This release is rated critical.

The Piwik security engineering team has internally identified a critical security issue and has fixed it in Piwik 2.16.3. We recommend all users to upgrade to this latest version.

Database upgrade

Note: This release contains major database upgrades and upgrading your database will take a long time if you have a lot of data in your database.

Please make sure you read the Update Piwik guide for high traffic instances.

#764: Policy decisions re-assessment on BOA and Drupal security updates

annesley — Tue, 22 Jul 2014 14:10:38 GMT

on-line meeting 5 / August @ 14:00 GMT: we are phasing out the current D6 / BOA system. the new system may not use either. The TN.org website is not attractive to high level hackers or DOS attacks.

what are the risks with cancelling all further Unix, BOA and Drupal updates completely that do not allow direct un-mitigated access to the backend via bad PHP code / SQL?

#757: Research and Design for TNv3

ed — Fri, 11 Jul 2014 13:36:54 GMT

R&D for TNv3

#763: Server Backups

chris — Mon, 21 Jul 2014 17:09:21 GMT

Two weeks ago annesley asked:

what off-site data storage, file backup and quick setup do we have?

I answered:

The 3 virtual servers have their file system mounted off a BSD/NFS/ZFS file server and the whole file system is backed up and stored onto another BSD/ZFS server in the same data centre. We did have backups also being copied to a server in Manchester but this is currently off-line as the Manchester server needs a disk swapping and rebuilding as a BSD/ZFS server.

A problem with this is that it's only me and Alan that have access to these backups, so I'd like to suggest I set up a new account for backups on our backup server and sort out cron jobs to rsync data to this account and document how people can access these backups.

The result would be that everybody would have SFTP access to 60 days worth of snapshots of backups from all three servers whenever needed without any need for my or Alan's intervention.

I expect this would take abount an hour to set up and another hour to document and help people understand it.

There would be no additional cost to the TN because backup space is already paid for.

#924: Sheffield Server Shutdown Timetable?

chris — Mon, 05 Sep 2016 08:46:27 GMT

Since www.transitionnetwork.org is now running on dedi2835.your-server.de there seems little point in the Transition Network continuing to pay for the PuffinServer and my time doing sysadmin updates on it?

If the Transition Network would like Webarchitects to shutdown and delete this server and all it's backups could you please let me know when you would like it doing?

I guess the same goes for PenguinServer and ParrotServer, though these servers still have live sites on them, including this Trac site that I use to keep track of time worked -- when PenguinServer is shutdown I will no longer have a public place to document the time I work for the Transition Network and all the server and site documentation from the last six years will be lost.

#919: Site offline

chris — Thu, 14 Jul 2016 18:17:26 GMT

The https://www.transitionnetwork.org/ site has been "off-line" since about 7pm, I see that Paul is logged on via ssh -- is this something that we should worry about or is this intentional?

#881: Site on ParrotServer with a memory leak?

chris — Fri, 23 Oct 2015 11:19:04 GMT

It appears a site, or application, on ParrotServer might have a memory leak.

#662: Subscriptions' links in text emails breaking

ed — Tue, 17 Dec 2013 15:37:13 GMT

for January - to get Sam and Jim talking - in January

The subs sent out to subscribers: are fine in html but the text version is broken and unsatisfactory. I know we've been through this and it's a known bug etc. etc. but I'm wondering if we can switch all subs to html, or if there are any patches to this problem?

Adding as Jim's ticket with Sam cc-ed

#907: TN Drupal database size

chris — Wed, 02 Mar 2016 10:20:10 GMT

6 weeks ago the datadase dump was 447M, see trac:ticket/896#comment:3 but now it is 1.8G:

ls -lah /var/backups/mysql/sqldump/transitionnetw_0.sql
-rw------- 1 root root 1.8G Mar  2 01:23 /var/backups/mysql/sqldump/transitionnetw_0.sql

Anyone have any idea what happened to cause this? Are we keeping too many log entries?

#905: TN site down due to redis not running

chris — Thu, 25 Feb 2016 10:28:40 GMT

I'm working on this...

#582: TN.org platform and sites

jim — Mon, 02 Sep 2013 09:30:02 GMT

The TN.org platform and Drupal site updates are to be tracked in this ticket.

Current PROD platform build = P009 Current STG platform build = S010

Updates pending:

SECURITY UPDATE - NO RISK: Pressflow core 6.30 is due, but the security holes fixed do not affect us, low priority. Platforms: present in S010, but not in P009.

#719: Transition Culture HTML Problems

chris — Mon, 14 Apr 2014 20:07:09 GMT

If you look at old Transition Culture articles they had hyperlinks and blockquotes, for example:

https://web.archive.org/web/20070228081440/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

If you look at the version we now have this formatting has been lost and the first paragraph is a mess:

http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

The formatting wasn't lost when the new TC design was first deployed:

https://web.archive.org/web/20080429205320/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

It has happened since then.

We should consider investigating what caused the problems and how they can be fixed?

This might be a task that Simon would be best placed to undertake?

#847: Upgrade Servers to Debian Jessie

chris — Mon, 27 Apr 2015 09:30:11 GMT

The latest version of Debian, Jessie, 8.0, came out over the weekend, we should consider upgrading the three servers, PuffinServer, PenguinServer and ParrotServer and what issues would arrise when we do.

See the documentation on Upgrades from Debian 7 (wheezy) and Issues to be aware of for jessie, specifically:

#646: Users denied access when trying to unsubscrbie

ed — Thu, 12 Dec 2013 10:16:23 GMT

I'm getting noticeably more complaints about users not being able to unsubscribe to email notifications for content or comment alerts and/or the newsletter.

The emerging pattern is that they are clicking on the unsubscribe link in their email alerts and going to an access denied page.

My sense says there's something in https/http? Or them not being logged in?

Something is definitely going on.

Adding this to Sam to pick up in January. SAM - tickets like this can bounce around the tech team a bit - stay on it!

#741: Views editor disappears in backend

annesley — Thu, 12 Jun 2014 10:42:13 GMT

admin > views > edit the view editor interface appears and then disappears immediately this happens in Chrome / Ubuntu and Firefox / Mac

#809: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

paul — Wed, 19 Nov 2014 21:35:25 GMT

View online: https://www.drupal.org/SA-CORE-2014-006

Advisory ID: DRUPAL-SA-CORE-2014-006
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Multiple vulnerabilities

.... Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

.... Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

/A CVE identifier [4] will be requested, and added upon issuance, in accordance

with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.34.
Drupal core 7.x versions prior to 7.34.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]

Also see the Drupal core [8] project page.

Session hijacking:

Aaron Averill [9]

Denial of service:

Michael Cullum [10]
Javier Nieto [11]
Andrés Rojas Guerrero [12]

Session hijacking:

Klaus Purer [13] of the Drupal Security Team
David Rothstein [14] of the Drupal Security Team
Peter Wolanin [15] of the Drupal Security Team

Denial of service:

Klaus Purer [16] of the Drupal Security Team
Peter Wolanin [17] of the Drupal Security Team
Heine Deelstra [18] of the Drupal Security Team
Tom Phethean [19]

The Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [24]

#865: synchronisation

annesley — Wed, 15 Jul 2015 13:26:48 GMT

ideas. please query them.

we are synchronising between different data structures: WordPress and Drupal and anything else the plugin is installed on. therefore standard *database level* distributed synchronisation management tools will not be appropriate. this is unfortunate because synchronisation is a big task. however, it is possible that there are some CRUD / REST based sync tools. so: we need an XML abstraction layer (partially done already) produced by the Drupal, Wordpress, etc. plugin that is standardised and can then be compared and synced via standard API calls.

Steps:

new Transition Town registration on server A notify server B that there is new data and send the GUID of this new data server B then requests only the new data from server A (incremental) using the GUID server B creates the new item in it's database with a new native ID using the abstraction layer in it's plugin / module

addtions to this universal data pool, e.g. a new Transition Town, will be propagated via a network sync request at point of addition. "listener servers" will then request the new data (incremental only) and, in turn push that out to all other listeners. each plugin will therefore extend and expose it's CRUD style synchronisation abstraction functions:

add-user add-local-group change-user etc.

many of these are already available as part of the framework-independent plugin / module

currently, i suggest that ALL plugins contain ALL the international user and Transition Town data. passwords and emails, contact info will be handled by a 3rd server, either Mozilla Persona or Open ID. user accounts will also be synchronised on to ALL plugins but without passwords as those are held on the 3rd server. thus far had already been agreed with Ed. but, ofc, can be changed :)

new plugin installations will receive a full complement of data at time of installation. check digits will be periodically shared to check that all data is in-line. all users will be able to register and edit their data on ANY website holding the plugin. TT and USER changes and registrations will then propagate via PUSH notifications across the entire network all native IDs will be different. i.e. TT Brixton will have a different ID on each server. thus, as always with synchronissation, all IDs will be transformed to GUIDs by the abstraction API and only GUIDs will be used to analyse the network of data and synchronisation. login to any website containing the plugin will be transparent (unlike the demo i set up) through the normal wordpress and drupal login screens. the plugin will intercept failed authentication and attempt to authenticate against the universal servers. new accounts created via universal registration on any server will have a framework specific configurable role and thus permissions on that server will be set by the administrator specific to that server.